INFORM: Entrust CA will be untrusted in Chrome after Oct 31, 2024
If you manage certs from Entrust in your environment, this will impact your Google Chrome users, so intermediate certs will likely need to be bundled to handle this in your clientssl profiles OR if you control all the clients you can assure that explicit trust in the clients is enabled for Entrust CAs. Google details on the situation
Unable to login with Certificate Manager local user
I've created a local user account with the Certificate Manager role on All partitions - and have enabled tmsh access. However, when I attempt to login with this account - either GUI or SSH - I am receiving a login failed message. We don't have any password enforcement in place and access restrictions are tied to the RFC1918 address space, so that is not coming into play. We have remote auth (TACACS) enabled with fallback to local and other local accounts are able to login successfully. Thoughts? Version: 17.1.1.2 Username - cert-mgr Role - Certificate Manager Partition: All Terminal Access: tmsh Wed Sep 11 10:51:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 10:51:18 2024" end="Wed Sep 11 10:51:20 2024").: Wed Sep 11 11:00:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 11:00:18 2024" end="Wed Sep 11 11:00:20 2024").:
Create a CSR and Key using the BigIP LTM GUI when renewing a certificate
Hi, I use the F5 Bigip LTM to create CSR's and Keys. I submit the CSR to our public CA to obtain the Certificate and then import the generated certificate to the F5. I use the F5 Certificate Management GUI as a database for all of our Public Certificates (as they are all in use in our SSL profiles). All this is good, however after 13 months when it is time to renew the certificate, I use the F5 GUI to renew the CSR. The problem is that the GUI does not allow me to create a new key when using the "Renew" option. I could use other command line tools for this, but it would be easier to manage in the F5 GUI. Does anyone know if there is a way to renew a certificate from the F5 GUI and have it create a new Key? For example click on "System / Certificate Management". Then click on a Public CA Certificate and click "Renew". Fill out the required fields and have it generate a new key. Any advice is appreciated.
BIGIP device certificate - Ansible Error
Hi, I am trying to use bigip Ansible module for managing self-signed device certificates `bigip_device_certificate` Here is the snippet of task: - name: Device HTTPs certificate bigip_device_certificate: cert_name: "server.crt" key_name: "server.key" days_valid: 365 key_size: 4096 force: no new_cert: no issuer: country: "{{ device_cert.issuer_country }}" state: "{{ device_cert.issuer_state }}" organization: "{{ device_cert.issuer_org }}" division: "{{ device_cert.issuer_division }}" email: "{{ device_cert.issuer_email }}" locality: "{{ device_cert.issuer_locality }}" common_name: "{{ device_cert.common_name }}" provider: server: "{{ ansible_host }}" user: "{{ bigip_username }}" password: "{{ bigip_password }}" transport: cli server_port: 22 ssh_keyfile: ~/.ssh/id_rsa delegate_to: localhost So, the certificate on bigip isn't expired. But, for some reason, the above task fails for one of the devices (have two - worked on 1 of them) with below error: "/tmp/ansible_bigip_device_certificate_payload_lazf97h6/ansible_bigip_device_certificate_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_device_certificate.py\", line 452, in expired\nTypeError: '>' not supported between instances of 'int' and 'NoneType'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1 } I tried toggling the values for `force` and `new_cert` without any success. As per the error , seems something fails at `bigip_device_certificate.py` line 452. Below is the snippet of function around it: def expired(self): self.have = self.read_current_certificate() current_epoch = int(datetime.now().timestamp()) if current_epoch > self.have.epoch: return True return False Any ideas?An invalid or expired certificate was presented by the server
Hi Guys! So we are building a per-app VPN setup using Intune för iOS (iPADOS) units and we pushed out F5 Access app along with Intune F5 Access App which is then configured using F5 Access VPN profile using authentication with certificate which is pushed out to the device from internal CA using connector. Certificates for device is installed fine along side with root and intermediate, the profile in F5 Access app has all the settings correct and the certificate is listed. On server side we also configured everything with access policy for iOS, we have added certificate for root and intermediate for trust and everything looks as it should but we seem to have missed something and are unable to initiate a VPN connection, the device attempts to start a VPN tunnel but failes to do so with error "An invalid or expired certificate was presented by the server" What are we missing? Something with the ceritficates? a setting on device? something on server we missed adding the trust? 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:435, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:436, startTunnel(options:completionHandler:), Release Version: 3.0.7 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:437, startTunnel(options:completionHandler:), Bundle Version: 3.0.7.402 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:438, startTunnel(options:completionHandler:), Build Date: Mon Sep9 12:13:19 PDT 2019 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:439, startTunnel(options:completionHandler:), Build Type: CM 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:440, startTunnel(options:completionHandler:), Changelist: 3134102 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:441, startTunnel(options:completionHandler:), Locale: English (Sweden) 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:442, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:117, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:451, startTunnel(options:completionHandler:), Connection Parameters: Optional("serverAddress: https://ourserver.adress.com, password: , ignorePassword: false, passwordExpirationTimeStamp: -1, passwordReference: not-set, passwordExpired: false, identityReference: set, postLaunchUrl: , webLogon: false, launchedByUriScheme: false, vpnScope: device, startType: manual, deviceIdentity: assignedId: ,instanceId: ,udid: ,macAddress: ,serialNumber: ") 2021-05-11,15:36:54:229, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, AsyncURLRequest.swift:186, urlSession(_:didReceive:completionHandler:), Server certificate can not be trusted. 2021-05-11,15:36:54:233, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, ProfileDownloadOperation.swift:94, main(), Profile download failed: sslInvalidServerCertificate 2021-05-11,15:36:54:236, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, SessionManager.swift:127, logon(connectionParams:completionHandler:), Failed to download Profile Settings...Error:sslInvalidServerCertificate 2021-05-11,15:36:54:237, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:527, startTunnel(options:completionHandler:), Failed to logon Error Domain=f5PacketTunnelProvider Code=0 "An invalid or expired certificate was presented by the server" UserInfo={NSLocalizedFailureReason=Error Domain=PacketTunnel.AsyncURLRequestError Code=5 "An invalid or expired certificate was presented by the server", NSLocalizedDescription=An invalid or expired certificate was presented by the server} 2021-05-11,15:36:54:238, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:383, displayMessageIfUIVisible, An invalid or expired certificate was presented by the server Any thoughts be much appreciated! Thanks in advance AlexGet all certificates and their virtual servers and SSL profiles via API calls
Problem this snippet solves: Summary F5 will give you a decent report of all your certificates and their expiration dates. However I have not found a way to pull what Virtual Server or SSL Profile the certificates are applied to (or if they are used at all). What this code does is grabs all the virtual servers, all SSL profiles, and all certificates. Then it loops through them to find where a certificate is applied. Then it returns the certificate and virtual server info. I wrote this in C# but the logic can be used anywhere as the API calls are independent of language. How to use this snippet: You will need some way to compile C#. Easiest way is to use Visual Studio. Simply add your API credentials and IP addresses and run the code through a C# compiler. Code : https://github.com/matthewwedlow/F5_Scripts/blob/master/GetCerts.cs
