Let's Encrypt with Cloudflare DNS and F5 REST API
Hi all This is a followup on the now very old Let's Encrypt on a Big-IP article. It has served me, and others, well but is kind of locked to a specific environment and doesn't scale well. I have been going around it for some time but couldn't find the courage (aka time) to get started. However, due to some changes to my DNS provider (they were aquired and shut down) I finally took the plunges and moved my domains to a provider with an API and that gave me the opportunity to make a more nimble solution. To make things simple I chose Cloudflare as the community proliferation is enormous and it is easy to find examples and tools. I though think that choosing another provide with an open API isn't such a big deal. After playing around with different tools I realized that I didn't need them as it ended up being much easier to just use curl. So, if the other providers have just a somewhat close resemblance it shouldn't be such a big task converting the scripts to fit. There might be finer and more advanced solutions out there, but my goal was that I needed a solution that had as few dependencies as possible and if I could make that only Bash and Curl it would be perfect. And that is what I ended up with š Just put 5 files in the same directory, adjust the config to your environment, and BAM you're good to go!!š» And if you need to run it somewhere else just copy the directory over and continue like nothing was changed. That is what I call portability š Find all the details here: Let's Encrypt with Cloudflare DNS and F5 REST API Please just drop me a line if you have any questions or feedback or find any bugs.
F5 BIGIP LetsEncrypt does not match the certificate
F5 BIG-IP 15.1.6.1 Estoy implementando en un F5 el manejo de certificados SSL de LetsEncrypt, encontre informacion aqui https://github.com/steveh565/f5-letsencrypt-http El tema es que me crea certificados pero muestra The issuer certificate (/Common/letsencrypt_full_chain.crt) does not match the certificate (/Common/patito.info_2022-10-07 Alguien a podido solucionar esto? Agradezco cualquier apoyo o tip.
Failure creating certificate acme challenge 404 error in BIG-IP F5 WAF
We have more than 600 government websites behind the BIG-IP system. We have done almost 60% of certificates created and offloaded. Suddenly we couldn't create any certificate and got the below error. This error not only for one website. Now we can't renew or create a new certificate. We use fanceg/letsencrypt -in GitHub to integrates Let's Encrypt with BigIP ( GitHub - fanceg/letsencrypt-bigip). INFO: Using main config file /etc/dehydrated/configProcessing verugal.ds.gov.lk Signing domains... Generating private key... Generating signing request... Requesting new certificate order from CA... Received 1 authorizations URLs from the CA Handling authorization for verugal.ds.gov.lk 1 pending challenge(s) Deploying challenge tokens... Responding to challenge for verugal.ds.gov.lk authorization... Cleaning challenge tokens... Challenge validation has failed : ( ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01" ["status"] "invalid" ["error","type"] "urn:ietf:params:acme:error:unauthorized" ["error","detail"] "Invalid response from http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1 [43.224.124.166]: 404" ["error","status"] 403 ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1 [43.224.124.166]: 404","status":403} ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995442889/eoq1dQ" ["token"] "CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE" ["validationRecord",0,"url"] "http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1" ["validationRecord",0,"hostname"] "verugal.ds.gov.lk" ["validationRecord",0,"port"] "80" ["validationRecord",0,"addressesResolved",0] "43.224.124.166" ["validationRecord",0,"addressesResolved"] ["43.224.124.166"] ["validationRecord",0,"addressUsed"] "43.224.124.166" ["validationRecord",0] {"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","hostname":"verugal.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"} ["validationRecord"] [{"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","hostname":"verugal.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}] ["validated"] "2021-05-10T04:46:36Z") Processing vrc.bopepoddala.ds.gov.lk Signing domains... Generating private key... Generating signing request... Requesting new certificate order from CA... Received 1 authorizations URLs from the CA Handling authorization for vrc.bopepoddala.ds.gov.lk 1 pending challenge(s) Deploying challenge tokens... Responding to challenge for vrc.bopepoddala.ds.gov.lk authorization... Cleaning challenge tokens... Challenge validation has failed : ( ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01" ["status"] "invalid" ["error","type"] "urn:ietf:params:acme:error:unauthorized" ["error","detail"] "Invalid response from http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y [43.224.124.166]: 404" ["error","status"] 403 ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y [43.224.124.166]: 404","status":403} ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995448812/pq_1KA" ["token"] "v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y" ["validationRecord",0,"url"] "http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y" ["validationRecord",0,"hostname"] "vrc.bopepoddala.ds.gov.lk" ["validationRecord",0,"port"] "80" ["validationRecord",0,"addressesResolved",0] "43.224.124.166" ["validationRecord",0,"addressesResolved"] ["43.224.124.166"] ["validationRecord",0,"addressUsed"] "43.224.124.166" ["validationRecord",0] {"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y","hostname":"vrc.bopepoddala.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"} ["validationRecord"] [{"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y","hostname":"vrc.bopepoddala.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}] ["validated"] "2021-05-10T04:46:58Z") Can anyone help me out with this issue? Are there any process changes or updates in letsencrypt site or BIG-IP intigrations? Due to this lots of government websites affected!
Weird problem with Letsencrypt and SNI
Hello, Im facing a problem with a VIP which has more than 1 certificate, Im adding an SNI certificate , and then another certificates which has been made by letsencrypt script for f5. if client visit example.com the certificate loads well. if client visit it loads the default sni certificate.. in the certificate san it has both www and non-www certificate. What could cause such issue? anyone else has faced this problem? Thanks!
