howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api

Previous revision: howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [27/02/2022 17:23] – [Configuration] domingo
Next revision: howtos:let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api [05/08/2022 13:33] – [Configuration] domingo
Line 6: Line 6:
  
 All provisioning and deployment of the certificates are done via the API on the Big-IP to make it as location agnostic as possible.  All provisioning and deployment of the certificates are done via the API on the Big-IP to make it as location agnostic as possible. 
 +
 +
 +----
 +
 +//Update 05-08-2022:// After some interesting customer cases I implemented the option to use token authentication instead of basic authentication. Token is now default in the hook script.
 +It would seem like that using basic authentication is putting extra stress on the BigIP and it could fail to complete the requests.
 +
 +You can find some of the errors you might see here, all worked around using tokens:
 +
 +[[https://cdn.f5.com/product/bugtracker/ID1025513.html|Bug ID 1025513: PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog]]
 +
 +[[https://cdn.f5.com/product/bugtracker/ID1035661.html|Bug ID 1035661: REST Requests return 401 Unauthorized when using Basic Auth]]
 +
 +[[https://cdn.f5.com/product/bugtracker/ID1010341.html|Bug ID 1010341: Slower REST calls after update for CVE-2021-22986]]
 +
 +If you are using external authentication you must use token based authentication as it is the only one supported:
 +
 +[[https://support.f5.com/csp/article/K15234904|K15234904: Basic or Token Auth for a successful F5 REST API call?]]
 +
 +----
  
 ===== Requirements ===== ===== Requirements =====
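Review bot: the update makes token authentication the default in the hook script, but nothing in this hunk says where the token is obtained, how long the script holds it, or what happens when the token request itself fails; add a sentence stating which endpoint the hook logs in to, that the token is used for the run only and then deleted or left to expire, and the failure behaviour, otherwise a reader coming from the basic-auth setup cannot tell whether anything else on the Big-IP must change. The sentence "It would seem like that using basic authentication is putting extra stress on the BigIP" states a load problem, while the three bug IDs linked right below it (tallylog lock failure in the PAM authenticator, 401 Unauthorized with Basic Auth, slower REST calls after the CVE-2021-22986 fix) describe specific failures that tokens avoid; rewording to "basic authentication can trigger the following bugs, all of which are avoided with tokens" keeps the text consistent with the references and stops the reader from hunting for a performance tuning. Grammar: "Token is now default" should read "Token is now the default", and "It would seem like that using" should read "It seems that using".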
Line 57: Line 77:
  
 You need to set these to fit your environment. I recommend that you setup your F5 HA configuration to automatic sync, so when new certificates gets installed they are automatically sync between the units. You need to set these to fit your environment. I recommend that you setup your F5 HA configuration to automatic sync, so when new certificates gets installed they are automatically sync between the units.
 +
 +----
 +//Update 05-08-2022:// I have changed the "F5_AUTH" parameter a bit to enable support for token based authentication.
 +
 +You will see that two new variables has emerged, "username" and "pwd". This is to be able to use the account information in both basic- and token authentication, as token based uses them in the json body, so we need be able to then in different constructs.
 +
 +The "F5_AUTH" variable is now constructed as a complete "flag value-pair" to be inserted agnosticly in all the curl commands. It required some trixing as curl doesn't like having the flag in the variable. After some googling I found that by creating the variable as an array it all came together. That is why you see the variable used like this: "${F5_AUTH[@]}"     
 +
 +----
 +
  
 === F5 === === F5 ===
-When the hook script deploys the certificates to the Big-IP it will apply an OCSP configuration on to it. This is to make OCSP stapling possible and it gives the certificates a nice green satisfying dot in the overview :-D+When the hook script deploys the certificates to the Big-IP it will apply an OCSP configuration on to it. This is to make OCSP stapling possible and it gives the certificates a nice green satisfying dot in the overview ^_^ 
  
 Some day I might make the this configuration part of the hook script but for now you will need to install the certificate bundle "R3_LE_2025" (and call it that when you import it or change the name in the hook script). You will find it in the zip file at the bottom of the page. Some day I might make the this configuration part of the hook script but for now you will need to install the certificate bundle "R3_LE_2025" (and call it that when you import it or change the name in the hook script). You will find it in the zip file at the bottom of the page.
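Review bot: the paragraph explaining "username" and "pwd" says the credentials now go into the JSON body for token authentication but does not say how that body reaches curl; if it is built inline as a command-line argument the password is visible in the process list and in any shell tracing, so the text should tell the reader to feed the login body from a file or stdin and to keep `set -x` off around that call. The `"${F5_AUTH[@]}"` array expansion is a bash construct, so the hunk should also state that the hook script requires bash rather than /bin/sh, since that is the reason the flag-in-variable problem it describes went away. Wording in the same paragraph: "two new variables has emerged" should be "two new variables have emerged", "so we need be able to then in different constructs" should be "so we need to be able to use them in different constructs", "trixing" should be "trickery", and "agnosticly" should be "agnostically". The emoticon swap on the F5 heading line and the unchanged R3_LE_2025 bundle text need no comment.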
howtos/let_s_encrypt_-_how_to_issue_certificates_with_cloudflare_dns_and_f5_rest_api.txt · Last modified: 05/08/2022 13:57 by domingo