howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api

Differences

This shows you the differences between two versions of the page.

Old revision: howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [26/02/2022 13:02] – [Installation] domingo
New revision: howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [05/08/2022 13:17] – [Let's Encrypt with Cloudflare DNS and F5 REST API] domingo
Line 6: Line 6:
  
 All provisioning and deployment of the certificates are done via the API on the Big-IP to make it as location agnostic as possible.  All provisioning and deployment of the certificates are done via the API on the Big-IP to make it as location agnostic as possible. 
 +
 +
 +----
 +
 +//Update 05-08-2022:// After some interesting customer cases I implemented the option to use token authentication instead of basic authentication. Token is now default in the hook script.
 +It would seem like that using basic authentication is putting extra stress on the BigIP and it could fail to complete the requests.
 +
 +You can find some of the errors you might see here, all worked around using tokens:
 +
 +[[https://cdn.f5.com/product/bugtracker/ID1025513.html|Bug ID 1025513: PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog]]
 +
 +[[https://cdn.f5.com/product/bugtracker/ID1035661.html|Bug ID 1035661: REST Requests return 401 Unauthorized when using Basic Auth]]
 +
 +[[https://cdn.f5.com/product/bugtracker/ID1010341.html|Bug ID 1010341: Slower REST calls after update for CVE-2021-22986]]
 +
 +If you are using external authentication you must use token based authentication as it is the only one supported:
 +
 +[[https://support.f5.com/csp/article/K15234904|K15234904: Basic or Token Auth for a successful F5 REST API call?]]
 +
 +----
  
 ===== Requirements ===== ===== Requirements =====
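Review bot: the update note states that token authentication is now the default in the hook script, but the added paragraph does not say how a reader switches back to basic authentication, how long an issued token remains valid, or whether the hook removes the token when the run finishes; one sentence covering those three points would make the "Token is now default" change usable without reading the script. Two smaller points in the same hunk: the third link (Bug ID 1010341, slower REST calls after the CVE-2021-22986 update) describes a slowdown rather than an error, so "some of the errors you might see" slightly misstates it, and "It would seem like that using basic authentication is putting extra stress" should read "It would seem that using basic authentication puts extra stress".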
Line 44: Line 64:
   * KEY_ALGO=rsa   * KEY_ALGO=rsa
   * CONTACT_EMAIL=someone@example.com   * CONTACT_EMAIL=someone@example.com
 +  * PREFERRED_CHAIN="ISRG Root X1"
 +
 +I had to specify the "PREFERRED_CHAIN" variable due to some Android quirks and the expired "DST Root CA X3" root. For a more detailed explanation look here [[https://ikarus.sg/lets-encrypt-dot-android/|Let's Encrypt and DNS over TLS Hell on Android]]
  
 I have to use RSA certificates due to some SNI limitations in the F5 configuration. If you want to run EC certificates the script works just as well. I have to use RSA certificates due to some SNI limitations in the F5 configuration. If you want to run EC certificates the script works just as well.
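Review bot: the new PREFERRED_CHAIN="ISRG Root X1" item is the only entry in the list whose value is quoted, and the reason (the value contains a space, unlike KEY_ALGO=rsa or CONTACT_EMAIL above) is not stated, so a reader copying the pattern may drop or add quotes in the wrong place; a short clause in the explanation paragraph would settle it. The explanation sentence also runs straight into the link without punctuation: "For a more detailed explanation look here" should end with a colon or period before the [[https://ikarus.sg/...]] link, and since the Android quirk is described only by reference, one clause saying what the quirk is would save the reader a click.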
howtos/let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api.txt · Last modified: 05/08/2022 13:57 by domingo