Modifying SSL Profile via REST API

Bastian123234_2
Nimbostratus

Hello everyone,

 

I am currently testing the REST API and having trouble with some simple changes on an SSL profile. I am using local authentication, trying to modify a certificate used in a test profile, however I am getting an error. I do not find any documentation regarding the issue, hence I hope someone here could point me in the right direction.

 

My code looks as follows (by the way, I am using Ruby). Basically it is just pushing the data. I got the format via a GET request to be sure to have the right format. The values I changed in this request are: "certKeyChain" => "name", "cert" and "key".

 

```ruby
require 'rest-client'
require 'json'

# open session (:verify_ssl => false turns off certificate validation for this connection)
@session = RestClient::Resource.new('https://10.70.235.105/mgmt/tm',
                                    :verify_ssl => false,
                                    :user => "admin",
                                    :password => "admin")

# profile name, as it appears in the request log below
profile = "test_bastian"

# build data
c = {"kind"=>"tm:ltm:profile:client-ssl:client-sslstate",
     "name"=>"test_bastian",
     "partition"=>"Common",
     "fullPath"=>"/Common/test_bastian",
     "generation"=>1702,
     "selfLink"=>"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~test_bastian?ver=12.1.2",
     "alertTimeout"=>"indefinite",
     "allowDynamicRecordSizing"=>"disabled",
     "allowExpiredCrl"=>"disabled",
     "allowNonSsl"=>"disabled",
     "authenticate"=>"once",
     "authenticateDepth"=>9,
     "cacheSize"=>262144,
     "cacheTimeout"=>3600,
     "cert"=>"/Common/new_test.crt",
     "certReference"=>{"link"=>"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
     "certExtensionIncludes"=>["basic-constraints", "subject-alternative-name"],
     "certLifespan"=>30,
     "certLookupByIpaddrPort"=>"disabled",
     "chain"=>"/Common/new_test.crt",
     "chainReference"=>{"link"=>"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
     "ciphers"=>"DEFAULT",
     "defaultsFrom"=>"/Common/clientssl",
     "defaultsFromReference"=>{"link"=>"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~clientssl?ver=12.1.2"},
     "forwardProxyBypassDefaultAction"=>"intercept",
     "genericAlert"=>"enabled",
     "handshakeTimeout"=>"10",
     "inheritCertkeychain"=>"false",
     "key"=>"/Common/new_test.key",
     "keyReference"=>{"link"=>"https://localhost/mgmt/tm/sys/file/ssl-key/~Common~new_test.key?ver=12.1.2"},
     "maxActiveHandshakes"=>"indefinite",
     "maxAggregateRenegotiationPerMinute"=>"indefinite",
     "maxRenegotiationsPerMinute"=>5,
     "maximumRecordSize"=>16384,
     "modSslMethods"=>"disabled",
     "mode"=>"enabled",
     "tmOptions"=>["dont-insert-empty-fragments"],
     "peerCertMode"=>"ignore",
     "peerNoRenegotiateTimeout"=>"10",
     "proxySsl"=>"disabled",
     "proxySslPassthrough"=>"disabled",
     "renegotiateMaxRecordDelay"=>"indefinite",
     "renegotiatePeriod"=>"indefinite",
     "renegotiateSize"=>"indefinite",
     "renegotiation"=>"enabled",
     "retainCertificate"=>"true",
     "secureRenegotiation"=>"require",
     "sessionMirroring"=>"disabled",
     "sessionTicket"=>"disabled",
     "sessionTicketTimeout"=>0,
     "sniDefault"=>"false",
     "sniRequire"=>"false",
     "sslForwardProxy"=>"disabled",
     "sslForwardProxyBypass"=>"disabled",
     "sslSignHash"=>"any",
     "strictResume"=>"disabled",
     "uncleanShutdown"=>"enabled",
     "certKeyChain"=>
      [{"name"=>"default",
        "cert"=>"/Common/default.crt",
        "certReference"=>{"link"=>"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
        "chain"=>"",
        "chainReference"=>{"link"=>"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
        "key"=>"/Common/default.key",
        "keyReference"=>{"link"=>"https://localhost/mgmt/tm/sys/file/ssl-key/~Common~new_test.key?ver=12.1.2"}}]}
c = c.to_json

# push data
push_profile = @session["ltm/profile/client-ssl/~Common~" + profile].put(c, :content_type => :json)
```

When running the script, I get the following errors:

 

```
RestClient.put "https://10.70.235.105/mgmt/tm/ltm/profile/client-ssl/~Common~test_bastian", 2467 byte(s) length, "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"2467", "Content-Type"=>"application/json", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
=> 400 BadRequest | application/json 145 bytes
{"code":400,"message":"010717e7:3: cert-key-chain and profile cert, key or chain options cannot be input together.","errorStack":[],"apiError":3}
```

Would be nice to get some feedback 🙂

 

1 ACCEPTED SOLUTION

Bastian123234_2
Nimbostratus

Thanks for your feedback PK, but I found the issue:

  • First of all, I pulled the whole profile, changed the settings and pushed it again. This does not work. You have to push only the values you want to change, in this case "cert", "key", and "chain".
  • Second: I tried to change the mentioned values in "certKeyChain", however there are other key/value pairs within the hash I needed to change. It is a bit confusing, since they have the same name, and from my point of view, it makes more sense that the ones in the certKeyChain are the correct ones, but this is not the case.

So all I had to push is:

 

{"cert"=>"/Common/new_test.crt", "key"=>"//Common/new_test.key", "chain"=>"/Common/new_test.crt"}

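An added example, not code from the original posts: edit a copy of the fetched profile, send only the attributes that changed, and refuse a body that mixes certKeyChain with the profile-level cert, key or chain, which is what error 010717e7 rejects. The helper names and the trimmed sample profile are constructed for illustration; the resource path follows the URL used in the question.

```ruby
require 'json'

# Constructed sample: a trimmed stand-in for the profile a GET returns.
CURRENT = {
  "name" => "test_bastian",
  "partition" => "Common",
  "ciphers" => "DEFAULT",
  "cert" => "/Common/default.crt",
  "key" => "/Common/default.key",
  "chain" => "",
  "certKeyChain" => [{ "name" => "default", "cert" => "/Common/default.crt",
                       "key" => "/Common/default.key", "chain" => "" }]
}.freeze

# The two attribute groups that error 010717e7 says cannot be sent together.
PROFILE_LEVEL = %w[cert key chain].freeze
CHAIN_LEVEL   = %w[certKeyChain].freeze

# Hypothetical helper: keep only attributes whose value differs from the
# fetched profile, so the body carries the change and nothing else.
def minimal_update(current, desired)
  desired.reject { |attr, value| current[attr] == value }
end

# Hypothetical helper: true when a body mixes both attribute groups.
def conflicting?(payload)
  (payload.keys & PROFILE_LEVEL).any? && (payload.keys & CHAIN_LEVEL).any?
end

# The profile is selected by the resource path, not by the body.
def profile_path(partition, name)
  "ltm/profile/client-ssl/~#{partition}~#{name}"
end

# Hypothetical helper: returns the path and JSON body for the update.
def build_request(current, desired)
  body = minimal_update(current, desired)
  raise ArgumentError, "nothing to change" if body.empty?
  raise ArgumentError, "send cert/key/chain or certKeyChain, not both" if conflicting?(body)
  { path: profile_path(current["partition"], current["name"]), body: body.to_json }
end

# Edit a copy of the fetched profile, as in the question, then send only the diff.
edited = CURRENT.merge("cert" => "/Common/new_test.crt", "key" => "/Common/new_test.key",
                       "chain" => "/Common/new_test.crt")
req = build_request(CURRENT, edited)
# Sent with the session object from the question:
#   @session[req[:path]].put(req[:body], :content_type => :json)
```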

3 REPLIES

P_K
MVP

```
"certKeyChain"=>
[{"name"=>"default",
"cert"=>"/Common/default.crt", // this should be new_test.crt
"certReference"=>
```

 

Bastian123234_2
Nimbostratus

Thanks for your feedback PK, but I found the issue:

  • First of all, I pulled the whole profile, changed the settings and pushed it again. This does not work. You have to push only the values you want to change, in this case "cert", "key", and "chain".
  • Second: I tried to change the mentioned values in "certKeyChain", however there are other key/value pairs within the hash I needed to change. It is a bit confusing, since they have the same name, and from my point of view, it makes more sense that the ones in the certKeyChain are the correct ones, but this is not the case.

So all I had to push is:

 

{"cert"=>"/Common/new_test.crt", "key"=>"//Common/new_test.key", "chain"=>"/Common/new_test.crt"}

@Bastian123234_2  

Thanks for the solution. However, this is not working for me if I just send the payload you mentioned. I get an error "one or more configuration identifiers must be provided". Not sure what's missing. Any idea?

Also, in your request, where do you specify which SSL profile you need to update, since it's mentioned neither in the payload nor in your URL?