I am trying to integrate Let's Encrypt for certificate automation but we are facing an issue. On Big IQ we can connect to the Let's Encrypt server but somehow we are not getting a certificate from Let's Encrypt. Do we need to create anything on the Let's Encrypt side?
Hi @Umeshm, welcome to the LE community forum.
Once obtained, an LE cert should work exactly as any other cert.
The main difference with "traditional" CAs is that LE certs can only be obtained by using the ACME protocol (and an ACME client).
That said, which ACME client are you trying to use?
Is there a guide that you are following?
Does Big IQ have a "how to" doc on this process?
But to answer your question:
In short, NO; the ACME client should handle it all for you.
I am trying with the DNS challenge but somehow it's not working. I have added the following TXT records in AD and I can see this validation code output from any third-party DNS checker website.
Domain: _acme-challenge.f5certtest.xyz.com
Verification code: o8szUqm83Qiz-RMlzX4GYaaIZOIRHx6K3nULStbLo78
Domain: _acme-challenge.www.f5certtest.xyz.com
Verification code: jk2vxiLpw-l_HPelDSF2KYK7K9LRcompfMq6_VIsihA
We are trying to refer to this video for deployment.
Please suggest.
Yes, we have added the TXT record only. Here in the post I have changed my domain from the original to xyz.com.
I have tested with this link and I can see the value in the output.
I should have realized the example (and should probably contact xyz.com about their weird setup).
The values change every time you run the ACME client. If the challenges fail, you'll be given new ones each time.
Right.
Is there any way we can check from the Let's Encrypt side where it's failing?
Somehow on Big IQ we are not seeing any status change.
You'll need to look at your local error logs. There will certainly be an indication of what's happening. It's quite possible that your DNS may not be propagating correctly or you have a DNSSEC problem.
Check here:
Can you please help me with how to read that output? What should I see in that output?
Is your AD DNS accessible from the Internet?
Is that your real domain name, "xyz.com"?
If not, then it won't be able to validate those authentication requests.
[even the LE staging environment requires real access to real FQDNs - there is no offline test cert system]
Yes, it's accessible from the internet.
xyz is not the real domain name.
Also, in my DNS I have added my real domain name; just here in this community, for the public issue, I am using a fake one. I tested my TXT record over the internet and it's working, but somehow on F5 Big IQ I am not getting a certificate.
It is difficult for us to test or validate your statement without the real domain name.
And you should understand that all issued certificates, from all CAs, become public information.
So your FQDN will become public information soon enough.
Some people manage to keep hidden (a bit longer) by using wildcard certificates - maybe something that F5 BIG IQ can also do?
In the meantime, if you wish for anyone here to do any actual troubleshooting, you might want to provide the real FQDN (or at least send it via PM to those that request it - like myself).
I'm more than happy to help but I don't have an F5 BIG IP device to test with, nor your FQDN to validate your claims of proper TXT records.
In the mean-meantime did you actually try validating the TXT records via public DNS systems?
Like:
nslookup -q=txt _acme-challenge.f5certtest.xyz.com 8.8.8.8
Thank you for your help.
Is there any way I can send this info privately?
Also, are you from the Let's Encrypt tech team?
Yes, click on my picture and choose "message" to send a private message (PM) to me.
No, this is a community forum and, as my title reads, I'm one of the "Community leaders".
For all those that might be wondering...
Understand that LE techs are not here to directly support this forum; they are available to support those that do (as needed / when needed).
Otherwise, they are being paid to do more important work.
And this is by far one of the best support communities on the web today.
As per your message...
I find the response a bit funky looking:
_acme-challenge.f5certtest.[redacted].com text =
"0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY
"
It looks like there may be an added CR/LF being included at the end of the string.
Let me try.
Something is there.
Here is an example test TXT I just created in AD DNS:
_acme-challenge.[redacted] text =
"this-IS_jusT-an-ex4mpLE_str1ng"
Third-party online tools might mask the problem by stripping out such irrelevant characters before displaying them on the web page.
Please try this internally (change the IP to one of your AD DNS servers):
nslookup -q=txt _acme-challenge.f5certtest.[redacted].com 192.168.1.1
Can you please check now?
Much better:
_acme-challenge.f5certtest.[redacted].com text =
"0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY"
Sometimes things may look correct to the eye but computers don't have
[not yet!]
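The trailing CR/LF that nslookup exposed in this thread is exactly the kind of defect an automated check catches before the ACME client ever tries the challenge. As an added example (not code from the thread, F5 or Let's Encrypt), this Python snippet parses nslookup-style TXT output and flags any value that cannot be a valid DNS-01 token; the nslookup transcripts and the example.com name are constructed.

```python
import re

# An ACME DNS-01 TXT value is the base64url-encoded SHA-256 digest of the
# key authorization (RFC 8555 section 8.4): exactly 43 characters, no padding.
DNS01_VALUE = re.compile(r"[A-Za-z0-9_-]{43}")

# nslookup prints each TXT string as:   <name>  text = "<value>"
# A value that itself contains CR/LF pushes the closing quote onto the next
# line, so the match must be allowed to span lines (DOTALL).
NSLOOKUP_TXT = re.compile(r'text\s*=\s*"(.*?)"', re.DOTALL)


def check_acme_txt(value: str) -> list[str]:
    """Return the problems found in one TXT value; an empty list means OK."""
    problems = []
    if value != value.strip():
        problems.append("leading/trailing whitespace or CR/LF in value")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
        problems.append("control characters embedded in value")
    if not DNS01_VALUE.fullmatch(value.strip()):
        problems.append("not a 43-character base64url token")
    return problems


def parse_nslookup_txt(output: str) -> list[str]:
    """Extract the raw quoted TXT strings from `nslookup -q=txt` output."""
    return NSLOOKUP_TXT.findall(output)


def audit_nslookup(output: str) -> dict[str, list[str]]:
    """Map each TXT value (repr'd so a hidden CR/LF is visible) to its problems."""
    return {repr(v): check_acme_txt(v) for v in parse_nslookup_txt(output)}


# Constructed transcripts modelled on the thread: the broken record first,
# then the corrected one. The domain is a placeholder, not a real host.
BROKEN_OUTPUT = (
    "Server:  192.168.1.1\nAddress:  192.168.1.1#53\n\n"
    "_acme-challenge.f5certtest.example.com text =\n"
    '\t"0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY\n"\n'
)
FIXED_OUTPUT = (
    "_acme-challenge.f5certtest.example.com text =\n"
    '\t"0Uua_A3q1jPwOQjlMXpBAd3vGqCQZVyRmuZ7VjyVyFY"\n'
)

if __name__ == "__main__":
    for label, out in (("broken", BROKEN_OUTPUT), ("fixed", FIXED_OUTPUT)):
        for value, problems in audit_nslookup(out).items():
            print(f"{label}: {value} -> {problems or 'OK'}")
```

Run it against the output of `nslookup -q=txt _acme-challenge.<your-fqdn> <AD-DNS-IP>` piped into a file; any non-empty problem list means the record will not validate as-is.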