Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ
The functionality to automate the import of SSL certificates and keys from BIG-IP to BIG-IQ is built into the product starting with BIG-IQ 7.0. This script is for earlier versions only: do not use it on BIG-IQ 7.0 or later, where it has not been tested.
This script imports every supported SSL certificate, key and CRL that exists as an unmanaged object on this BIG-IQ and can be found on the target BIG-IP.
Steps performed by the script:
- Gather certificate and key metadata (including cache-path) from BIG-IPs
- Download certificate and key file data from BIG-IPs
- Upload certificate and key file data to BIG-IQ
Prerequisite: discover and import LTM services before using this script. The target BIG-IP is accessed over SSH using the BIG-IP root account. The script runs python on the BIG-IP inside that SSH session, so the account used must land in bash, not tmsh (see the discussion in the comments below).
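As an added example (not the page's script and not F5 code), the following Python 3 module shows one way to do the first step and to catch the failure mode discussed in the comments below. It builds the per-object-type query that the posted log shows the script running on the BIG-IP (f5.mcp.MCPConnection().query_all(...)), but has the remote side emit JSON instead of a pickle so the BIG-IQ side never unpickles bytes received from another host; it wraps the command for an account whose login shell is tmsh (tmsh's `run util bash -c` is assumed to be the right wrapper); and it turns an empty stdout, which is what a tmsh login shell produces and what the EOFError in the comments came from, into a clear error. The SSH transport is an injected callable and the BIG-IP output is a constructed sample, so it runs offline. The BIG-IQ side targets Python 3 here while the page's script targets Python 2.6/2.7; the snippet sent to the BIG-IP is kept Python 2 compatible, since that is what runs there.

```python
import json
import shlex

# Fields the posted log shows the original script pulling from MCP.
ATTRS = ("cache_path", "name", "checksum", "passphrase")

# Runs inside the BIG-IP's own python (2.x there, so keep it 2-compatible).
# Same query as the posted log, but the result is emitted as JSON rather than
# a pickle: JSON from a remote host can only become data, while pickle.loads()
# on remote bytes can execute code chosen by that host.
REMOTE_SNIPPET = (
    "import json, f5.mcp;"
    "attrs=%r;"
    "m=lambda d: dict((k,v) for (k,v) in d.items() if k in attrs);"
    "r=f5.mcp.MCPConnection().query_all(%r);"
    "print(json.dumps([m(o) for o in r]))"
)


class RemoteOutputError(RuntimeError):
    """The BIG-IP did not return a usable object list."""


def remote_command(mcp_type, login_shell="bash"):
    """Build the command string handed to ssh for one MCP object type.

    login_shell is what the SSH account lands in on the BIG-IP: root, or a
    user given `shell bash`, gets a plain `python -c ...`; a user whose shell
    is tmsh gets it wrapped in tmsh's `run util bash -c` (assumed wrapper,
    not something the page's script does).
    """
    snippet = REMOTE_SNIPPET % (list(ATTRS), mcp_type)
    cmd = "python -c " + shlex.quote(snippet)
    if login_shell == "tmsh":
        return "run util bash -c " + shlex.quote(cmd)
    return cmd


def parse_file_objects(stdout, stderr=""):
    """Turn the remote snippet's stdout into dicts keyed by ATTRS.

    Empty stdout is the situation behind the posted EOFError (tmsh never ran
    `python`), so report it instead of feeding zero bytes to a deserializer.
    """
    if not stdout.strip():
        raise RemoteOutputError(
            "no output from remote python; check the account's login shell "
            "(tmsh modify auth user <name> shell bash). stderr: %r" % stderr)
    try:
        objs = json.loads(stdout)
    except ValueError as exc:
        raise RemoteOutputError("remote output is not JSON: %s" % exc)
    if not isinstance(objs, list):
        raise RemoteOutputError("expected a JSON list, got %s" % type(objs).__name__)
    return [{k: o.get(k) for k in ATTRS} for o in objs]


def gather_file_objects(run_ssh, mcp_types, login_shell="bash"):
    """Step 1 of the procedure: query each object type over an ssh runner.

    run_ssh(command) -> (stdout, stderr) is injected so this runs offline; a
    real caller would wrap paramiko or subprocess + ssh.
    """
    found = {}
    for typ in mcp_types:
        out, err = run_ssh(remote_command(typ, login_shell))
        found[typ] = parse_file_objects(out, err)
    return found


# Constructed sample of what a BIG-IP might answer for certificates; the extra
# key shows that only ATTRS survive.
SAMPLE_STDOUT = json.dumps([{
    "name": "/Common/default.crt",
    "cache_path": "/config/filestore/files_d/Common_d/certificate_d/:Common:default.crt_1",
    "checksum": "SHA1:1245:0123456789abcdef",
    "passphrase": "",
    "extra_field": "dropped",
}])


def fake_ssh_bash(command):
    """Stand-in for an account whose login shell is bash."""
    return (SAMPLE_STDOUT, "")


def fake_ssh_tmsh(command):
    """Stand-in for an admin whose login shell is tmsh: a bare `python -c`
    yields no stdout (the posted EOFError case); the wrapped form reaches
    bash and works."""
    if command.startswith("run util bash -c "):
        return (SAMPLE_STDOUT, "")
    return ("", "(constructed) tmsh rejected the command\n")


if __name__ == "__main__":
    print(gather_file_objects(fake_ssh_bash, ["certificate_file_object"]))
    try:
        gather_file_objects(fake_ssh_tmsh, ["certificate_file_object"])
    except RemoteOutputError as exc:
        print("handled:", exc)
```

The tmsh wrapper is the part to verify on a real box: paste the output of `remote_command("certificate_file_object", "tmsh")` into a tmsh session by hand before relying on it, and where policy allows, prefer the `tmsh modify auth user <name> shell bash` change given in the comments, which makes the plain form work.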
Installation: copy the script to /shared/scripts on the BIG-IQ and make it executable:
# mkdir /shared/scripts
# chmod +x /shared/scripts/import-bigip-cert-key-crl.py
Command example:
# ./import-bigip-cert-key-crl.py <big-ip IP address>
Enter the root user's password if prompted.
Allowed command line options:
- -h, show this help message and exit
- -l LOG_FILE, log to the given file name
- --log-level {debug,info,warning,error,critical}, set logging to the given level (default: info)
- -p PORT, BIG-IP ssh port (default: 22)
Result: the imported objects appear under Configuration > Certificate Management > Certificates & Keys (screenshots taken before and after running the script).
Location of the scripts on GitHub: https://github.com/f5devcentral/f5-big-iq-pm-team
In case your BIG-IQ is running on hardware:
Step 1: Install the packages using pip, targeting a location of your choice:
# mkdir py-modules
# pip install --target py-modules requests argparse
Step 2: Run with python2.7, adding py-modules to the python path:
# PYTHONPATH=py-modules python2.7 import-bigip-cert-key-crl.py <big-ip IP address>
- megakoresh (Nimbostratus)
@goodsell @Roman we have implemented that fix and yeah now the incompatible version disappeared. Back to the EOF exception:
2019-03-20 09:04:48,797:INFO:['bash', '-c', 'python -c \'import f5.mcp, pickle;attrs=["cache_path","name","checksum","passphrase"];m=lambda d: dict((k,v) for (k,v) in d.items() if k in attrs);r=f5.mcp.MCPConnection().query_all("certificate_file_object");print pickle.dumps([m(o) for o in r])\'']
Traceback (most recent call last):
  File "./import-bigip-cert-key-crl.py", line 655, in <module>
    sys.exit(main())
  File "./import-bigip-cert-key-crl.py", line 643, in main
    unmanaged_files = find_all_unmanaged_objects(session, conn)
  File "./import-bigip-cert-key-crl.py", line 538, in find_all_unmanaged_objects
    unmanaged_files += find_unmanaged_objects(session, bigip_connection, typ)
  File "./import-bigip-cert-key-crl.py", line 484, in find_unmanaged_objects
    object_type.mcp_type_name)
  File "./import-bigip-cert-key-crl.py", line 440, in get_bigip_file_objects
    return pickle.loads(stdout)
  File "/usr/lib/python2.6/pickle.py", line 1374, in loads
    return Unpickler(file).load()
  File "/usr/lib/python2.6/pickle.py", line 858, in load
    dispatch[key](self)
  File "/usr/lib/python2.6/pickle.py", line 880, in load_eof
    raise EOFError
EOFError
We had to wrap the command in bash -c because by default your script does not execute bash and therefore can't find python.
UPD: We have changed the default shell for the user we use to log in to bash in /etc/passwd, and then your module worked when we removed the whole bash -c thing. However, we do require it in the end, so do you have any idea how we could execute it for a user that connects to tmsh by default?
- RomanJ (Ret. Employee)
@megakoresh You shouldn't need to modify the script or wrap it in bash.
Could you confirm you have #!/usr/bin/env python in the first line of the file?
Which version of BIG-IQ and BIG-IP are you using?
Are you running the script in bash mode, not tmsh?
- megakoresh (Nimbostratus)
@Roman
We have the shebang line. We are running the script from bash mode on the BIG-IQ, which is version 6.0.1.1. The problem is that it uses ssh to connect to the BIG-IP and, since we can't use the root user, we use an admin account, and that connects to tmsh on the BIG-IP by default, not bash. So it cannot use python: the python command does not work; you have to switch the BIG-IP to bash mode as well. The BIG-IP is version 13.1.1.2-0.0.4.
After we switched the admin user's default shell to /bin/bash, everything worked as expected without modifications, but we can't log in to every load balancer and change the admin user's shell just for this script to work.
- RomanJ (Ret. Employee)
@megakoresh Why don't you create a one-off script using the root user to give the admin user bash shell access on your 20+ BIG-IPs?
Or it might be faster to manually make this change on your 20+ BIG-IPs than to spend the time trying to make the script work in a way it wasn't designed to work originally :)
- megakoresh (Nimbostratus)
@Roman
Didn't I say that we can't use root on the BIG-IPs? What you are suggesting is for us to create a script that would ssh to all of those load balancers and change the default shell to bash for the admin account, and that leaves us with exactly the same problem: because the default shell is not bash, we would have to switch to bash after ssh-ing first to be able to use tools like sed to edit the /etc/passwd file.
If there's some other way to quickly switch the default ssh shell on the BIG-IPs, I would like to know it.
- RomanJ (Ret. Employee)
@megakoresh You can change the default shell for admin using the following command:
tmsh modify auth user admin shell bash
- Vivisica (Nimbostratus)
Is anyone else running into this issue? I have confirmed that I am running the correct version of python. I have made no modifications at all to the script or to python. I have tested this numerous times and always get the same error.
Traceback (most recent call last):
  File "./import-bigip-cert-key-crl.py", line 27, in <module>
    import argparse
ImportError: No module named argparse
Update: I just checked both of my 7000s and they are both running 2.6, and neither installation has argparse in the python folder out of the box.
- goodsell_116980 (Historic F5 Account)
Vivisica, to the best of my knowledge argparse should be installed on BIG-IQ, though yours is not the first report I've heard of it not being found. What version of BIG-IQ are you running? I would try the following and look for anything fishy:
python -c 'import sys; print sys.path; print; import argparse; print argparse.__file__'
If argparse is not being found then I wouldn't expect this to all work, but it could give clues. In my case, I see the following output:
['', '/usr/lib/python26.zip', '/usr/lib/python2.6', '/usr/lib/python2.6/plat-linux2', '/usr/lib/python2.6/lib-tk', '/usr/lib/python2.6/lib-old', '/usr/lib/python2.6/lib-dynload', '/usr/lib/python2.6/site-packages', '/usr/lib/python2.6/site-packages/setuptools-0.6c11-py2.6.egg-info']

/usr/lib/python2.6/site-packages/argparse.pyc
This tells me that argparse is installed in site-packages, which is (of course) present in the python system path. You could try checking that argparse is present in your site-packages folder, and that site-packages is in the python path.
- Vivisica (Nimbostratus)
I'm running 6.1.0 build 0.0.1224. I did an additional search in /usr/local/lib, and 2.7 is there, as well as argparse. I just do not know if I should copy it to /usr/lib. I ran the command you provided and this is the output.
['', '/usr/lib/python26.zip', '/usr/lib/python2.6', '/usr/lib/python2.6/plat-linux2', '/usr/lib/python2.6/lib-tk', '/usr/lib/python2.6/lib-old', '/usr/lib/python2.6/lib-dynload', '/usr/lib/python2.6/site-packages']

Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named argparse
- goodsell_116980 (Historic F5 Account)
To me that looks like the system has been modified somehow to remove the argparse package, but maybe there's some reason it would not be installed in your case. Please try this command on BIG-IQ:
rpm -ql python-argparse
This should list the installed files for the package or report that it isn't installed.