Certificate request/renew with F5 Load Balancer


#1

Hello all,

I want to know if you have any experience with implementing Let's Encrypt for servers behind an F5 BIG-IP Load Balancer.

I have read the article below: Certificates for Internal servers and servers behind load balancers

In addition, I found out that there is a script in the F5 forum with several files and rules to configure to achieve the automation. This is the forum article:


http://wiki.lnxgeek.org/doku.php/indexes:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip

I read the whole article, took a high-level look at the code and I have some questions. My goal is to clearly understand, step by step, the way to implement this.

Based on the article from lnxgeek.org, this is what I understand:

  1. Create a data group to contain the challenge-response values with the following command:
    tmsh create ltm data-group internal acme_responses type string
    1.1. Where should I execute this? Any prerequisites to execute it? I'm not keen on F5. I would appreciate some details on this.
  2. Create an iRule
    2.1. Where should I create the iRule within the F5 console?
  3. Client SSL Profiles
    3.1. How does this work? Should I create any object for this?
  4. Fill the domains.txt file with the domains for which you want to retrieve/renew a certificate
    4.1. If I need to create a brand new certificate for a farm of web servers, do I just add a brand new line to this domains.txt file like "mainDomain san1 san2…", one per line, and that's all?
    4.2. How does the renewal work here? I see that in the config file you can set the number of days before renewal.
  5. Customize your script with the config file
    5.1. Where should I put all these files: wrapper.sh, letsencrypt.sh, hook.sh, config? Inside any folder within F5?
  6. Execute wrapper.sh or directly letsencrypt.sh (with the -c parameter)
    6.1. How does the flow work? Does F5 pass the challenge to one specific web server to do the challenge/response, or does F5 itself carry this out?
    6.2. Does this script distribute the new certificate (request or renewal) to all the web servers in my farm?
    6.3. Does it have any support to automatically configure IIS/Apache or other web servers, or does it only get the certificate, leaving it up to the administrator to configure the certificate on each web server?
    6.4. Does this script have any limitations in terms of web server platforms, or is it independent?

Thanks in advance!!
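As an added illustration of the hook side of the flow asked about in 6.1 (this is example code, not the original page's or lnxgeek's hook.sh): a minimal dehydrated hook that writes each HTTP-01 key authorization into the acme_responses data group from step 1, so that the iRule on the BIG-IP can answer /.well-known/acme-challenge/<token> itself. The data group name is the one from the post; the ACME_DRY_RUN variable and the run_tmsh wrapper are assumptions of this example.

```shell
#!/bin/sh
# Example dehydrated hook for a BIG-IP (added example, not the original
# project's hook.sh). dehydrated invokes it as:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# TOKEN_FILENAME is the last path component of the challenge URL,
# TOKEN_VALUE is the key authorization the CA expects in the response body.
# Assumption: tmsh is on PATH when this runs on the BIG-IP; the data group
# is created once beforehand with the command shown in step 1.

DATAGROUP="${ACME_DATAGROUP:-acme_responses}"

# Run a tmsh command, or only print it when ACME_DRY_RUN=1 so the hook can
# be exercised off-box (assumed convention of this example).
run_tmsh() {
    if [ "${ACME_DRY_RUN:-0}" = "1" ]; then
        printf 'tmsh %s\n' "$*"
    else
        tmsh "$@"
    fi
}

# Store the key authorization under the token as the record key, which is
# exactly what an iRule looks up when it serves the challenge response.
deploy_challenge() {
    domain="$1"; token="$2"; keyauth="$3"
    run_tmsh modify ltm data-group internal "$DATAGROUP" \
        records add { "$token" { data "$keyauth" } }
}

# Remove the record again once the CA has validated the challenge, so the
# data group does not accumulate stale key authorizations.
clean_challenge() {
    domain="$1"; token="$2"
    run_tmsh modify ltm data-group internal "$DATAGROUP" \
        records delete { "$token" }
}

# Dispatch on the hook name dehydrated passes as the first argument; hooks
# this example does not implement (e.g. deploy_cert) are ignored.
if [ $# -gt 0 ]; then
    HANDLER="$1"; shift
    case "$HANDLER" in
        deploy_challenge|clean_challenge) "$HANDLER" "$@" ;;
    esac
fi
```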


#2

hi @fpeterson194

you are asking questions about F5, so these should be posted on the F5 development forum

iRules and the syntax described are particular to the F5 TMOS system

Create yourself an F5 Dev account so you can post on that forum.

I also suggest purchasing a $90 USD developer license so you can try this

It looks like this is a combination of the Dehydrated Linux client and some F5 specific commands.

Andrei


#3

@ahaw021 thanks for your response. I know this is more related to F5 than Let's Encrypt. I will ask in the F5 forum. I wanted to know if someone in the community might have some insights/experience on installing it.

Thanks


#4

it's something I am planning to do a write-up on in the next 3 months (F5, NetScaler, Radware and Kemp Technologies)

however, as it's a personal project I can't make any guarantees on time or whether I will do it at all :smiley:


#5

Hi @fpeterson194! I don’t have an F5, but I have a few questions that may help point you in the right direction:

  • Are you planning to terminate TLS at the F5, or at the servers behind the F5? I’d recommend the latter if you’re undecided.
  • Does your DNS provider have an API? I.e., is it feasible for you to use the ACME DNS challenge?

#6

@ahaw021 thanks for your efforts buddy! I received some insights in the F5 forum and I will start configuring it to see if I can get it implemented. You can take a look at the response they gave me there in the link I put above. Maybe this also helps in your implementation :slight_smile:


#7

Hi @jsha thanks very much for your response! I have both cases. Most of them will be terminated at the F5, but it will be encrypted again with our internal PKI. So the connection will be encrypted end to end anyway.
I will evaluate that too (about the DNS challenge). I am used to using the HTTP and TLS ones, but I will take a look at it too. I will get access to an F5 and will play a little with it before implementing in production. I received a response in the F5 forum that you can see in the link I put above. I will test that (they use the https://github.com/lukas2511/dehydrated implementation).
I will update once I have my testing done so I can contribute to the community too :slight_smile:


#8

yes, I am going to give this a go

there is now a lightboard on this as well, which is quite recent. Having a quick look at it, it seems simpler than some of the others. https://devcentral.f5.com/articles/lightboard-lessons-automating-ssl-on-big-ip-with-lets-encrypt-21475

AWS runs F5 for about $1 an hour so this gives me a play lab that is fairly cheap

I used to work with F5 quite a bit but don’t have an appliance that is handy to do testing

Andrei
