f5-appsvcs-extension
AS3 3.44.0 - ChainCA invalid x509 - Certificate-bundle.crt
Dear people,
Environment
- Application Services Version: 3.44.0
- BIG-IP Version: BIG-IP 17.1.1.3 Build 0.0.5 Point Release 3
- Deploying through BIG-IQ to my F5 BIG-IP
Summary
It looks like when an AS3 declaration sets `chainCA` (e.g. `"chainCA": "MyIntermediateCertificate"`), deployment fails with an "invalid x509 file" error. The error complains about an object named `Certificate-bundle.crt`, which is not a file I uploaded and is not one of the default BIG-IP bundle files listed below; since the Certificate class object in my declaration is named `Certificate`, `Certificate-bundle.crt` looks like a name derived by AS3 itself (presumably the chain bundle it builds from `chainCA`). My certificate is signed by a public CA; I also tried a certificate from another CA (VeriSign) and got the same error.
If I remove `chainCA` from the declaration, the AS3 deployment works properly.
Contents of the certificate store on the target BIG-IP (none of these is the `Certificate-bundle.crt` named in the error):

$ pwd
/config/ssl/ssl.crt
$ ls -lh
total 3.5M
-rw-r--r--. 1 root root 3.5M Mar 21  2024 ca-bundle.crt
-rw-r--r--. 1 root root 1.4K Aug 20 12:41 default.crt
-rw-------. 1 root root 1.3K Aug 26 17:47 dtca-bundle.crt
-rw-------. 1 root root 1.3K Aug 26 17:47 dtca.crt
-rw-------. 1 root root 1.3K Aug 26 17:47 dtdi.crt
-rw-r--r--. 1 root root 2.0K Oct 28 11:21 f5_api_com.crt
-rw-r--r--. 1 root root 2.2K Mar 21  2024 f5-ca-bundle.crt
-rw-r--r--. 1 root root 1.7K Mar 21  2024 f5-irule.crt
When I configure the same client-SSL profile with the same certificate, key and intermediate chain through the BIG-IP GUI, it works properly.
Steps To Reproduce
Steps to reproduce the behavior:
- Submit the following declaration:
{
"class": "AS3",
"schemaVersion": "3.44.0",
"action": "patch",
"patchBody": [
{
"class": "ADC",
"target": {
"address": "X.X.X.X"
},
"op": "add",
"path": "/Automation/APP_TEST_1.2.12.140_446",
"value": {
"class": "Application",
"remark": "REFERENCE : NULL_REFERENCE_20241108140113",
"schemaOverlay": "AS3-F5-HTTPS-offload-lb-existing-cert-template-big-iq-default-v2",
"template": "https",
"serviceMain": {
"pool": "HTTPS_443_pool",
"enable": true,
"serverTLS": "HTTPS_443_client_ssl",
"virtualPort": 446,
"profileAnalytics": {
"use": "Analytics_Profile"
},
"virtualAddresses": [
"1.2.12.140"
],
"persistenceMethods": [],
"class": "Service_HTTPS"
},
"HTTPS_443_pool": {
"members": [
{
"adminState": "enable",
"servicePort": 443,
"serverAddresses": [
"1.2.12.10"
]
}
],
"monitors": [
{
"use": "HTTPS_443_monitor"
}
],
"loadBalancingMode": "least-connections-member",
"class": "Pool"
},
"HTTPS_443_monitor": {
"send": "GET /\r\n",
"receive": "none",
"receiveDown": "",
"adaptiveWindow": 180,
"adaptiveLimitMilliseconds": 1000,
"adaptiveDivergencePercentage": 100,
"adaptiveDivergenceMilliseconds": 500,
"class": "Monitor"
},
"HTTPS_443_client_ssl": {
"certificates": [
{
"certificate": "Certificate"
}
],
"class": "TLS_Server"
},
"Certificate": {
"certificate": {
"bigip": "/Common/certif_customer.crt"
},
"chainCA": "/Common/intermediate.crt",
"privateKey": {
"bigip": "/Common/certif_customer.key"
},
"pkcs12Options": {
"keyImportFormat": "pkcs8"
},
"class": "Certificate"
},
"Analytics_Profile": {
"collectIp": false,
"collectGeo": false,
"collectUrl": false,
"collectMethod": false,
"collectUserAgent": false,
"collectOsAndBrowser": false,
"collectPageLoadTime": false,
"collectResponseCode": true,
"collectClientSideStatistics": true,
"class": "Analytics_Profile"
}
}
}
]
}
- Observe the following error response:
"as3_response": {
"content": "{\"code\":422,\"message\":\"**status:422**, body:{\\\"results\\\":[{\\\"message\\\":\\\"Failed to send declaration: /declare failed with status of 422, ****declaration failed 01070712:3: unable to validate certificate, invalid x509 file**** (/Automation/APP_TEST_1.2.12.140_446/Certificate-bundle.crt)
Expected Behavior
The AS3 declaration should deploy, producing a client-SSL (TLS_Server) profile whose certificate is served together with the intermediate chain given in `chainCA`.
Actual Behavior
422 due to "invalid x509 file" on `Certificate-bundle.crt`. One thing worth checking: in the declaration, `certificate` and `privateKey` reference existing BIG-IP objects via `{ "bigip": "/Common/..." }`, whereas `chainCA` is given as the bare string `"/Common/intermediate.crt"`. If the Certificate class schema treats a bare string in `chainCA` as inline PEM text rather than as a reference to an existing object, AS3 would try to install the literal path string as the chain bundle (the `Certificate-bundle.crt` object), which would fail with exactly this "invalid x509 file" error. So `"chainCA": { "bigip": "/Common/intermediate.crt" }` may be the intended form — to be confirmed against the AS3 3.44 schema reference for the Certificate class, and against the schemaVersion BIG-IQ actually emits (see below).
Sorry for the misunderstanding:
it looks like BIG-IQ is running AS3 3.44.0: `curl -sk -H "Content-Type: application/json" -H "X-F5-Auth-Token: $TOKEN" -X GET "https://$BIGIQ_MGMT/mgmt/shared/appsvcs/info"` returns `{"version":"3.44.0","release":"3","schemaCurrent":"3.44.0","schemaMinimum":"3.0.0"}`. (Side note: `-k` disables TLS certificate verification for the BIG-IQ management endpoint; acceptable for a quick lab check, but the auth token should not be sent over an unverified connection in production.)
My F5 BIG-IP target :
pwd
/var/config/rest/iapps/f5-appsvcs
cat version
3.44.0-3
But the declaration BIG-IQ actually sends to the BIG-IP carries a different version: `"schemaVersion": "3.12.0"`. Note that the example below was generated from the `tcp` template and contains no `Certificate` class, so it does not exercise `chainCA` at all; the relevant point is that BIG-IQ appears to pin generated declarations to schemaVersion 3.12.0 rather than 3.44.0, which would determine which forms of `chainCA` (inline PEM string vs. `{ "bigip": ... }` reference) the schema accepts for the HTTPS template deployment.
{ "id": "autogen_a4c95a0f-13e3-4078-92c3-3a8e6ea6f10c", "class": "ADC", "controls": { "class": "Controls", "userAgent": "BIG-IQ/8.3 Configured by API" }, "Automation": { "class": "Tenant", "APP_TEST_1.2.12.139_446": { "class": "Application", "remark": "REFERENCE : NULL_REFERENCE_20241109201819", "template": "tcp", "serviceMain": { "pool": "/Automation/APP_TEST_1.2.12.139_446/HTTPS_443_pool", "class": "Service_TCP", "enable": true, "profileTCP": { "use": "/Automation/APP_TEST_1.2.12.139_446/HTTPS_443_tcp_profile" }, "virtualPort": 446, "virtualAddresses": [ "1.2.12.139" ], "persistenceMethods": [ "source-address" ], "profileAnalyticsTcp": { "use": "/Automation/APP_TEST_1.2.12.139_446/Analytics_TCP_Profile" } }, "HTTPS_443_pool": { "class": "Pool", "members": [ { "adminState": "enable", "shareNodes": true, "servicePort": 443, "serverAddresses": [ "1.2.12.13" ] } ], "monitors": [ { "use": "/Automation/APP_TEST_1.2.12.139_446/HTTPS_443_monitor" } ], "loadBalancingMode": "least-connections-member" }, "HTTPS_443_monitor": { "send": "GET /\r\n", "class": "Monitor", "receive": "none", "targetPort": 443, "monitorType": "http", "adaptiveWindow": 180, "adaptiveLimitMilliseconds": 1000, "adaptiveDivergencePercentage": 100 }, "Analytics_TCP_Profile": { "class": "Analytics_TCP_Profile", "collectCity": false, "collectRegion": true, "collectCountry": true, "collectNexthop": false, "collectPostCode": false, "collectContinent": true, "collectRemoteHostIp": false, "collectedByClientSide": true, "collectedByServerSide": true, "collectRemoteHostSubnet": true }, "HTTPS_443_tcp_profile": { "class": "TCP_Profile", "synMaxRetrans": 3, "finWaitTimeout": 5 } } }, "updateMode": "selective", "schemaVersion": "3.12.0" }