
AS3 Declaration Error: Duplicate OCSP Stapler Configuration on second submission of Certificate with OCSP Stapler configured

Open emze9 opened this issue 6 months ago • 4 comments

Environment

  • Application Services Version: 3.54.0
  • BIG-IP Version: 17.1.2.1

Summary

Getting an error when submitting, for the second time, an AS3 declaration containing a certificate/key pair with an OCSP stapler configured.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
{
    "action": "deploy",
    "class": "AS3",
    "controls": {
        "logLevel": "error",
        "trace": false,
        "traceResponse": false
    },
    "declaration": {
        "test": {
            "Shared": {
                "ca-digicert-g2": {
                    "certificate": "-----BEGIN CERTIFICATE-----\nMIIF1DCCBLygAwIBAgIQBk+E/3kfpnbynPNlN6J0njANBgkqhkiG9w0BAQwFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\nMjAeFw0yMjA5MTkwMDAwMDBaFw0zMjA5MTgyMzU5NTlaMGUxCzAJBgNVBAYTAklF\nMSEwHwYDVQQKExhEaWdpQ2VydCBJcmVsYW5kIExpbWl0ZWQxMzAxBgNVBAMTKkRp\nZ2lDZXJ0IEcyIFRMUyBFVSBSU0E0MDk2IFNIQTM4NCAyMDIyIENBMTCCAiIwDQYJ\nKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN4iiUwFRU3M4Ybw83MDTNpV49ks4gHZ\neFKbAw3CFAG5OLvVEZXaO2UFlikNK6pyHAH9c7vO19t7VF3lA2c0Y0MNhHcKRkYc\nfGKPffhcDaV5lKtE/azrbatl9Mpc/X+sG/0EjOLUDRGldG4EANSNFKlPN0nhGtp2\nrEDe24v9IFE7wAlu9cPkgE+CDNT3vauSGhThbP34twARP5s10zmUqqi63ZAS3jhJ\nKV41aI84Mc/jrg2o4aYKGhUBrSMu0XT4Q7D3aMIv1s44BrhbNpRrFwjw+frzu3Bz\nS/kp2ymdmeCX7EgZr2OKTCxdY0zkxsgt5TxQIAuWJIDSWC6SYtf+DYP7M4j5kVRM\nM4aEVuDcKxLlR9r+lJWBbQ025PAtph+wsW2Uqsnl2gjv5da3t+H2fABZ3k7HyYRJ\ns6CAdqygQT1cuTIuJAQChlLW+9ewa0S+Ny4zV9U7K2xH5DWe3xsWzusHWBADmB+J\njwPShK1sQeOfMtz2VMLIXbbk5ktW4qjJc7TUqx6oqiymRsc1ftAmr92n+pZY01Ww\nqx9AigmvaSwpsBoMxJJWPz4x/L1BY7TQ7bxYC/1QUEFp3LL6B+O1wienOVX570v+\ngh/0HcFLSb7c+SAThCu9ZamrPsfqUhJiX0mX2xLKXXAYE1090iweqPJLSS4w39YS\nRw/XLWMGwhbvAgMBAAGjggGCMIIBfjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud\nDgQWBBQYieev8Cj2fMpoBVLhYtiR1hZlYDAfBgNVHSMEGDAWgBROIlQgGJXm427m\nD/r6uRLtBhePOTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\nCCsGAQUFBwMCMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29j\nc3AuZGlnaWNlcnQuY29tMEAGCCsGAQUFBzAChjRodHRwOi8vY2FjZXJ0cy5kaWdp\nY2VydC5jb20vRGlnaUNlcnRHbG9iYWxSb290RzIuY3J0MEIGA1UdHwQ7MDkwN6A1\noDOGMWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RH\nMi5jcmwwPQYDVR0gBDYwNDALBglghkgBhv1sAgEwBwYFZ4EMAQEwCAYGZ4EMAQIB\nMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQEMBQADggEBAEQOjk9D1gf8\njJfOqSjbuuYCy3hdaFZwfi3kfhGaFoT5V5nhu2cnruBw1KREgawfxi7xcLwBaQbq\nRBGchvqPSfRboGU1qYmhUyo2el2wCLWXgVJxuy1PSW2cPIN3MYo0y8XDo78cVlw0\neZs2z8F8W8AkGqhjhVCrOoL1+gPrzO3b0akjzeGGtihbwDpH7/EH0o1ZkcdZYhUy\nHubnWq/LYupz26kZVQMHuaSgYPhnI6gsBk4A0Mz+JnMEf+nAXu9oeXZiFPFV5omz\nQUMeo5mz+K3ERI45CtB38aoCxMuvgIpw1Db7vzFWV/8e/T/hhJCnnApirbqJU42B\nJ+sOZ9FoWLo=\n-----END CERTIFICATE-----\n",
                    "class": "Certificate"
                },
                "cert-xxx": {
                    "certificate": "xxx",
                    "class": "Certificate",
                    "issuerCertificate": {
                        "use": "ca-digicert-g2"
                    },
                    "passphrase": {
                        "ciphertext": "xxx",
                        "protected": "xxx"
                    },
                    "privateKey": "xxx",
                    "staplerOCSP": {
                        "use": "ocsp-digicert"
                    }
                },
                "ocsp-digicert": {
                    "class": "Certificate_Validator_OCSP",
                    "dnsResolver": {
                        "bigip": "/Common/LocalDNS"
                    },
                    "responderUrl": "http://ocsp.digicert.eu",
                    "signingHashAlgorithm": "sha1"
                },
                "template": "shared"
            },
            "class": "Tenant"
        },
        "class": "ADC",
        "id": "urn:uuid:ef5015d5-5662-4f07-9413-4aa9fd2dfaa9",
        "schemaVersion": "3.54.0"
    },
    "persist": true
}
  2. Observe the following error response:
{
    "code": 422,
    "declarationId": "urn:uuid:ef5015d5-5662-4f07-9413-4aa9fd2dfaa9",
    "host": "localhost",
    "message": "declaration failed",
    "response": "01020066:3: The requested Join Certificate Validator (/test/Shared/cert-xxx.crt /test/Shared/ocsp-digicert) already exists in partition test.",
    "runTime": 10653,
    "tenant": "test"
}

Expected Behavior

{
    "code": 200,
    "declarationId": "urn:uuid:9b08c009-7d34-45d1-84d7-5b07539ec89e",
    "host": "localhost",
    "lineCount": 5884,
    "message": "success",
    "runTime": 11757,
    "tenant": "test"
}

Actual Behavior

The first time the AS3 declaration is submitted, the certificate is created with the OCSP stapler configured. If I submit the same declaration a second time, I get the error.

emze9, Jun 02 '25 13:06

Could you please try dryRun and see the difference?
"controls": { "class": "Controls", "trace": true, "logLevel": "debug", "traceResponse": true, "dryRun": true }

sunitharonan, Jun 05 '25 15:06

Hi,

Exact same behavior with dryRun.

Thanks in advance.

emze9, Jun 06 '25 09:06

Hi, did you manage to reproduce the issue?

Thanks in advance.

emze9, Jun 20 '25 08:06

> Could you please try dryRun and see the difference?
> "controls": { "class": "Controls", "trace": true, "logLevel": "debug", "traceResponse": true, "dryRun": true }

To be exact, if I run with dryRun multiple times I have no issue. But if I run without dryRun the first time and then with dryRun, I have the issue.

emze9, Jun 27 '25 09:06

Hi, I figured out that the issue appears with at least two certificates in the declaration. In the previous example, I was sending the declaration with the certificate already present on the tenant / partition, so the error was triggered.

But with a clean partition, I managed to reproduce the issue in AS3 3.11 to 3.54 only with at least two certificates in the declaration:

{
    "action": "deploy",
    "class": "AS3",
    "controls": {
        "dryRun": false,
        "logLevel": "error",
        "trace": false,
        "traceResponse": false
    },
    "declaration": {
        "test": {
            "Shared": {
                "ahaxf5": {
                    "certificate": "-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n",
                    "class": "Certificate",
                    "issuerCertificate": {
                        "use": "cadigicert"
                    },
                    "passphrase": {
                        "ciphertext": "xxxx",
                        "protected": "xxxx"
                    },
                    "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nxxxx\n-----END ENCRYPTED PRIVATE KEY-----\n",
                    "staplerOCSP": {
                        "use": "test"
                    }
                },
                "cadigicert": {
                    "certificate": "-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n",
                    "class": "Certificate"
                },
                "class": "Application",
                "publicsite": {
                    "certificate": "-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n",
                    "class": "Certificate",
                    "issuerCertificate": {
                        "use": "cadigicert"
                    },
                    "passphrase": {
                        "ciphertext": "xxxx",
                        "protected": "xxxx"
                    },
                    "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nxxxx\n-----END ENCRYPTED PRIVATE KEY-----\n",
                    "staplerOCSP": {
                        "use": "test"
                    }
                },
                "template": "shared",
                "test": {
                    "class": "Certificate_Validator_OCSP",
                    "dnsResolver": {
                        "bigip": "/Common/LocalDNS"
                    },
                    "responderUrl": "http://ocsp.digicert.eu",
                    "signingHashAlgorithm": "sha1"
                }
            },
            "class": "Tenant"
        },
        "class": "ADC",
        "id": "urn:uuid:880df9c6-dc55-4e94-afe9-6bf39d0ddc11",
        "schemaVersion": "3.11.0",
        "updateMode": "selective"
    },
    "persist": true
}

emze9, Jul 01 '25 12:07
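As an added example (not the project's code and not the reporter's), a small Python pre-flight check that walks an AS3 declaration and reports every Certificate_Validator_OCSP referenced by two or more Certificate objects in the same application, the combination the last comment identifies as the trigger for the "Join Certificate Validator already exists" error. The sample declaration is constructed with "xxxx" placeholders in place of real PEM material; a real declaration loaded with json.load can be passed in the same way.

```python
import json
from collections import defaultdict

# Constructed sample mirroring the reporter's second declaration
# (two certificates, one shared OCSP validator); PEM values are placeholders.
SAMPLE = {
    "class": "AS3", "action": "deploy",
    "declaration": {
        "class": "ADC", "schemaVersion": "3.54.0",
        "test": {
            "class": "Tenant",
            "Shared": {
                "class": "Application", "template": "shared",
                "cadigicert": {"class": "Certificate", "certificate": "xxxx"},
                "ahaxf5": {"class": "Certificate", "certificate": "xxxx", "privateKey": "xxxx",
                           "issuerCertificate": {"use": "cadigicert"}, "staplerOCSP": {"use": "test"}},
                "publicsite": {"class": "Certificate", "certificate": "xxxx", "privateKey": "xxxx",
                               "issuerCertificate": {"use": "cadigicert"}, "staplerOCSP": {"use": "test"}},
                "test": {"class": "Certificate_Validator_OCSP",
                         "responderUrl": "http://ocsp.digicert.eu", "signingHashAlgorithm": "sha1"},
            },
        },
    },
}


def shared_ocsp_staplers(as3):
    """Return {(tenant, app, validator): [cert names]} for each OCSP validator
    that two or more Certificate objects in one application staple through."""
    refs = defaultdict(list)
    for tname, tenant in as3["declaration"].items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for aname, app in tenant.items():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            for cname, item in app.items():
                if not isinstance(item, dict) or item.get("class") != "Certificate":
                    continue
                ref = item.get("staplerOCSP")
                # The pointer is normally {"use": "name"}; accept a bare string too.
                use = ref.get("use", "") if isinstance(ref, dict) else (ref or "")
                validator = use.rsplit("/", 1)[-1]  # "/t/app/name" -> "name"
                if validator:
                    refs[(tname, aname, validator)].append(cname)
    return {key: sorted(certs) for key, certs in refs.items() if len(certs) >= 2}


if __name__ == "__main__":
    for (t, a, v), certs in shared_ocsp_staplers(SAMPLE).items():
        print(f"/{t}/{a}/{v} is stapled by {len(certs)} certificates: {json.dumps(certs)}")
```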