Create a CSR and Key using the BigIP LTM GUI when renewing a certificate
Hi, I use the F5 Bigip LTM to create CSR's and Keys. I submit the CSR to our public CA to obtain the Certificate and then import the generated certificate to the F5. I use the F5 Certificate Management GUI as a database for all of our Public Certificates (as they are all in use in our SSL profiles). All this is good, however after 13 months when it is time to renew the certificate, I use the F5 GUI to renew the CSR. The problem is that the GUI does not allow me to create a new key when using the "Renew" option. I could use other command line tools for this, but it would be easier to manage in the F5 GUI. Does anyone know if there is a way to renew a certificate from the F5 GUI and have it create a new Key? For example click on "System / Certificate Management". Then click on a Public CA Certificate and click "Renew". Fill out the required fields and have it generate a new key. Any advice is appreciated.83Views0likes1CommentBIGIP device certificate - Ansible Error
Hi, I am trying to use bigip Ansible module for managing self-signed device certificates `bigip_device_certificate` Here is the snippet of task: - name: Device HTTPs certificate bigip_device_certificate: cert_name: "server.crt" key_name: "server.key" days_valid: 365 key_size: 4096 force: no new_cert: no issuer: country: "{{ device_cert.issuer_country }}" state: "{{ device_cert.issuer_state }}" organization: "{{ device_cert.issuer_org }}" division: "{{ device_cert.issuer_division }}" email: "{{ device_cert.issuer_email }}" locality: "{{ device_cert.issuer_locality }}" common_name: "{{ device_cert.common_name }}" provider: server: "{{ ansible_host }}" user: "{{ bigip_username }}" password: "{{ bigip_password }}" transport: cli server_port: 22 ssh_keyfile: ~/.ssh/id_rsa delegate_to: localhost So, the certificate on bigip isn't expired. But, for some reason, the above task fails for one of the devices (have two - worked on 1 of them) with below error: "/tmp/ansible_bigip_device_certificate_payload_lazf97h6/ansible_bigip_device_certificate_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_device_certificate.py\", line 452, in expired\nTypeError: '>' not supported between instances of 'int' and 'NoneType'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1 } I tried toggling the values for `force` and `new_cert` without any success. As per the error , seems something fails at `bigip_device_certificate.py` line 452. Below is the snippet of function around it: def expired(self): self.have = self.read_current_certificate() current_epoch = int(datetime.now().timestamp()) if current_epoch > self.have.epoch: return True return False Any ideas?396Views0likes0CommentsHow to deploy certificates with BIG-IQ
I'm wondering how I can create/import certificates (mainly ca bundles) on the BIG-IQ and deploy them to several or all of my BIG-IPs? Under "Configuration" I imported a CA bundle and it will be displayed as "Managed Certificate". But under "Evaluate & Deploy -> Local Traffic & Network" I can choose either: Partial Change: I can select the new certificate, but NO BIG-IP devices can be selected All Changes: Here I can select the BIG-IP devices I want, but the newly created certificate will NOT be displayed as configuration change Is this normal behavior, because just a certificate is not a "real" configuration item? How can I avieve this? Thank you! Regards Stefan 🙂Solved1.5KViews0likes3CommentsAn invalid or expired certificate was presented by the server
Hi Guys! So we are building a per-app VPN setup using Intune för iOS (iPADOS) units and we pushed out F5 Access app along with Intune F5 Access App which is then configured using F5 Access VPN profile using authentication with certificate which is pushed out to the device from internal CA using connector. Certificates for device is installed fine along side with root and intermediate, the profile in F5 Access app has all the settings correct and the certificate is listed. On server side we also configured everything with access policy for iOS, we have added certificate for root and intermediate for trust and everything looks as it should but we seem to have missed something and are unable to initiate a VPN connection, the device attempts to start a VPN tunnel but failes to do so with error "An invalid or expired certificate was presented by the server" What are we missing? Something with the ceritficates? a setting on device? something on server we missed adding the trust? 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:435, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:436, startTunnel(options:completionHandler:), Release Version: 3.0.7 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:437, startTunnel(options:completionHandler:), Bundle Version: 3.0.7.402 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:438, startTunnel(options:completionHandler:), Build Date: Mon Sep9 12:13:19 PDT 2019 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:439, startTunnel(options:completionHandler:), Build Type: CM 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:440, startTunnel(options:completionHandler:), Changelist: 3134102 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:441, startTunnel(options:completionHandler:), Locale: English (Sweden) 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:442, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:117, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:451, startTunnel(options:completionHandler:), Connection Parameters: Optional("serverAddress: https://ourserver.adress.com, password: , ignorePassword: false, passwordExpirationTimeStamp: -1, passwordReference: not-set, passwordExpired: false, identityReference: set, postLaunchUrl: , webLogon: false, launchedByUriScheme: false, vpnScope: device, startType: manual, deviceIdentity: assignedId: ,instanceId: ,udid: ,macAddress: ,serialNumber: ") 2021-05-11,15:36:54:229, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, AsyncURLRequest.swift:186, urlSession(_:didReceive:completionHandler:), Server certificate can not be trusted. 2021-05-11,15:36:54:233, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, ProfileDownloadOperation.swift:94, main(), Profile download failed: sslInvalidServerCertificate 2021-05-11,15:36:54:236, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, SessionManager.swift:127, logon(connectionParams:completionHandler:), Failed to download Profile Settings...Error:sslInvalidServerCertificate 2021-05-11,15:36:54:237, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:527, startTunnel(options:completionHandler:), Failed to logon Error Domain=f5PacketTunnelProvider Code=0 "An invalid or expired certificate was presented by the server" UserInfo={NSLocalizedFailureReason=Error Domain=PacketTunnel.AsyncURLRequestError Code=5 "An invalid or expired certificate was presented by the server", NSLocalizedDescription=An invalid or expired certificate was presented by the server} 2021-05-11,15:36:54:238, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:383, displayMessageIfUIVisible, An invalid or expired certificate was presented by the server Any thoughts be much appreciated! Thanks in advance Alex1.5KViews0likes1CommentSomehow corrupt SSL-files
Hi there, we have some strange behavior with some of our uploaded SSL-files (under System->File Management->SSL Certificate List). They will be correctly displayed on the overview list page, but if you click on it, the Certificate-tab shows "No certificate". And if you then click on the Key-tab, it just displays the error: "An error has occured while trying to process your request." If I check the filestore folder, I can see the corresponding entries in the certificate_d and certificate_key_d subfolder. Deleting these entries is also not possible. Here I get the error: "01020036:3: The requested Certificate File (/<partition-name>/<certificate-name>.crt) was not found." What's the reason for this? Is there any other reference to these configuration objects, other than in the bigip.conf file? How can I fix/delete these files manually? Fyi: this is running on 12.1.5.2 Thank you! Ciao Stefan :)567Views0likes2Commentstmsh command (displaying multiple select properties rather than all of them)
I'm displaying my cert profiles using tmsh and am wondering what the syntax is if I want to display more than one property at a time , rather than use "all-properties". Example: Combine the output of these two commands: tmsh list ltm profile client-ssl ciphers tmsh list ltm profile client-ssl options Thanks!324Views0likes1CommentSelect clientssl profile based on uri pattern
Hello everyone, I need some help with this scenario. I've found similar questions and suggestions from devcentral memebers but I'm stuck and haven't been able to come up with a solution. I have an API Management solution published through a single Virtual Server in my BigIP. There are several API's present on this solution and I would like to enforce client authentication with SSL\TLS certificates, but requiring a specific certificate depending on which API they will be requesting. In other words, if I have a single VS where I if the request is to: myapidomain.com/api-companyA, then I want to request the client certificate of Company A if the request is to: myapidomain.com/api-companyB, , then I want to request the client certificate of Company B if the request is to: myapidomain.com/general-public-api, then I don't want to use client authentication, just present the server certificate I think that it all comes down to choosing a different clientssl profile based on the uri pattern, but: I can only inspect the http request after the TLS negotation has been completed using the default ssl profile of the VS I cannot use the command to change the ssl profile inside the HTTP REQUEST event I have seen some related questions where they suggest to do something like this. But they are changing the current ssl profile to request client authentication, instead of changing the ssl profile. For testing purposes, I have setup two client ssl profiles, each of them requiring client authentication but using different self signed certificates. when HTTP_REQUEST { switch -glob [HTTP::path] { "/api-companyA" { HTTP::collect SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate // Another post suggested using SSL::profile here to change the profile, but it is not allowed inside HTTP REQUEST } "/api-companyB" { HTTP::collect SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate } } } Would it be possible to use a flag variable for this? For example, start with a default value, change it within the HTTP_REQUEST event based on the URI, force an SSL\TLS renegotiation and then in a CLIENT_ACCEPTED event use the value of that variable to set the profile? I tried something like this but it seems that the CLIENT_ACCEPTED method does not fire after the SSL::renegotiate command is issued. when RULE_INIT { set ::count 0 } when CLIENT_ACCEPTED { if{$::count == 1} { SSL::profile profile_with_client_authentication_companyA } } when HTTP_REQUEST { switch -glob [HTTP::path] { "/supervielledev/public-partners/myloopbackapi" { set ::count 1 SSL::renegotiate } "/supervielledev/public-partners/myotherloopbackapi" { set ::count 2 SSL::renegotiate } } } Thanks in advance.655Views0likes1CommentDoes server ssl profile check a web-server certificate validity ?
Hi :) I would like to know if a self created ssl server profile can check if some web-servers pool have valid certificate. I have a full proxy, client side works properly and server side also with default serverssl profile. But now we would like to create our own server ssl profile to validate web-servers certificates (if it's ok or if it's "insecure"). In server ssl profile we configure this options: Server Certificate: Require Untrusted Certificate Response Control: Drop The last option is "Trusted Certificate Authorities" that we have to specify CA of endpoint or a chain/bundle. We tried to add all CA (root+intermediate+server) in a bundle but fails, also try to put (root+intermediate) in the server profile but fails again. Finally try to put only "server" CA in the server profile but fails also. How we can accomplish this goal ? Thanks, Eric535Views0likes7Comments