bitnoc
May 19, 2020

Enabling OCSP stapling via f5-sdk fails

I want to enable OCSP stapling for a lot of clientSSL profiles, so I thought I'd use the f5-sdk Python library. However, my tests so far fail miserably, even without trying to change the actual setting. Here's what I tested:


#! /usr/bin/env python3
from f5.bigip import ManagementRoot
mgmt = ManagementRoot("hostname", "username", "password")
profile = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(partition="Common", name="myprofile")
print(profile.ocspStapling)
profile.update()

This prints the current ocspStapling value ('disabled'), but updating the unchanged profile fails:

 

$ python3 ocsp-test2.py
disabled
Traceback (most recent call last):
 File "ocsp-test2.py", line 15, in <module>
   profile.update()
 File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 617, in update
   self._update(**kwargs)
 File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 580, in _update
   response = session.put(update_uri, json=data_dict, **requests_params)
 File "/Users/teun/Library/Python/3.7/lib/python/site-packages/icontrol/session.py", line 295, in wrapper
   raise iControlUnexpectedHTTPError(error_message, response=response)
icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/
Text: '{"code":400,"message":"\\"{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }\\" unexpected argument","errorStack":[],"apiError":26214401}'

 

I didn't change any settings of the profile, so why would it fail to update? As a test, I removed these SSL options, but that doesn't help either. The error message changes of course, but updating an unchanged profile still fails:


icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/
Text: '{"code":400,"message":"01b4002a:3: Client SSL profile (/Common/myprofile):cert-key-chain and profile cert/key/chain/passphrase options cannot be specified together.","errorStack":[],"apiError":3}'

 

I really fail to see what's wrong here and what I need to do to get this to work. Any other suggestions on configuring OCSP stapling via python are welcome too.

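One way to sidestep the full-object PUT, as an added example that is not part of the original post or of the f5-sdk project: it assumes the 400 responses come from `update()` sending back every attribute that `load()` returned, and uses the SDK's `modify()` (an HTTP PATCH) to send only `ocspStapling`. `FakeProfile` and the function names are hypothetical; the fake stands in for a loaded profile so the code runs offline.

```python
# Added example; names below are hypothetical, not f5-sdk API
# (except profile.modify(), which is the SDK's PATCH call).

def stapling_patch(current_value, desired="enabled"):
    """Return the minimal attribute dict to PATCH, or {} if nothing changes."""
    if desired not in ("enabled", "disabled"):
        raise ValueError("ocspStapling must be 'enabled' or 'disabled'")
    return {} if current_value == desired else {"ocspStapling": desired}

def enable_ocsp_stapling(profile, desired="enabled"):
    """Change only ocspStapling on a loaded client-ssl profile.

    modify(**kwargs) sends just the keyword arguments, so read-back fields
    such as the SSL options string or cert/key/chain are never re-submitted.
    Returns True if a request was sent, False if the value was already set.
    """
    patch = stapling_patch(getattr(profile, "ocspStapling", None), desired)
    if not patch:
        return False
    profile.modify(**patch)
    return True

def enable_for_many(profiles, desired="enabled"):
    """Apply to several profiles; record rejections instead of stopping."""
    changed, failed = [], {}
    for p in profiles:
        try:
            if enable_ocsp_stapling(p, desired):
                changed.append(p.name)
        except Exception as exc:  # e.g. a 400 returned by the device
            failed[p.name] = str(exc)
    return changed, failed

class FakeProfile:
    """Constructed stand-in for a loaded profile (no BIG-IP needed)."""
    def __init__(self, name, ocspStapling, reject=False):
        self.name, self.ocspStapling, self.reject = name, ocspStapling, reject
        self.sent = []  # every PATCH body this fake received
    def modify(self, **patch):
        if self.reject:
            raise RuntimeError("400 Bad Request (constructed)")
        self.sent.append(patch)
        self.__dict__.update(patch)

if __name__ == "__main__":
    sample = [FakeProfile("a", "disabled"), FakeProfile("b", "enabled"),
              FakeProfile("c", "disabled", reject=True)]
    print(enable_for_many(sample))
```

Against a real device, pass the object returned by the `load(...)` call shown in the post instead of a `FakeProfile`.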