I want to know if you have any experience with implementing Let's Encrypt for servers behind an F5 BIG-IP load balancer.
I have read the article below: Certificates for Internal servers and servers behind load balancers
In addition, I found out that there is a script in the F5 forum with several files and rules to configure to achieve the automation. This is the forum article:
I read the whole article, took a high-level look at the code and I have some questions. My goal is to clearly understand, step by step, the way to implement this.
Based on the article from lnxgeek.org, this is what I understand:
1. Create a data group to contain the challenge-response values with the following command:
tmsh create ltm data-group internal acme_responses type string
1.1. Where should I execute this? Are there any prerequisites to execute it? I'm not keen on F5. I would appreciate some details on this.
2. Create an iRule
2.1. Where should I create the iRule within the F5 console?
3. Client SSL profiles
3.1. How does this work? Should I create any object for this?
4. Fill the domains.txt file with the domains for which you want to retrieve or renew a certificate
4.1. If I need to create a brand new certificate for a farm of web servers, do I just add a new line to this domains.txt file like "mainDomain san1 san2…", one per line, and that's all?
4.2. How does the renewal work here? I checked that in the config file you can set the number of days before renewal.
5. Customize your script with the config file
5.1. Where should I put all these files: wrapper.sh, letsencrypt.sh, hook.sh, config? Inside some folder on the F5?
6. Execute wrapper.sh, or letsencrypt.sh directly (with the -c parameter)
6.1. How does the flow work? Does F5 pass the challenge to one specific web server to do the challenge/response, or does F5 itself carry this out?
6.2. Does this script distribute the new certificate (requested or renewed) to all the web servers in my farm?
6.3. Does it have any support for automatically configuring IIS/Apache or other web servers, or does it only get the certificate, leaving it up to the administrator to configure the certificate on each web server?
6.4. Does this script have any limitations in terms of web server platforms, or is it platform-independent?
Thanks in advance!!
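An added example, not code from the lnxgeek.org article or the F5 forum script, modelling in Python the mechanism that steps 1, 2 and 6 of the post describe: the hook writes each challenge's response into the acme_responses data group (the name from the post), and an iRule-like check answers GET /.well-known/acme-challenge/<token> on the load balancer itself, so the request never has to reach a pool member. The function names deploy_challenge, clean_challenge and handle_request, and the JWK values in the demo, are assumptions of this example; the key-authorization format (token, a dot, then the RFC 7638 thumbprint of the account key) is what RFC 8555 section 8.1 specifies for HTTP-01.

```python
"""Added example (not the lnxgeek.org / F5 forum script): a model of the
HTTP-01 flow in which the load balancer answers the ACME challenge from a
data group, so back-end web servers never see the challenge request."""
import base64
import hashlib
import json

# Stand-in for `ltm data-group internal acme_responses` from the post:
# maps challenge token -> key authorization string.
acme_responses = {}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (sorted keys, no whitespace). Extra members such as
    "alg" or "kid" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# --- hook equivalents (hypothetical names; the real hook.sh is a shell script) ---

def deploy_challenge(token: str, keyauth: str) -> None:
    """Models the hook adding a record to the data group; on the BIG-IP this
    would be a `tmsh modify ltm data-group internal acme_responses records add`
    call rather than a dict assignment."""
    acme_responses[token] = keyauth


def clean_challenge(token: str) -> None:
    """Models the hook removing the record once validation is finished."""
    acme_responses.pop(token, None)


# --- iRule equivalent: decide per request whether the LB answers itself ---

def handle_request(method: str, path: str) -> tuple:
    """Returns (status, body) the load balancer sends itself, or (0, "pool")
    meaning 'forward to the web server pool as usual'."""
    if method == "GET" and path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        # ACME tokens are base64url; anything with a slash or empty is not ours.
        if token and "/" not in token:
            keyauth = acme_responses.get(token)
            if keyauth is not None:
                return 200, keyauth
        # Unknown token: fall through to the pool, which will normally 404.
    return 0, "pool"


if __name__ == "__main__":
    # Constructed sample values; not a real account key or a real token.
    sample_jwk = {"kty": "RSA", "n": "example-modulus", "e": "AQAB", "alg": "RS256"}
    sample_token = "constructed-token-123"
    ka = key_authorization(sample_token, sample_jwk)

    deploy_challenge(sample_token, ka)
    print(handle_request("GET", CHALLENGE_PREFIX + sample_token))  # (200, ka)
    print(handle_request("GET", CHALLENGE_PREFIX + "unknown"))     # (0, 'pool')
    print(handle_request("GET", "/index.html"))                    # (0, 'pool')
    clean_challenge(sample_token)
    print(handle_request("GET", CHALLENGE_PREFIX + sample_token))  # (0, 'pool')
```

The point the model makes visible is that only the deploy/clean step touches the BIG-IP data group; nothing in the flow places a file on any pool member, which is why the challenge works regardless of how many back-end servers sit behind the virtual server or what platform they run.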