howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api

howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [26/02/2022 12:58] – [Configuration] domingo
howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [27/02/2022 17:23] – [Configuration] domingo
Line 44: Line 44:
   * KEY_ALGO=rsa   * KEY_ALGO=rsa
   * CONTACT_EMAIL=someone@example.com   * CONTACT_EMAIL=someone@example.com
 +  * PREFERRED_CHAIN="ISRG Root X1"
 +
 +I had to specify the "PREFERRED_CHAIN" variable due to some Android quirks and the expired "DST Root CA X3" root. For a more detailed explanation look here [[https://ikarus.sg/lets-encrypt-dot-android/|Let's Encrypt and DNS over TLS Hell on Android]]
  
 I have to use RSA certificates due to some SNI limitations in the F5 configuration. If you want to run EC certificates the script works just as well. I have to use RSA certificates due to some SNI limitations in the F5 configuration. If you want to run EC certificates the script works just as well.
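Review bot: the new PREFERRED_CHAIN line and the paragraph under it should say what the value actually selects: "ISRG Root X1" picks the alternate chain Let's Encrypt offers, the one that ends at ISRG Root X1 instead of the default chain cross-signed by the expired "DST Root CA X3", and the string has to match that issuer name exactly, which is why it is quoted (the space would otherwise break the assignment). Worth one more sentence that this is a trade-off rather than a pure fix: the chain that satisfies validators which reject the expired root is not the long chain the old-Android quirk relied on, so say which clients were tested with the short chain. Minor wording: "look here" reads better as "see".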
Line 56: Line 59:
  
 === F5 === === F5 ===
-When the hook script deploys the certificates to the Big-IP it will apply an OCSP configuration on it. This is to make OCSP stapling possible and it gives the certificates a nice green satisfying dot in the overview :-D+When the hook script deploys the certificates to the Big-IP it will apply an OCSP configuration on to it. This is to make OCSP stapling possible and it gives the certificates a nice green satisfying dot in the overview :-D
  
-Some day I might make the this configuration part of the hook script but for now you will need to install the certificate bundle "R3_LE_2025" (and call it that when you import it). You will find it in the zip file at the bottom of the page.+Some day I might make the this configuration part of the hook script but for now you will need to install the certificate bundle "R3_LE_2025" (and call it that when you import it or change the name in the hook script). You will find it in the zip file at the bottom of the page.
 Also, you need to configure an OCSP object with these settings: Also, you need to configure an OCSP object with these settings:
 <file> <file>
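Review bot: the bundle name "R3_LE_2025" is hard-coded in the hook script, and the revised sentence tells the reader to either reuse that exact name on import or edit the script; better to read the name from the same config file that already carries KEY_ALGO and CONTACT_EMAIL so the script never needs patching, and to say plainly that the imported bundle, the OCSP object and the hook must all use the same name or the OCSP configuration the hook applies will point at a bundle that does not exist. The name also implies the bundle tracks the "R3" intermediate, so note that it has to be replaced when that intermediate changes. Wording: "apply an OCSP configuration on to it" should be "to it", and "make the this configuration" has a stray "the".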
Line 84: Line 87:
 If all goes well you should end up with a set of certificates and client ssl profiles called "auto_<domain>" on your Big-IP installation. If all goes well you should end up with a set of certificates and client ssl profiles called "auto_<domain>" on your Big-IP installation.
  
-Note that the script only maintains the certificates and profiles, you still need to assign them to the actual virtual servers.+Note that the script only maintains the certificates and profiles, you still need to assign them to the actual virtual servers to put them into effect.
  
  
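Review bot: the added "to put them into effect" is fine, but the sentence should also say whether the manual assignment is a one-time step: if the hook updates the existing "auto_<domain>" client ssl profile in place on renewal, the virtual servers keep working after the first assignment; if it recreates the profile, the assignment has to be redone every cycle. Stating which of the two applies saves the reader a surprise on the first renewal.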
howtos/let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api.txt · Last modified: 05/08/2022 13:57 by domingo