Forum Discussion

Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP
Aug 02, 2022
Solved

Unable to update device cert

Hi! Working on a hobby project to manage F5 certificates using Kubernetes and cert-manager (Ref: https://community.f5.com/t5/technical-forum/kubernetes-cert-manager-letsencrypt-f5/td-p/299218). How...
devops
security
  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Aug 07, 2022

    Final solution:

     

     

    def set_management_cert(self, cert_name, key_name):

    self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.crt/{cert_name}')
    self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.key/{key_name}')

    self.session.put(
        f'https://{self.device}/mgmt/tm/sys/httpd',
        json={
            'sslCertfile': '/config/httpd/conf/ssl.crt/management.crt',
            'sslCertkeyfile': '/config/httpd/conf/ssl.key/management.key'}
    )
    try:
        logger.info('Restarting httpd')
        self.run_bash_command('bigstart restart httpd; killall -9 httpd;bigstart restart httpd;')
    except:
        logger.info('Waiting for management interface to restart')
        time.sleep(3)
        httpd_config = self.get_httpd_config()

        if os.path.basename(httpd_config['sslCertfile']) == cert_name \
                and os.path.basename(httpd_config['sslCertkeyfile']) == key_name:
            print('Certificate has been updated and the httpd interface is responding')
        else:
            raise Exception('Failed to update the certificate')

     

     

    Thank you for the suggestions and tips Dario_Garrido . Definitely helped me find the solution!

Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP

Came a bit further just now. Looks like SELinux might be making my life harder:

restorecon -RvF  /var/config/rest/downloads/management.crt /config/httpd/conf/ssl.crt/
restorecon -RvF  /var/config/rest/downloads/management.key /config/httpd/conf/ssl.key/

 Then the permission error goes away but restarting the service does not work. Then the article Dario_Garrido gave came in handy:

 

bigstart restart httpd
killall -9 httpd
bigstart restart httpd;

 

Will see if I can solve this further tomorrow. Good input with https://support.f5.com/csp/article/K13292945 Dario_Garrido . Saved me quite some time!

Kind regards,
Patrik

Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP
Aug 07, 2022

Final solution:

 

 

def set_management_cert(self, cert_name, key_name):

    self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.crt/{cert_name}')
    self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.key/{key_name}')

    self.session.put(
        f'https://{self.device}/mgmt/tm/sys/httpd',
        json={
            'sslCertfile': '/config/httpd/conf/ssl.crt/management.crt',
            'sslCertkeyfile': '/config/httpd/conf/ssl.key/management.key'}
    )
    try:
        logger.info('Restarting httpd')
        self.run_bash_command('bigstart restart httpd; killall -9 httpd;bigstart restart httpd;')
    except:
        logger.info('Waiting for management interface to restart')
        time.sleep(3)
        httpd_config = self.get_httpd_config()

        if os.path.basename(httpd_config['sslCertfile']) == cert_name \
                and os.path.basename(httpd_config['sslCertkeyfile']) == key_name:
            print('Certificate has been updated and the httpd interface is responding')
        else:
            raise Exception('Failed to update the certificate')

 

 

Thank you for the suggestions and tips Dario_Garrido . Definitely helped me find the solution!