howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api
howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [26/02/2022 13:01] – [Configuration] domingo | howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [05/08/2022 13:33] – [Configuration] domingo | ||
---|---|---|---|
Line 6: | Line 6: | ||
All provisioning and deployment of the certificates are done via the API on the Big-IP to make it as location agnostic as possible. | All provisioning and deployment of the certificates are done via the API on the Big-IP to make it as location agnostic as possible. | ||
+ | |||
+ | |||
+ | ---- | ||
+ | |||
+ | //Update 05-08-2022:// | ||
+ | It would seem like that using basic authentication is putting extra stress on the BigIP and it could fail to complete the requests. | ||
+ | |||
+ | You can find some of the errors you might see here, all worked around using tokens: | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | If you are using external authentication you must use token based authentication as it is the only one supported: | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ---- | ||
===== Requirements ===== | ===== Requirements ===== | ||
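Review bot: the update says basic authentication can stress the BIG-IP and that external authentication only works with token-based authentication, but it does not say how the hook handles the token: whether it requests one per run, reuses it across the API calls, or removes it when the run finishes. Suggest one sentence on the token's lifetime and cleanup so readers know what credential material the script leaves behind on the BIG-IP.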
Line 44: | Line 64: | ||
* KEY_ALGO=rsa | * KEY_ALGO=rsa | ||
* CONTACT_EMAIL=someone@example.com | * CONTACT_EMAIL=someone@example.com | ||
+ | * PREFERRED_CHAIN=" | ||
+ | |||
+ | I had to specify the " | ||
I have to use RSA certificates due to some SNI limitations in the F5 configuration. If you want to run EC certificates the script works just as well. | I have to use RSA certificates due to some SNI limitations in the F5 configuration. If you want to run EC certificates the script works just as well. | ||
Line 54: | Line 77: | ||
You need to set these to fit your environment. I recommend that you setup your F5 HA configuration to automatic sync, so when new certificates gets installed they are automatically sync between the units. | You need to set these to fit your environment. I recommend that you setup your F5 HA configuration to automatic sync, so when new certificates gets installed they are automatically sync between the units. | ||
+ | |||
+ | ---- | ||
+ | //Update 05-08-2022:// | ||
+ | |||
+ | You will see that two new variables has emerged, " | ||
+ | |||
+ | The " | ||
+ | |||
+ | ---- | ||
+ | |||
=== F5 === | === F5 === | ||
- | When the hook script deploys the certificates to the Big-IP it will apply an OCSP configuration on to it. This is to make OCSP stapling possible and it gives the certificates a nice green satisfying dot in the overview | + | When the hook script deploys the certificates to the Big-IP it will apply an OCSP configuration on to it. This is to make OCSP stapling possible and it gives the certificates a nice green satisfying dot in the overview |
Some day I might make the this configuration part of the hook script but for now you will need to install the certificate bundle " | Some day I might make the this configuration part of the hook script but for now you will need to install the certificate bundle " | ||
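Review bot: grammar in the second update, "two new variables has emerged" should read "two new variables have emerged"; while editing that paragraph, say explicitly that both variables belong to the same token-based authentication change described in the first update, so a reader who lands on this section knows why they appeared.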
Line 84: | Line 117: | ||
If all goes well you should end up with a set of certificates and client ssl profiles called " | If all goes well you should end up with a set of certificates and client ssl profiles called " | ||
- | Note that the script only maintains the certificates and profiles, you still need to assign them to the actual virtual servers. | + | Note that the script only maintains the certificates and profiles, you still need to assign them to the actual virtual servers |
howtos/let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api.txt · Last modified: 05/08/2022 13:57 by domingo