Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Automate Let's Encrypt Certificates on BIG-IP

JRahm
Community Manager
Community Manager

‎30-Mar-2022 09:00 - edited ‎31-Mar-2022 13:33

To quote the evil emperor Zurg: "We meet again, for the last time!" It's hard to believe it's been six years since my first rodeo with Let's Encrypt and BIG-IP, but (uncompromised) timestamps don't lie. And maybe this won't be my last look at Let's Encrypt, but it will likely be the last time I do so as a standalone effort, which I'll come back to at the end of this article. The first project was a compilation of shell scripts and python scripts and config files and well, this is no different. But it's all updated to meet the acme protocol version requirements for Let's Encrypt. Here's a quick table to connect all the dots:

Description What's Out What's In
acme client letsencrypt.sh dehydrated
python library f5-common-python bigrest
BIG-IP functionality creating the SSL profile utilizing an iRule for the HTTP challenge

The f5-common-python library has not been maintained or enhanced for at least a year now, and I have an affinity for the good work Leo did with bigrest and I enjoy using it. I opted not to carry the SSL profile configuration forward because that functionality is more app-specific than the certificates themselves. And finally, whereas my initial project used the DNS challenge with the name.com API, in this proof of concept I chose to use an iRule on the BIG-IP to serve the challenge for Let's Encrypt to perform validation against.

Whereas my solution is new, the way Let's Encrypt works has not changed, so I've carried forward the process from my previous article that I've now archived. I'll defer to their how it works page for details, but basically the steps are:

  1. Define a list of domains you want to secure
  2. Your client reaches out to the Let’s Encrypt servers to initiate a challenge for those domains.
  3. The servers will issue an http or dns challenge based on your request
  4. You need to place a file on your web server or a txt record in the dns zone file with that challenge information
  5. The servers will validate your challenge information and notify you
  6. You will clean up your challenge files or txt records
  7. The servers will issue the certificate and certificate chain to you
  8. You now have the key, cert, and chain, and can deploy to your web servers or in our case, to the BIG-IP

Before kicking off a validation and generation event, the client registers your account based on your settings in the config file. The files in this project are as follows:

 

/etc/dehydrated/config # Dehydrated configuration file
/etc/dehydrated/domains.txt # Domains to sign and generate certs for
/etc/dehydrated/dehydrated # acme client
/etc/dehydrated/challenge.irule # iRule configured and deployed to BIG-IP by the hook script
/etc/dehydrated/hook_script.py # Python script called by dehydrated for special steps in the cert generation process
# Environment Variables
export F5_HOST=x.x.x.x
export F5_USER=admin
export F5_PASS=admin

 

You add your domains to the domains.txt file (more work likely if signing a lot of domains, I tested the one I have access to). The dehydrated client, of course is required, and then the hook script that dehydrated interacts with to deploy challenges and certificates. I aptly named that hook_script.py. For my hook, I'm deploying a challenge iRule to be applied only during the challenge; it is modified each time specific to the challenge supplied from the Let's Encrypt service and is cleaned up after the challenge is tested. And finally, there are a few environment variables I set so the information is not in text files. You could also move these into a credential vault. So to recap, you first register your client, then you can kick off a challenge to generate and deploy certificates. On the client side, it looks like this:

 

./dehydrated --register --accept-terms
./dehydrated -c

 

Now, for testing, make sure you use the Let's Encrypt staging service instead of production. And since I want to force action every request while testing, I run the second command a little differently:

 

./dehydrated -c --force --force-validation

 

Depicted graphically, here are the moving parts for the http challenge issued by Let's Encrypt at the request of the dehydrated client, deployed to the F5 BIG-IP, and validated by the Let's Encrypt servers. The Let's Encrypt servers then generate and return certs to the dehydrated client, which then, via the hook script, deploys the certs and keys to the F5 BIG-IP to complete the process.

Let's Encrypt.png

 And here's the output of the dehydrated client and hook script in action from the CLI:

 

# ./dehydrated -c --force --force-validation
# INFO: Using main config file /etc/dehydrated/config
Processing example.com
 + Checking expire date of existing cert...
 + Valid till Jun 20 02:03:26 2022 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for example.com
 + A valid authorization has been found but will be ignored
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + (hook) Deploying Challenge
 + (hook) Challenge rule added to virtual.
 + Responding to challenge for example.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + (hook) Cleaning Challenge
 + (hook) Challenge rule removed from virtual.
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + (hook) Deploying Certs
 + (hook) Existing Cert/Key updated in transaction.
 + Done!

 

This results in a deployed certificate/key pair on the F5 BIG-IP, and is modified in a transaction for future updates.

le_certs_bigip.pngle_cert_details.png

This proof of concept is on github in the f5devcentral org if you'd like to take a look. Before closing, however, I'd like to mention a couple things:

  1. This is an update to an existing solution from years ago. It works, but probably isn't the best way to automate today if you're just getting started and have already started pursuing a more modern approach to automation.
  2. A better path would be something like Ansible. On that note, there are several solutions you can take a look at, posted below in resources.

Resources

 

 

Comments
nikzin
Altocumulus
Altocumulus
‎31-Mar-2022 21:37

Great article. Can i use this solution for other CAs than LE, if they support ACME ?

0 Kudos
EM
Nimbostratus
Nimbostratus
‎31-Mar-2022 23:43

Heya! 

Nice article! Just dropping an info:

There is a pypi plugin for the certbot client as well.

https://pypi.org/project/certbot-bigip/

We maintain and use it for ourselfes and some of our customers use it as well.

0 Kudos
JRahm
Community Manager
Community Manager
‎01-Apr-2022 11:26

@nikzin the F5 side should "just work" but would need to make sure source directory locations for certs/keys were updated if there's a change. But yeah, this could be used as long as acme is supported elsewhere, no promises on it being ready to go, probably some tuning required.

@EM nice! I though about integrating it all into python instead of keeping the domains separate with bash, but decided on expediency. 

0 Kudos
PSFletchTheTek
MVP
MVP
‎21-Jun-2022 08:24

Hi @JRahm, i'm no expert with any of this stuff!
I'm struggling to work out from the info above how to get this working.
Do i need to run this from the f5 or a seperate machine?
I like the idea of using a irule to do the HTTP Challenge as my f5 is the only thing allowed presented on the environment!
Any implementation guides online anywhere?
Ta Fletch

0 Kudos
JRahm
Community Manager
Community Manager
‎21-Jun-2022 10:56

Hi @PSFletchTheTek, definitely from a separate machine. This isn't an officially supported solution, so the only implementation guide is what I wrote above. Feel free to post any attempt details as a question in the forum and tag me and I'll take a look to see if I can help you get un-stuck.

0 Kudos
PSFletchTheTek
MVP
MVP
‎22-Jun-2022 01:38

Thanks @JRahm , 

That makes a little more sense now, espically why you where suggesting things like ansible to do the work instead!
I've got a ansible server with the f5 on the to do list, i'll add cert management to that to do list.

As i said i really like the irule approach for the response code, i just need to work out how it works now!
I need to work out where TOKENVALUE is defined.
Then how i can reproduce that in a ansible script.

0 Kudos
JRahm
Community Manager
Community Manager
‎22-Jun-2022 08:49

Ah..the TOKENVALUE is a placeholder in the iRule that the python hook script replaces from the challenge received from Let's Encrypt. This is done automatically for you each time, as the iRule template is modified, uploaded, challenged, and then removed.

0 Kudos
kgaigl
Cirrocumulus
Cirrocumulus
‎16-Aug-2022 23:27

Hello,

I see I can enroll Certs with this scripts (although I've got problems to understand), but how can I put this certs in a SSL-Profile?

We've got a VS for our Homepage with a SSL-Client Profile and there are about 25 URL's pointing to this VS. One SSL-Profile is the default SNI Profile and we've got 25 other SSL-Profiles with the corresponding Certs (I know this is not very smart, we could put all Common Names as SAN's to one Cert, but I'm not sure how this works with SNI)

So I think we can't automate the complete process to renew the Certs, right?

Is there any other way?

Our webteam is asking if they can switch to lets enrypt and I can't see a way to automate this

The Certs are all from Digicert

JRahm
Community Manager
Community Manager
‎17-Aug-2022 10:01

Hi @kgaigl...yes, you can do that. Because this script updates the certs/keys in a transaction, it will not complain that they are attached to an existing ssl-profile.

Creating/updating ssl-profiles can also be automated, but I would probably segment that logic out into a different script (and even this script might need some massaging for your needs), maybe one that manages the needs for which domains are secured, and then calls the lets-encrypt action to create/upload certs, makes sure they are there, then acts on adding/updating/removing the appropriate key/value pairs in the profile as necessary.

kgaigl
Cirrocumulus
Cirrocumulus
‎17-Aug-2022 23:09

Hi JRahm,

 

thank you but I guess this is beyond my skills.

Maybe I'll ask our Support Partner, but I'm afraid of finding solutions if something goes wrong

JRahm
Community Manager
Community Manager
‎18-Aug-2022 08:24

Maybe a project you could take on to build those skills! Happy to provide pointers/feedback along the way.

0 Kudos
TimRiker
Cirrostratus
Cirrostratus
‎08-Sep-2022 16:48

I tried this to create SAN certificates and got failures as the added irule can only handle one challenge at a time.

I moved the challenge to a datagroup. Changed the setup to run as non-root, and created a pull request:

https://github.com/timriker/lets-encrypt-python

https://github.com/f5devcentral/lets-encrypt-python/pull/8

JRahm
Community Manager
Community Manager
‎09-Sep-2022 09:37

Hi @TimRiker, I'll take a look, thanks for the PR!

ViktorBidnenko
Nimbostratus
Nimbostratus
‎24-Apr-2023 13:28

Hi, do I need to have a valid cert on managment ip of big-ip? I think using self-signed does not work.

After runnig the script got ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1123). But is it possible to find some workaround for this? I have python3.9, maybe this is the issue?

ErrorError

 

 

 

0 Kudos
JRahm
Community Manager
Community Manager
‎24-Apr-2023 13:51

you'll need to set session_verify to False when you instantiate BIG-IP if you are using self-signed certs on BIG-IP for management purposes.

ViktorBidnenko
Nimbostratus
Nimbostratus
‎24-Apr-2023 14:08

Thanks, did not find it before but now I see:

https://bigrest.readthedocs.io/bigip.html

 

TimRiker
Cirrostratus
Cirrostratus
‎24-Apr-2023 19:31

@ViktorBidnenko 
On our site we already order globally signed wildcard certs. We use these same certs with internal hostnames on the same domain as the wildcard cert. Thus the device certs are also globally verified.

0 Kudos
ScottE
MVP
MVP
‎13-Sep-2023 14:23

I moved the environmental variables to configuration files so that it can process multiple certificates, both single and SAN.  Also added a "virtual_servers" file which provides the cross references required to map the certificate name(s) to the virtual host on the LB on which to apply the irule and ssl profile to.

There was also a bug I fixed and added a variable in the hook_script.py file for the parent ssl profile that Tim Riker had added.  I've created a pull request:

https://github.com/ScottECampbell/lets-encrypt-python

https://github.com/f5devcentral/lets-encrypt-python/pull/9

Hopefully I've done this all correctly.  I've been running it via cron for over a month with multiple certificates in the config files without any problems.

0 Kudos
Version history
Last update:
‎31-Mar-2022 13:33
Updated by:
Community Manager
Copyright © 2023 Khoros, LLC