Forum Discussion

Fallout1984's avatar
Fallout1984
Icon for Cirrocumulus rankCirrocumulus
Sep 11, 2024

Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?

Currently, I'm having to manually update certs on our F5 and I'm wondering what other people are using to automate this. We use Sectigo which supports the Certbot F5 plugin, but a fellow tech that tested it said it doesn't work when a vserver has more than one SSL profile assigned.

 

Is anyone using the Certbot tool? If not, what tool are you using? I like to be able to automate this (and be confident it "just works").

 

Thanks!

automation
certificates
devops
  • TimRiker's avatar
    TimRiker
    Sep 11, 2024

    We're not yet in production with this. Testing certbot with patches from here:

    https://github.com/timriker/certbot

    and the bigip module to deploy from here:

    https://github.com/open-networks/certbot-bigip

    I'm looking for a system that will request certs using dns rfc 2136

    https://datatracker.ietf.org/doc/html/rfc2136

    and then push to multiple f5s to get region redundancy.

    Unfortunately there are issues. certbot does NOT handle CNAME entries in it's rfc-2136 support. We want this setup:

    • _acme-challenge.example.net CNAME example.net._tls.example.com
    • _acme-challenge.example.net CNAME example.net._tls.example.com
    • _acme-challenge.example.org CNAME example.net._tls.example.com

     

    zone _tls.example.com only has NS records pointing to locally hosted NS servers and is NOT replicated to DNS secondaries. TTL is set very low (300 seconds).

    certbot out of the box documents this type of CNAME setup, but does NOT implement it in the rfc2136 module. My fork has this updated from hpa's original patch.

    the existing certbot-bigip creates multiple certs on the f5s for SAN certs. This means a "wildcard" cert creates both of these:

    • example_org_Letsencrypt
    • wildcard_example_org_Letsencrypt

     

    where BOTH of these certs are the same cert supporting both names. This is a Bad Thing. the first would be enough. Also, we strongly prefer lowercase names, so "L"etsencrypt is a Bad Name. Also, rfc2136 can be used for multiple providers, not just letsencrypt. I'd prefer and uploaded cert with this naming:

    auto_example.org

    Let's Encrypt should support multiple wildcards in the same cert. So potentially I could have one cert covering:

    • example.com
    • *.example.com
    • example.net
    • *.example.net
    • example.org
    • *.example.org

     

    which would all be contained in a cert called auto_example.com

  • Aswin_mk's avatar
    Aswin_mk
    Icon for Cumulonimbus rankCumulonimbus
    Sep 11, 2024

    Not using it and we are using keyfactor orchestrator for cert automation using rest api. Setigo aswell possible to integrate with KF

  • TimRiker's avatar
    TimRiker
    Icon for Cirrocumulus rankCirrocumulus
    Sep 11, 2024

    We're not yet in production with this. Testing certbot with patches from here:

    https://github.com/timriker/certbot

    and the bigip module to deploy from here:

    https://github.com/open-networks/certbot-bigip

    I'm looking for a system that will request certs using dns rfc 2136

    https://datatracker.ietf.org/doc/html/rfc2136

    and then push to multiple f5s to get region redundancy.

    Unfortunately there are issues. certbot does NOT handle CNAME entries in it's rfc-2136 support. We want this setup:

    • _acme-challenge.example.net CNAME example.net._tls.example.com
    • _acme-challenge.example.net CNAME example.net._tls.example.com
    • _acme-challenge.example.org CNAME example.net._tls.example.com

     

    zone _tls.example.com only has NS records pointing to locally hosted NS servers and is NOT replicated to DNS secondaries. TTL is set very low (300 seconds).

    certbot out of the box documents this type of CNAME setup, but does NOT implement it in the rfc2136 module. My fork has this updated from hpa's original patch.

    the existing certbot-bigip creates multiple certs on the f5s for SAN certs. This means a "wildcard" cert creates both of these:

    • example_org_Letsencrypt
    • wildcard_example_org_Letsencrypt

     

    where BOTH of these certs are the same cert supporting both names. This is a Bad Thing. the first would be enough. Also, we strongly prefer lowercase names, so "L"etsencrypt is a Bad Name. Also, rfc2136 can be used for multiple providers, not just letsencrypt. I'd prefer and uploaded cert with this naming:

    auto_example.org

    Let's Encrypt should support multiple wildcards in the same cert. So potentially I could have one cert covering:

    • example.com
    • *.example.com
    • example.net
    • *.example.net
    • example.org
    • *.example.org

     

    which would all be contained in a cert called auto_example.com