Enable OCSP Stapling via REST API

lnxgeek · ‎23-Feb-2022

Hi all

I'm struggling with the command syntax that will apply my OCSP stabling configuration on a certificate. I have found a workaround by pushing native tmsh commands via the bash api like this:

curl -sk -u admin:password POST -H "Content-type: application/json" https://bigip-mgmt-ip/mgmt/tm/util/bash -d "{\"command\":\"run\", \"utilCmdArgs\": \"-c 'tmsh modify sys crypto cert example.com_2021-12-12 cert-validation-options { ocsp } cert-validators replace-all-with { letsencrypt_ocsp_R3 } issuer-cert R3_LE_2025'\"}"

It works but I find it crude and against the idea of using the API. I would very much like to be able to do it all REST API native but all tries ends up in:

{"code":415,"message":"Found invalid content-type. The content-type must be application/json. The received content-type is application/x-www-form-urlencoded","errorStack":[],"apiError":1}

Any input is very much appricaited!

JRahm · ‎01-Mar-2022

Hi @lnxgeek, give this a shot:

## Human Readable ##
POST
to: https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/cert-validators
body: {“name": "letsencrypt_ocsp_R3"}

PATCH
to: https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/
body: {“certValidationOptions": ["ocsp"], "issuerCert": "RE_LE_2025"}

## CURL COMMANDS ##
curl -X POST \
  'https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/cert-validators' \
  --header 'Accept: */*' \
  --header 'User-Agent: Thunder Client (https://www.thunderclient.io)' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --data-raw '{"name": "letsencrypt_ocsp_R3"}'

curl -X PATCH \
  'https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/' \
  --header 'Accept: */*' \
  --header 'User-Agent: Thunder Client (https://www.thunderclient.io)' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --data-raw '{"certValidationOptions": ["ocsp"], "issuerCert": "RE_LE_2025"}'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

View solution in original post

JRahm · ‎01-Mar-2022

Hi @lnxgeek, give this a shot:

## Human Readable ##
POST
to: https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/cert-validators
body: {“name": "letsencrypt_ocsp_R3"}

PATCH
to: https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/
body: {“certValidationOptions": ["ocsp"], "issuerCert": "RE_LE_2025"}

## CURL COMMANDS ##
curl -X POST \
  'https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/cert-validators' \
  --header 'Accept: */*' \
  --header 'User-Agent: Thunder Client (https://www.thunderclient.io)' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --data-raw '{"name": "letsencrypt_ocsp_R3"}'

curl -X PATCH \
  'https://ltm3.test.local/mgmt/tm/sys/file/ssl-cert/example.com_2021-12-12/' \
  --header 'Accept: */*' \
  --header 'User-Agent: Thunder Client (https://www.thunderclient.io)' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --data-raw '{"certValidationOptions": ["ocsp"], "issuerCert": "RE_LE_2025"}'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

JRahm · ‎01-Mar-2022

also note that the /sys/crypto interface shouldn't be used period with the iControl REST interface, use /sys/file/ssl-key, /sys/file/ssl-cert, and /sys/file/ssl-csr instead.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

lnxgeek · ‎02-Mar-2022

Works like a charm 😄

Thanks for your help Jason!

DevCentral

Enable OCSP Stapling via REST API