Big IQ and Let's Encrypt integration

I am trying to integrate Let's Encrypt for certificate automation, but we are facing an issue. On Big IQ we can connect to the Let's Encrypt server, but somehow we are not getting a certificate from Let's Encrypt. Do we need to create anything on the Let's Encrypt side?

2 Likes

Hi @Umeshm, welcome to the LE community forum :slight_smile:

Once obtained, an LE cert should work exactly as any other cert.
The main difference with "traditional" CAs is that LE certs can only be obtained by using the ACME protocol (and an ACME client).
That said, which ACME client are you trying to use?
Is there a guide that you are following?
Does Big IQ have a "how to" doc on this process?

But to answer your question:

In short, NO; the ACME client should handle it all for you.

2 Likes

I am trying with the DNS challenge, but somehow it's not working. I have added the following TXT records in AD and I can see this validation code output from any 3rd-party DNS checker website.

Domain: _acme-challenge.f5certtest.xyz.com
Verification code: o8szUqm83Qiz-RMlzX4GYaaIZOIRHx6K3nULStbLo78

Domain: _acme-challenge.www.f5certtest.xyz.com
Verification code: jk2vxiLpw-l_HPelDSF2KYK7K9LRcompfMq6_VIsihA

We are trying to reference this video for deployment.

Please suggest.

2 Likes

Yes, we have added the TXT record only. Here in the post I have changed my domain from the original to xyz.com.

I have tested with this link and I can see the value in the output.

2 Likes

I should have realized the example (and should probably contact xyz.com about their weird setup).

The values change every time you run the ACME client. If the challenges fail, you'll be given new ones each time.

1 Like

Right.

Is there any way we can check from the Let's Encrypt side where it's failing?

2 Likes

Somehow on Big IQ we are not seeing any status change.

2 Likes

You'll need to look at your local error logs. There will certainly be an indication of what's happening. It's quite possible that your DNS may not be propagating correctly or you have a DNSSEC problem.

Check here:

https://dnsviz.net/

1 Like

Can you please help me with how to read that output? What should I see in that output?

2 Likes

Is your AD DNS accessible from the Internet?
Is that your real domain name, "xyz.com"?
If not, then it won't be able to validate those authentication requests.
[even the LE staging environment requires real access to real FQDNs - there is no offline test cert system]

2 Likes

Yes, it's accessible from the Internet.
xyz is not the real domain name.

Also, in my DNS I have added my real domain name; just here in this community, for the public issue, I am using a fake one. I tested my TXT record over the Internet and it's working, but somehow on F5 Big IQ I am not getting a certificate.

1 Like

It is difficult for us to test or validate your statement without the real domain name.
And you should understand that all issued certificates, from all CAs, become public information.
So your FQDN will become public information soon enough.
Some people manage to stay hidden (a bit longer) by using wildcard certificates - maybe something that F5 BIG IQ can also do?
In the meantime, if you wish for anyone here to do any actual troubleshooting, you might want to provide the real FQDN (or at least send it via PM to those that request it - like myself).
I'm more than happy to help, but I don't have an F5 BIG IP device to test with, nor your FQDN to validate your claims of proper TXT records.

In the mean-meantime did you actually try validating the TXT records via public DNS systems?
Like:
nslookup -q=txt _acme-challenge.f5certtest.xyz.com 8.8.8.8

2 Likes

Thank you for your help

Is there any way I can send this info privately?

Also, are you from the Let's Encrypt tech team?

3 Likes

Yes, click on my picture and choose "message" to send a private message (PM) to me.

No, this is a community forum and, as my title reads, I'm one of the "Community leaders".

2 Likes

For all those that might be wondering...

Understand that LE techs are not here to directly support this forum; they are available to support those that do (as needed / when needed).
Otherwise, they are being paid to do more important work.
And this is by far one of the best support communities on the web today :slight_smile:

2 Likes

As per your message...

I find the response a bit funky looking:

_acme-challenge.f5certtest.[redacted].com   text =

        "0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY
"

It looks like there may be an added CR/LF being included at the end of the string.

2 Likes

Let me try

2 Likes

Something is there.
Here is an example test TXT I just created in AD DNS:

_acme-challenge.[redacted]    text =

        "this-IS_jusT-an-ex4mpLE_str1ng"

Third-party online tools might mask the problem by stripping out such irrelevant characters before displaying them on the web page.

Please try this internally (change the IP to one of your AD DNS servers):
nslookup -q=txt _acme-challenge.f5certtest.[redacted].com 192.168.1.1

2 Likes
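As an added example (not from this thread, nor from F5 or Let's Encrypt), here is a small Python checker that parses `nslookup -q=txt` output like the replies quoted above and flags the stray CR/LF, together with the shape check an ACME DNS-01 value must satisfy (a 43-character base64url string, per RFC 8555). The record name and the two sample outputs are constructed to mirror the "before" and "after" results in the thread.

```python
import re

# Shape of an ACME DNS-01 TXT value: base64url(SHA-256(key authorization)) is
# always 43 characters from the base64url alphabet, with no padding (RFC 8555).
B64URL_43 = re.compile(r"^[A-Za-z0-9_-]{43}$")

# nslookup -q=txt prints one "<name>   text =" header per record, followed by the
# quoted string(s); a quoted string spans lines if the record contains CR/LF.
_TOKEN = re.compile(r'(\S+)\s+text\s*=|"((?:[^"\\]|\\.)*)"')


def parse_nslookup_txt(output: str) -> dict:
    """Map each record name in nslookup output to its raw TXT strings.

    Quoted strings are kept verbatim, including any embedded CR/LF, so that
    a stray line ending inside the record survives for inspection."""
    records = {}
    current = None
    for m in _TOKEN.finditer(output):
        if m.group(1) is not None:
            current = m.group(1)
            records.setdefault(current, [])
        elif current is not None:
            records[current].append(m.group(2))
    return records


def check_challenge_txt(value: str) -> list:
    """Return the problems found in one TXT string (empty list means it looks valid)."""
    problems = []
    if "\r" in value or "\n" in value:
        problems.append("embedded CR/LF inside the TXT string")
    elif value != value.strip():
        problems.append("leading or trailing whitespace inside the TXT string")
    if not B64URL_43.match(value.strip()):
        problems.append("not a 43-char base64url token as ACME DNS-01 requires")
    return problems


def diagnose(output: str) -> dict:
    """Run the checks over every TXT string found in nslookup output."""
    return {name: [check_challenge_txt(v) for v in values]
            for name, values in parse_nslookup_txt(output).items()}


# Constructed sample output modelled on the two nslookup results quoted in the thread.
BAD_OUTPUT = ('_acme-challenge.f5certtest.example.com   text =\n\n'
              '        "0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY\n"\n')
GOOD_OUTPUT = ('_acme-challenge.f5certtest.example.com   text =\n\n'
               '        "0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY"\n')
```

Pipe the real `nslookup -q=txt <name> <your AD DNS IP>` output into `diagnose()`; a non-empty problem list for a record is the kind of defect web-based checkers tend to hide by trimming the value before display.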

Can you please check now ?

2 Likes

Much better:

_acme-challenge.f5certtest.[redacted].com   text =

        "0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY"

Sometimes things may look correct to the eye but computers don't have
:eyes:
[not yet!]

2 Likes