In addition, I found out that there is a script in the F5 forum with several files and rules to configure to achieve the automation. This is the forum article:
I read the whole article, took a high-level look at the code and I have some questions. My goal is to clearly understand, step by step, the way to implement this.
Based on the article from lnxgeek.org, this is what I understand:
1. Create a data group to contain the challenge-response values with the following command:
tmsh create ltm data-group internal acme_responses type string
1.1. Where should I execute this? Are there any prerequisites to execute it? I'm not keen on F5. I would appreciate some details on this.
2. Create an iRule
2.1. Where should I create the iRule within the F5 console?
3. Client SSL Profiles
3.1. How does this work? Should I create any object for this?
4. Fill the domains.txt file with the domains for which you want to retrieve/renew a certificate
4.1. If I need to create a brand new certificate for a farm of web servers, do I just add a brand new line to this domains.txt file like “mainDomain san1 san2…”, one per line, and that's all?
4.2. How does the renewal work here? I saw that in the config file you can set the number of days before renewal.
5. Customize your script with the config file
5.1. Where should I put all these files: wrapper.sh, letsencrypt.sh, hook.sh, config? Inside some folder within F5?
6. Execute wrapper.sh, or letsencrypt.sh directly (with the -c parameter)
6.1. How does the flow work? Does F5 pass the challenge to one specific web server to do the challenge/response, or does F5 itself carry this out?
6.2. Does this script distribute the new certificate (request or renewal) to all the web servers in my farm?
6.3. Does it have any support to automatically configure IIS/Apache or other web servers, or does it only get the certificate, leaving it up to the administrator to configure the certificate on each web server?
6.4. Does this script have any limitations in terms of web server platforms, or is it independent of them?
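To make step 6.1 concrete, here is an added example of the kind of dehydrated hook that keeps the acme_responses data group in sync, so the BIG-IP itself (via the iRule) answers the HTTP-01 challenge and no backend web server is involved. It is not the lnxgeek.org script or the F5 forum code; it assumes the documented dehydrated hook calling convention (deploy_challenge/clean_challenge with domain, token filename and token value), that the iRule keys the data group by token filename, and it can be dry-run with TMSH=echo on a machine without tmsh.

```shell
#!/usr/bin/env bash
# Added example hook for dehydrated (not the thread's or the article's code).
# Assumed interface: dehydrated calls
#   hook.sh deploy_challenge <domain> <token_filename> <token_value>
#   hook.sh clean_challenge  <domain> <token_filename> <token_value>
# and the iRule answers GET /.well-known/acme-challenge/<token_filename>
# with the value stored under that key in the data group.
set -eu

DATA_GROUP="${DATA_GROUP:-acme_responses}"
TMSH="${TMSH:-tmsh}"   # set TMSH=echo to dry-run without a BIG-IP

# Only accept base64url characters plus '.', which is all an ACME token or
# key authorization can contain; anything else could mangle the tmsh record
# syntax, so it is rejected rather than passed through.
valid_acme_value() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the tmsh command (as one line) for a challenge phase.
build_tmsh_cmd() {
    phase="$1" token="$2" keyauth="${3:-}"
    valid_acme_value "$token" || return 1
    case "$phase" in
        deploy_challenge)
            valid_acme_value "$keyauth" || return 1
            printf 'modify ltm data-group internal %s records add { %s { data %s } }\n' \
                "$DATA_GROUP" "$token" "$keyauth" ;;
        clean_challenge)
            printf 'modify ltm data-group internal %s records delete { %s }\n' \
                "$DATA_GROUP" "$token" ;;
    esac
}

# Entry point: dehydrated passes the phase first, then its arguments.
# Phases this hook does not handle (deploy_cert, exit_hook, ...) are ignored.
hook_main() {
    phase="${1:-}"; domain="${2:-}"; token="${3:-}"; keyauth="${4:-}"
    case "$phase" in deploy_challenge|clean_challenge) ;; *) return 0 ;; esac
    cmd=$(build_tmsh_cmd "$phase" "$token" "$keyauth") \
        || { echo "rejected ACME value for $domain" >&2; return 1; }
    echo "[$phase] $domain -> data group $DATA_GROUP" >&2
    $TMSH $cmd
}

hook_main "$@"
```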
@ahaw021 thanks for your response. I know this is more related to F5 than Let's Encrypt. I will ask in the F5 forum. I wanted to know if someone in the community might have some insights/experience on installing it.
@ahaw021 thanks for your efforts buddy! I received some insights in the F5 forum and I will start configuring it to see if I can get it implemented. You can take a look at the response they gave me there in the link I put above. Maybe this also helps in your implementation.
Hi @jsha, thanks very much for your response! I have both cases. Most of them will be terminated in the F5, but it will be encrypted again with our internal PKI. So the connection will be encrypted end to end anyway.
I will evaluate that too (the DNS challenge). I'm used to using the HTTP and TLS ones, but I will take a look at it too. I will get access to an F5 and will play a little with it before implementing in production. I received a response in the F5 forum that you can see in the link I put above. I will test that (they use the https://github.com/lukas2511/dehydrated implementation).
I will update once I have my testing done so I can contribute to the community too.