Forum Discussion

Greg_Jewett's avatar
Greg_Jewett
Icon for Cirrus rankCirrus
Jul 30, 2024

AS3 w/ certificates and renewals..

So, I found myself in a little bit of a quandary with the use AS3 declarations to deploy our F5 configurations for our services.   So to create a virtual server with SSL certificate and profiles, an...
AS3
certificate
devops
ssl
  • Greg_Jewett's avatar
    Greg_Jewett
    Aug 07, 2024

    I appreciate the response.   We have already made an extensive investment in AS3, so we are not backing out of that.  For the new setup, we are forgoing the Python script that we used in the past to renew certificates - due to it breaking the source of truth of AS3.

    So I have some ideas, and we do have the Ansible Automation Platform (AAP), so I think we will be writing a playbook that will basically do the following:

    1. Use a home-made python based AAP plugin that will scan all the files in our GitHub repository.  It will return a list of files that have expired certificates within, based on a threshold date. 
    2. Read in each file into a JSON variable, this would be the entire declaration.  I am doing this, so it will be easy to literally pull out the certificate(s) into a separate variable using JSON/YAML references. 
    3. Pull out the Common Name and any SANs from the existing certificate.
    4. Generate a new CSR / private key based on info above.
    5. Using ACME, generate a new certificate.
    6. Insert the certificate and new key into the JSON/YAML structure (again using the references, using an assignment).
    7. Write out the JSON/YAML structure to a file, and upload up to Github, replace what exists (new version, and all).
    8. Do a push and pull request (all automated).
    9. Then run the two plays I have that fetch the declaration from GitHub and deploy it (thus renewing the certificate) -- all using the source of truth.

     

    I am sure you saw that I am uploading the certificate and key to the GitHub repository.  Right now  -- yes -- probably a bad practice, but one we are following until we get everything migrated.   The GitHub repository is private to myself and the service owners (white list access only), which is a stopgap.   During and after migration -- I will be working on pulling the private keys out, and putting references there instead, that I would read and fetch the appropriate private key from a safer storage location, and then insert it into a read in declaration  -- then deploy it, all from memory, and the private key is purged from memory once the playbook ends.

Zdenek's avatar
Zdenek
Icon for Cirrus rankCirrus
Jul 31, 2024

Well you dont have many options to solve it. This is something I was already thinking about, discussed with few F5 guys and here are the options:

  1. add SSL cert and key to every declaration where needed and (re)deploy declaration
    • Not that easy as you wrote, but could be done if you use automation
    • you do NOT want to have SSL private key anywhere in the declaration. SSL private key is not made to be stored just somewhere, you probably know..
  2. store SSL certificate and key to Common and use it in AS3 declaration
    • if you use partitioned environment then your Common partition might be messed up with certificates used by services in the partitions
    • any SSL certificate name change (we for example include some tags and date in the cert name as part of naming standard - automated) needs AS3 declaration update

 

I also use python to automate SSL cert lifecycle, and this is one of the reasons we have stayed away from AS3.

We have defined source of truth and our way of automation, but with AS3 we are forced to do it differently. And dont forget that with Bigip NEXT you have no Rest API, but just AS3...

 

This is pain yes, also to us, would be nice to get more people involved in this thread.