Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ

Vivisica, I'm seeing some indications that argparse is installed on Virtual Edition BIG-IQ to satisfy some specific dependencies there. It looks like it might normal for it to be absent from a hardware BIG-IQ. We might need to update the script to use a different argument parsing method.

Yep, that is what I was told from the F5 engineer that I am working with. I'm using hardware and it came with 2.6 and argparse wasn't introduced until 2.7. He is checking to see if I can safely upgrade my devices to 2.7 or if the script needs to be rewritten. Thanks for the assistance.

@Vivisica

We have updated the script to remove dependency on argparse, not installed on hardware BIG-IQ.

Thanks so much Roman.

I have these two unless I'm doing something very wrong...I've never used python before this so its a strong possibility. I tried the IP two different ways running from the scripts directory.

[root@bigiqmgmt01:Active:Standalone] scripts ./import-bigip-cert-key-crl.py x.x.x.x Traceback (most recent call last): File "./import-bigip-cert-key-crl.py", line 34, in import requests ImportError: No module named requests [root@bigiqmgmt01:Active:Standalone] scripts ./import-bigip-cert-key-crl.py -bash: syntax error near unexpected token `newline'

Sorry Vivisica, it looks like argparse is not the only module that is missing on hardware BIG-IQ. Unfortunately we primarily test on virtual devices.

Adapting the script to avoid argparse was relatively easy, but avoiding requests seems significantly more difficult (and I can't be sure that it would work at that point).

I'm not sure what the next steps should be. In principle I think it should be possible to install the missing packages from the BIG-IQ ISO file, but it's not certain that this action would be safe. There may be other ways to add the modules more safely. I'll have to look at options and see if we can find something.

I have a procedure that might get the script working on hardware, but it's only partially tested so far. This would work for the new version or the previous version using argparse (which is probably a little better because argparse is more advanced and easier to use, making the script code in that version a bit better).

The steps are 1) use the pip command to install the missing packages in a temporary location, then 2) run the script using python2.7 and directing it to the temporary package location. Optionally the package directory can be removed at the end. python2.7 is required here because pip is built to use it, so the packages it installs will use Python 2.7 features and will not work in the default Python 2.6. I'm not sure what BIG-IQ version added Python 2.7, but I've tested this on BIG-IQ 6.1.

Step 1: Install packages using pip, targeting a location of your choice:

 mkdir py-modules
 pip install --target py-modules requests argparse

Step 2: Run using python2.7, and adding py-modules to the python path:

 PYTHONPATH=py-modules python2.7 import-bigip-cert-key-crl.py --help    

This will show the help message if everything is working. From there I'd expect the script to work, just continue to run it with the PYTHONPATH environment variable and using python2.7.

Ok, thanks. Seems there are a lot of significant differences between hardware and VE that has made this deployment very difficult as everything is really designed for VE and not hardware. I do have 2.7 on the boxes in /usr/local/lib so that's a plus in my favor. I will continue to tinker with it until I can get it to work.

I'm currently running 6.1 .0 build 0.0.1224 on the 7000 hardware.

@Vivisica, did the steps described by goodsell worked?