f5-appsvcs-extension

Unable to patch the multiple certificates to existing virtual server

Open iarvi opened this issue 4 years ago • 16 comments

Environment

  • Application Services Version: 3.30
  • BIG-IP Version: 16.0.1.1

Summary

I am trying to add multiple certificates to the BIG-IP through an AS3 patch; however, the certificates are not applied to the existing virtual server.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:

{
  "class": "AS3",
  "action": "patch",
  "patchBody": [
    {
      "op": "add",
      "path": "/tenant/Application/front-cert",
      "value": {
        "class": "TLS_Server",
        "certificates": [
          {
            "certificate": "frontend-cert"
          }
        ],
        "ciphers": "DEFAULT"
      }
    },
    {
      "op": "add",
      "path": "/tenant/Application/frontend-cert",
      "value": {
        "class": "Certificate",
        "certificate": "-----BEGIN CERTIFICATE-----ffddedddd---END CERTIFICATE-----\n",
        "privateKey": "-----BEGIN PRIVATE KEY-----ffdddeeessddd-----END PRIVATE KEY-----\n"
      },
      "Application": {
        "class": "Application",
        "private-vip-0.4": {
          "layer4": "tcp",
          "class": "Service_HTTPS",
          "serverTLS": "front-cert",
          "shareAddresses": true,
          "virtualAddresses": [
            "192.168.1.x"
          ]
        }
      }
    }
  ]
}

  2. Observe the following error response: there are no errors in the declaration response; I could see a success message.

Expected Behavior

The TLS Profile along with certificate should be applied to the existing virtual server.

Actual Behavior

I could see that the certificate and SSL profiles are created in BIG-IP; however, it's not applied to the existing virtual server.

Note: I guess that, by default, the "default SSL profile for SNI" parameter is enabled in the TLS_Server profile; due to this, the new TLS profile is not associated. Looks like it's enabled by default.

Let me know if you need any other information on this.

iarvi avatar Sep 07 '21 17:09 iarvi

[screenshot] This is the error I get when I try to apply the SSL profile manually to the virtual server. The workaround is to disable the default SNI from the SSL Profile. [screenshot] Could this be the reason why the SSL Profile is not applied to the virtual server through AS3?

iarvi avatar Sep 08 '21 11:09 iarvi

@iarvi Can you please provide an example of your initial declaration before patching?

dstokesf5 avatar Sep 09 '21 17:09 dstokesf5

Hi @dstokesf5, please find below the initial declaration:

{
    "class": "ADC",
    "schemaVersion": "3.30.0",
    "id": "1.0.0",
    "MyPartition": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "forward_policy_fa7c194c": {
                "class": "Endpoint_Policy",
                "rules": [
                    {
                        "name": "to_pool-fa7c194c",
                        "conditions": [
                            {
                                "type": "httpHeader",
                                "name": "host",
                                "event": "request",
                                "all": {
                                    "values": [
                                        "ext-range.demo.info"
                                    ],
                                    "operand": "equals"
                                }
                            }
                        ],
                        "actions": [
                            {
                                "type": "forward",
                                "event": "request",
                                "select": {
                                    "pool": {
                                        "use": "LB-POOL-fa7c194c"
                                    }
                                }
                            }
                        ]
                    }
                ]
            },
            "LB-POOL-fa7c194c": {
                "members": [
                    {
                        "autoPopulate": true,
                        "queryInterval": 10,
                        "fqdnPrefix": "node-",
                        "name": "LB-POOL-fa7c194c",
                        "addressDiscovery": "fqdn",
                        "hostname": "da7c554-us-east.lb.appdomain.cloud",
                        "servicePort": 443,
                        "shareNodes": true
                    }
                ],
                "monitors": [
                    "tcp"
                ],
                "class": "Pool",
                "loadBalancingMode": "round-robin"
            },
            "private-vip-0.4": {
                "layer4": "tcp",
                "pool": "LB-POOL-fa7c194c",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "serverTLS": "demo.info",
                "clientTLS": "backendcert",
                "redirect80": false,
                "shareAddresses": true,
                "virtualAddresses": [
                    "10.1.0.4"
                ],
                "policyWAF": {
                    "use": "wafPolicy"
                },
                "policyEndpoint": {
                    "use": "forward_policy_fa7c194c"
                },
                "persistenceMethods": [],
                "snat": "auto",
                "allowVlans": [
                    "net_1_2"
                ]
            },
            "wafPolicy": {
                "class": "WAF_Policy",
                "policy": {
                    "base64": <base64policy>
                }
            },
            "backendcert": {
                "trustCA": {
                    "use": "backend-intermediate"
                },
                "validateCertificate": true,
                "retainCertificateEnabled": false,
                "class": "TLS_Client"
            },
            "backend-intermediate": {
                "class": "CA_Bundle",
                "remark": "Backend intermediate",
                "bundle": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
            },
            "demo.info": {
                "certificates": [
                    {
                        "certificate": "frontend-demo.info"
                    }
                ],
                "ciphers": "DEFAULT",
                "class": "TLS_Server"
            },
            "frontend-demo.info": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n",
                "privateKey": "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"
            }
        }
    }
}

iarvi avatar Sep 13 '21 07:09 iarvi

Are you trying to replace the frontend-demo.info certificate with frontend-cert, or are you trying to use both of them?

dstokesf5 avatar Sep 13 '21 20:09 dstokesf5

I am trying to use both of them, basically adding another certificate to the same virtual server.

iarvi avatar Sep 14 '21 07:09 iarvi

I am also trying to add multiple policies to the same virtual server and hitting the same issue. Not sure whether that requires a new bug, though.

iarvi avatar Sep 14 '21 12:09 iarvi

I believe in your case you want to add the new certificate to your existing TLS_Server declaration:

{
    "class": "AS3",
    "action": "patch",
    "patchBody": [
        {
            "op": "add",
            "path": "/MyPartition/Application/demo.info/certificates/-",
            "value": {
                "certificate": "frontend-cert"
            }
        },
        {
            "op": "add",
            "path": "/MyPartition/Application/frontend-cert",
            "value": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                }
            }
        }
    ]
}

Does this example help you with your use case?

dstokesf5 avatar Sep 15 '21 18:09 dstokesf5

Hi @dstokesf5, this adds the certificate to the existing TLS_Server profile, but what if I want to create a different profile itself? Is that a limitation? The reason I wanted to do that is to differentiate different client domains. Consider one is example.com and the other is mydomain.com; so instead of adding the certs to the same profile, I would like to create two different profiles for better handling. Let me know if you have any thoughts on this.

iarvi avatar Sep 16 '21 13:09 iarvi

Since the main use case for multiple ssl profiles was to attach multiple certificates, it was decided that AS3 would try to simplify this workflow by allowing you to attach multiple certificates to TLS_Client and TLS_Server classes. However, as a result of this decision, which was made before my time on the project, you are unable to use multiple TLS_Client or TLS_Server classes on an AS3 Service.

Does this answer your question?

dstokesf5 avatar Sep 16 '21 15:09 dstokesf5

OK, so I understand this is by design. Is the same design applicable to other classes as well? For example, if I want to support multiple backend servers on the existing virtual server, should I be adding the different server addresses to the same pool instead of adding different pools?

iarvi avatar Sep 16 '21 16:09 iarvi

Yes.

dstokesf5 avatar Sep 16 '21 16:09 dstokesf5

How do I patch additional TLS_Client certificates? This is the declaration part; I would need to add more such backend certs.

"backendcert": {
    "trustCA": {
        "use": "backend-intermediate"
    },
    "validateCertificate": true,
    "retainCertificateEnabled": false,
    "class": "TLS_Client"
},
"backend-intermediate": {
    "class": "CA_Bundle",
    "remark": "Backend intermediate",
    "bundle": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
}

iarvi avatar Sep 17 '21 13:09 iarvi

I tried the patch below, but again this is not working.

{
    "class": "AS3",
    "schemaVersion": "3.30.0",
    "action": "patch",
    "patchBody": [
        {
            "op": "add",
            "path": "/MyPartition/Application/backend-intermediate/trustCA",
            "value": {
                "use": "np10-aem-dev-intermediate"
            }
        },
        {
            "op": "add",
            "path": "/MyPartition/Application/np10-dev-intermediate",
            "value": {
                "class": "CA_Bundle",
                "remark": "Backend intermediate",
                "bundle": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
            }
        }
    ]
}

iarvi avatar Sep 20 '21 09:09 iarvi

After reviewing the schema, I do not think it is possible to attach multiple bundles to one TLS_Client object. The API likely expects a user to update the CA_Bundle.bundle property to contain all desired certificates. Unfortunately I do not know if there is a good way to do that with a PATCH operation without knowing all of the desired certificates at the same time.

I am reaching out to the developers to see if they have any additional suggestions.

dstokesf5 avatar Sep 21 '21 21:09 dstokesf5
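As an added example (not code from this thread, from AS3, or from F5), the Python below applies the JSON Patch "add" with a trailing "-" that the Sep 15 reply uses to append a certificate to an existing TLS_Server, then checks offline that every certificate a TLS_Server references resolves to a Certificate object in the same Application before the declaration is posted; it also builds the "replace" on CA_Bundle.bundle that the comment above describes for adding a further CA to a TLS_Client. DECL is a constructed slice of the initial declaration posted above with placeholder PEM bodies, and apply_patch, dangling_refs and bundle_replace_op are assumed helpers, not AS3's own validator.

```python
import json

# Constructed minimal slice of the initial declaration posted in this thread
# (only the objects the patch touches); PEM bodies are placeholders.
DECL = {"MyPartition": {"class": "Tenant", "Application": {
    "class": "Application",
    "demo.info": {"class": "TLS_Server", "ciphers": "DEFAULT",
                  "certificates": [{"certificate": "frontend-demo.info"}]},
    "frontend-demo.info": {"class": "Certificate"},
    "backendcert": {"class": "TLS_Client", "trustCA": {"use": "backend-intermediate"}},
    "backend-intermediate": {"class": "CA_Bundle",
                             "bundle": "-----BEGIN CERTIFICATE-----\nAAA\n-----END CERTIFICATE-----\n"},
}}}

def _resolve(doc, tokens):
    """Walk a JSON Pointer token list (list indices are numeric strings)."""
    for t in tokens:
        doc = doc[int(t)] if isinstance(doc, list) else doc[t]
    return doc

def apply_patch(doc, ops):
    """Apply RFC 6902 'add'/'replace' ops; a trailing '-' appends to an array."""
    doc = json.loads(json.dumps(doc))          # never mutate the caller's declaration
    for op in ops:
        *parents, last = op["path"].split("/")[1:]
        target = _resolve(doc, parents)
        if isinstance(target, list):
            idx = len(target) if last == "-" else int(last)
            if op["op"] == "add":
                target.insert(idx, op["value"])
            else:
                target[idx] = op["value"]
        else:
            target[last] = op["value"]
    return doc

def dangling_refs(app):
    """(TLS_Server name, cert name) pairs whose cert has no Certificate object in the Application."""
    bad = []
    for name, obj in app.items():
        if isinstance(obj, dict) and obj.get("class") == "TLS_Server":
            for c in obj.get("certificates", []):
                if app.get(c["certificate"], {}).get("class") != "Certificate":
                    bad.append((name, c["certificate"]))
    return bad

def bundle_replace_op(app, bundle_name, new_pem):
    """One TLS_Client takes one CA_Bundle, so a further CA is appended to bundle via 'replace'."""
    return {"op": "replace", "path": f"/MyPartition/Application/{bundle_name}/bundle",
            "value": app[bundle_name]["bundle"] + new_pem}
```

Running dangling_refs on the patched result before posting catches a reference to a Certificate object that the patch never created, which the AS3 success response in this thread did not surface.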

Thanks @dstokesf5. Do you have any timeline for when this feature will be available for us?

iarvi avatar Nov 30 '21 07:11 iarvi

There is still no timeline on when this feature request will be worked on.

dstokesf5 avatar Dec 02 '21 19:12 dstokesf5

If you are still looking for this feature, please reach out to us at [email protected] in order to prioritize.

sunitharonan avatar Oct 25 '22 19:10 sunitharonan

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

github-actions[bot] avatar Nov 24 '22 20:11 github-actions[bot]