mhite_60883
Jun 13, 2013 (Cirrocumulus)
Thanks, Aaron. It's good to know this is a bug I am encountering and not simply operator error. I usually presume it's my fault, and then when I get stumped, I come here and beg for help... ;)
The workaround you mention is indeed how we initially upload certificates/keys to load balancers. But when you need to go replace them, those methods no longer work. The API calls certificate_import_from_pem and key_import_from_pem do have a flag to let you overwrite, but really in practice this does you no good because the load balancer will throw an error telling you the key does not match the cert. Nor can you combine the two calls into a single atomic operation/transaction. Hence my efforts to explore the import_from_archive_stream as a method of updating existing certificates.
This is actually my ugly hack/work-around for now:
tmsh_cmd = "echo \"cd /%s; create cli transaction; modify sys file ssl-cert %s.crt source-path %s; modify sys file ssl-key %s.key source-path %s; submit cli transaction\" | tmsh -q" % (partition, identifier, urlpath_cer, identifier, urlpath_key)
That's basically the command that's constructed and passed via ssh to the load balancer to run remotely. The silly echo thing is because normally tmsh doesn't want to let you invoke transactions via a plain "tmsh" command -- it wants you to actually be in an interactive tmsh session. The echo pipe fakes it out and luckily it all works.
Ideally, I don't want to be spawning remote ssh commands to perform these actions -- I'd much rather do this 100% through iControl.
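Added example, not part of mhite_60883's post: the same tmsh transaction built with input validation, so a partition, object name or source path taken from elsewhere cannot smuggle an extra `;`-separated tmsh command or shell metacharacter into the remote session. The function names, the allowlist patterns and the idea of feeding the script over ssh's stdin instead of a remote `echo` are assumptions made for this sketch.

```python
import re
import subprocess

# Assumed allowlists (not from the original post): conservative character
# sets for the partition/object names, the ssh target and the source paths.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.@-]{0,254}")
_URL_RE = re.compile(r"(?:file|https)://[A-Za-z0-9_./:%-]+")


def build_tmsh_transaction(partition, identifier, urlpath_cer, urlpath_key):
    """Return the one-line tmsh script that swaps cert and key atomically."""
    checks = (
        ("partition", partition, _NAME_RE),
        ("identifier", identifier, _NAME_RE),
        ("urlpath_cer", urlpath_cer, _URL_RE),
        ("urlpath_key", urlpath_key, _URL_RE),
    )
    for label, value, pattern in checks:
        # fullmatch rejects spaces, quotes, ';' and newlines anywhere in the value
        if not pattern.fullmatch(value):
            raise ValueError("unsafe %s: %r" % (label, value))
    commands = [
        "cd /%s" % partition,
        "create cli transaction",
        "modify sys file ssl-cert %s.crt source-path %s" % (identifier, urlpath_cer),
        "modify sys file ssl-key %s.key source-path %s" % (identifier, urlpath_key),
        "submit cli transaction",
    ]
    # Same bytes the original `echo "..."` would have written to tmsh's stdin.
    return "; ".join(commands) + "\n"


def replace_cert_and_key(host, partition, identifier, urlpath_cer, urlpath_key):
    """Run the transaction on `host`; the script travels on ssh's stdin."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("unsafe host: %r" % (host,))
    script = build_tmsh_transaction(partition, identifier, urlpath_cer, urlpath_key)
    # argv list means no local shell; the remote command is the fixed "tmsh -q".
    return subprocess.run(["ssh", host, "tmsh -q"], input=script,
                          text=True, capture_output=True, check=True)
```

Because the remote command line is now a constant, nothing caller-supplied is ever parsed by the remote shell; only tmsh reads the validated script.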