I am unable to find specific explanation on execution procedure. can you please guide? This will help me as well as many other users as well who wants to try this.

Could you clarify what you mean by execution procedure? Are you asking how to get the script to execute at a basic level? If so, either make it executable (chmod +x ...) and then run it (./f5_old_cert_key_profile_cleanup.py -h") or run it as an argument to python (e.g. "python f5_old_cert_key_profile_cleanup.py -h").

Can i run it from BIGIQ on my LB inventory?

it doesn't leverage BIG-IQ inventory. Theoretically you could run it from BIG-IQ system command line, but it has no BIG-IQ interaction.

Hi Chad,

I figured out how to run this script. Its working. However, can you add one condition here. If clientssl profile is attached with VS and has expired cert/key, can we get option to detach SSL profile from VS and then delete?

Thanks a lot for the script !

OR is there any way to change the cert & key to any of the defaults cert/key in clientssl profile(who has old cert/key)? Sorry but this is really a road block at this moment for last 2 companies where i worked to prune the SSL cert/key configuration.

Naumin, it seems based on your request that you have a large number of virtual servers that have a client-ssl profile attached to them that points to an expired SSL certificate. This seems highly unexpected as clients accessing the virtual servers would see problems because of the expired certificates. Do you have a large number of virtual servers in this state? I'd think resolving them manually by altering the virtual server to point to a client ssl profile that has a valid (unexpired) cert would be an urgent configuration change you should make.

It certainly is possible to enhance the script to do what you are requesting, but I wouldn't expect many F5 users to have active virtual servers that have an expired certificate attached (via a client-ssl profile).

Thanks Chad. Yeah i will do it manually, however, just observed backup is not working if we say Yes to delete SSL profile/cert/key. i know mybackup() function was called but its not working. will debug the script and keep you posted with my results. Thanks for the script ! Its really helpful.

Hi Chad,

Looks like iControl Rest API calls are not working in TMOS 11.x as we are getting below error while trying to run on 11.5.1 & 11.6.0 devices. 1. we are using correct credentials and same is working on higher version. 2. We have tried admin(local user) also, but it is still not working and getting same error msg.

As per the script print msg, it is stating we are getting HTTP 401 code.

Please help or advice, if any workaround is available.

py f5_old_cert_key_profile_cleanup.py --user xxx --bigip --reportonly Password for xxx: attempt to obtain authentication token failed due to invalid credentials Traceback (most recent call last): File "f5_old_cert_key_profile_cleanup.py", line 104, in for cert in retrievedcerts['items']: KeyError: 'items'

are you certain credentials are correct? Additionally, is the user account you are attempting to use local to the BIG-IP or contained in a directory (e.g. LDAP) that the BIG-IP is pointed to. If this is the case, then there are known challenges with use of iControl REST with remote users in old versions of TMOS (e.g. 11.x). Workaround is to either use a local user account or upgrade to newer TMOS.

https://cdn.f5.com/product/bugtracker/ID471136.html

Hi Chad,

What a Perfect catch! yes this is the cause, my credentials were correct but it uses remote authentication via RADIUS, and as you suggested for workaround by using local admin account resolves this issue. Thanks for sharing BUGID. Just to update, there is one issue with using this script, we have to disassociate serverssl profile from VIPs manually. As for VIPs who are used for SSL bridging(contains clientssl and serverssl) will be impacted if we disassociate only clientssl profile.

So I am working on addition in your code(may be you can help) to disassociate respective serverssl profile(if any) for the VIPs who are having clientssl profile with expired certs, but stuck on data formatting part, the way you did is just perfect.

Thanks for your swift response!

The reason I didn’t tackle dissociating clientssl profile with an expired cert from a virtual is that in my opinion that’s something that needs fixing outside of the script and then once fixed you would then run the cleanup script.

understood, but atleast we can add function in reportonly "for loops" to pull serverssl profile for those VIPs who are using Expired/expiring soon clientssl profile?

so what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile and the hope would be that clients who connect would accept whatever cert the back-end server is offering?

I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs? Seems to me that not long after the cert expires, you'd get user reports complaining about expired cert and then you'd fix it, such that few BIG-IPs that are actively used will have expired certs attached to clientssl profiles attached to active virtual servers.

"so what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile and the hope would be that clients who connect would accept whatever cert the back-end server is offering?"

Yes, We want this, however it is ok to not remove them/untag them from VS config via script but atleast can get those names when use "--reportonly".

"I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs?"

I know it sound weird but sadly answer is Yes, we have many VSs who are UP and using expired cert profiles. Seems like those are not used by app teams. Ideally those VSs should be decommissioned but instead of following up with individuals for decommission those VIPs, we want to silently removing SSL offloading from LB side so that there applications will work as it was working before this activity.

Nice job, Chad! Using this today!

Hi Chad, 

Thanks  for sharing the script. However I am facing some issue while running the script.snippets are attached can you help me with this.

This script marks certs with expiration date more than one month as soontoexpired also.

I run it with arg days equal 1 (and 0) and received result in picture.
Can you fix it? Thank you.

VE/BIG-IP 15.1.7 Build 0.0.6 Final