ACME DNS RFC-2136 Let's Encrypt certs
I've been pushing on certbot to handle CNAME entries when ordering certs, and finally given up. https://github.com/certbot/certbot/issues/6787 https://github.com/certbot/certbot/pull/9970 https://github.com/certbot/certbot/pull/7244 This repo contains scripts that: Create an ACME account with Let's Encrypt use TSIG credentials to talk to bind (RFC-2136) create TXT record in correct zone by following CNAME and SOA entries if present downloads certs installs certs on one or more F5s. The F5 credentials requires Administrator rights as Certificate Manager can't upload files. https://github.com/timriker/certmgr CNAME records are recommended to a zone with minimal or no replication and a low TTL. ie: _acme-challenge.example.com CNAME example.com._tls.example.com _acme-challenge.example.net CNAME example.net._tls.example.com _tls.example.com would have one name server and 30 second TTL or so a TSIG key would be created that only needs update access to _tls.example.com Comments welcome. JRahm I'm looking at you. 😎 More info: https://letsencrypt.org/docs/challenge-types/
Run mkdir over iControl REST for disappearing /var/config/rest/downloads/tmp
Hello, I am currently writing the code for automating our ssl cert deployment among other things. I upload files to the Bigip device to shared/file-transfer/uploads/ This only works when the directory /var/config/rest/downloads/tmp exists. I noticed this periodically is removed again. Is there a way I can run an mkdir over REST to fix this? Regards
Remote Logging of Log Files
I've configured F5 Big IP to send logs to a remote location. However it sends several messages. I know it is possible to configure log levels from 'Options' (critical, emergency, etc.) What I want to learn that, is it possible to configure remote logging such that sends only LTM logs (I mean logs written to /var/log/ltm file, only)?
BIGIP system can't access internet with proxy
Hi, I'm trying to configure a LTM cluster to access internet through a proxy. The goal is to re-activate licence in automatic mode. I tried to configure the proxy parameters with this SOL: "Optional: If the BIG-IP system connects to the Internet using a forward proxy server, set these system database variables. Type tmsh modify sys db proxy.host value hostname to specify the host name of the proxy server. Type tmsh modify sys db proxy.port value port_number to specify the port number of the proxy server." But when I click on reactivate licence I have a timeout. If anyone had a solution. Thanks
Which attack signature sets does contain others?
My application is running on Apache Tomcat and there is one signature set with such name. Of course, I enabled it. The question is should I also enable sets referred to e.g. Apache, Java Servlets? Or maybe required signatures are containing in Apache Tomcat set already?Network interface naming convention
I know that the naming convention that applies to network interfaces is s.p where s is the slot and p is the port, as in 1.1. When I check my Viprion I see thinks like 1/1.1 and 2/1.1 so I'd say that the naming convention in this case would be b/s.p where b is blade and it seems that slot is always 1 for each blade. Knowing all this I check now the network interfaces in my vCMP guests and I see thinks like 1/0.3, 1/0.4, 1/0.5 and 1/0.6 in one of the guests and 1/0.7, 1/0.8, 1/0.9 and 1/0.10 And I wonder, which is the naming convention for a vCMP system? It seems that ports 3,4,5,6 are assigned to first guest and 7,8,9,10 to the second one. Are port numbers 1 and 2 then reserved ports in any way? Why there are 4 ports? (has it something to do with the number of cores assigned to the guest? I'm trying to understand all this, and I'm not finding documentation about this subjects :(
FIPS Errors
Hi I am seeing the following error being logged: iControlPortal.cgi[14845]: Checking for FIPS card.. FIPS open failed The device itself does not have FIPS installed: root@(device01)(cfg-sync Standalone)(Active)(/Common)(tmos) fips-util No supported FIPS device found How do I stop these errors from being generated?
