
Unable to generate CSR via F5 ansible module, It is failing

Open f5killer opened this issue 2 years ago • 16 comments

COMPONENT NAME
- name: Generate F5 BIG-IP CSR
  hosts: all
  gather_facts: no
  collections:
    - f5networks.f5_modules
  connection: local
  vars:
    f5_server: "{{ your_f5_server }}"
    f5_username: "{{ your_f5_username }}"
    f5_password: "{{ your_f5_password }}"
    csr_name: "{{ your_csr_name }}"
    csr_common_name: "{{ your_csr_common_name }}"
    csr_subject_alternative_names:
      - "{{ your_csr_sans }}"
    csr_key_size: "{{ your_csr_key_size }}"
    csr_key_type: "{{ your_csr_key_type }}"
    csr_algorithm: "{{ your_csr_algorithm }}"
    csr_key_password: "{{ your_csr_key_password }}"
  tasks:
    - name: Generate CSR
      bigip_device_certificate_csr:
        provider:
          server: "{{ f5_server }}"
          user: "{{ f5_username }}"
          password: "{{ f5_password }}"
          validate_certs: no
        name: "{{ csr_name }}"
        common_name: "{{ csr_common_name }}"
        subject_alternative_names: "{{ csr_subject_alternative_names }}"
        key_size: "{{ csr_key_size }}"
        key_type: "{{ csr_key_type }}"
        algorithm: "{{ csr_algorithm }}"
        key_password: "{{ csr_key_password }}"
      register: csr_result

Environment

ANSIBLE VERSION

ansible [core 2.14.3]

BIGIP VERSION

CONFIGURATION
OS / ENVIRONMENT
SUMMARY

STEPS TO REPRODUCE


f5killer avatar Jun 26 '23 19:06 f5killer

https://community.f5.com/t5/technical-forum/generate-csr-via-ansible-script/td-p/317536

f5killer avatar Jun 26 '23 19:06 f5killer

Hi @f5killer,

bigip_device_certificate_csr is not a module created on imperative or declarative collection. https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/module_index.html https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/module_index.html

It's an RFE and we will review it.

pgouband avatar Jun 27 '23 08:06 pgouband

Hi @f5killer,

Have you tried using the command module to run 'tmsh crypto command'? https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_command_module.html#bigip-command-module-2

pgouband avatar Jul 05 '23 09:07 pgouband

Please share the proper link in command module. thank you

f5killer avatar Jul 05 '23 10:07 f5killer

Hi @f5killer,

Here is the command. https://clouddocs.f5.com/cli/tmsh-reference/v16/modules/sys/sys_crypto_csr.html

pgouband avatar Jul 05 '23 12:07 pgouband

Unable to create wildcard CSR via tmsh or Ansible module. GUI is able to create wildcard CSR. Please report the bug on a priority basis.

f5killer avatar Jul 10 '24 19:07 f5killer

Hi @f5killer,

If you are not providing more information, we can't help you. Please provide Ansible playbook and the output with -vvv. If you don't want to share it here, please open a support case via https://my.f5.com/manage/s/

pgouband avatar Jul 11 '24 06:07 pgouband

Please find the output. Hope it will help you.

Please see the JSON output: `"message": "the \"create\" command does not accept wildcard configuration identifiers"`

localhost]: FAILED! => {
    "allow": "",
    "cache_control": "must-revalidate",
    "changed": false,
    "connection": "close",
    "content_length": "134",
    "content_security_policy": "default-src 'self' https://sentinel.whitehatsec.com https://sentinel.whitehatsec.eu https://api.ctscloud.com https://key.ctscloud.com 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: https://sentinel.whitehatsec.com https://sentinel.whitehatsec.eu https://api.ctscloud.com https://key.ctscloud.com http://127.4.1.1 http://127.4.2.1",
    "content_type": "application/json;charset=utf-8",
    "date": "Thu, 11 Jul 2024 07:06:29 GMT",
    "elapsed": 0,
    "expires": "-1",
    "invocation": {
        "module_args": {
            "attributes": null,
            "body": {
                "city": "Paris",
                "commonName": "*.abc.pqr.example.com",
                "country": "FR",
                "keySize": "2048",
                "keyType": "rsa-private",
                "name": "cert.abc.pqr.example.com_JUL_2024",
                "options": [
                    {
                        "gen-csr": "*.cert.abc.pqr.example.com"
                    }
                ],
                "organization": "FR SE",
                "ou": "Society General Services",
                "partition": "Common",
                "state": "Paris",
                "subject-alternative-name": "DNS:*.abc.pqr.example.com"
            },
            "body_format": "json",
            "ca_path": null,
            "ciphers": null,
            "client_cert": null,
            "client_key": null,
            "creates": null,
            "decompress": true,
            "dest": null,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Content-Type": "application/json",
                "X-F5-Auth-Token": "Q)ERSQQOKUJSYCFTENKYXXXX"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "remote_src": false,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                200
            ],
            "timeout": 30,
            "unix_socket": null,
            "unredirected_headers": [],
            "unsafe_writes": false,
            "url": "https://10.10.30.40/mgmt/tm/sys/crypto/key",
            "url_password": null,
            "url_username": null,
            "use_gssapi": false,
            "use_netrc": true,
            "use_proxy": true,
            "validate_certs": false
        }
    },
    "json": {
        "apiError": 26214401,
        "code": 400,
        "errorStack": [],
        "message": "the \"create\" command does not accept wildcard configuration identifiers"
    },
    "msg": "Status code was 400 and not [200]: HTTP Error 400: Bad Request",
    "pragma": "no-cache",
    "redirected": false,
    "server": "Jetty(9.4.49.v20220914)",
    "status": 400,
    "strict_transport_security": "max-age=16070400; includeSubDomains",
    "url": "https://10.10.30.40/mgmt/tm/sys/crypto/key",
    "x_content_type_options": "nosniff",
    "x_frame_options": "SAMEORIGIN",
    "x_xss_protection": "1; mode=block"
}

f5killer avatar Jul 11 '24 07:07 f5killer

Hi @f5killer,

I tried the following with success:

- hosts: all
  collections:
    - f5networks.f5_modules
  connection: local
  gather_facts: no


  tasks:
     - name: Generate CSR
       f5networks.f5_modules.bigip_command:
         provider:
           server: 10.10.10.9
           user: "admin"
           password: "my-password"
           server_port: 443
           validate_certs: no
           no_f5_teem: yes
         commands: create sys crypto csr mycsr city Paris common-name abc.pqr.example.com country FR key default.key
       delegate_to: localhost

$ ansible-playbook -i hosts csr.yml

PLAY [all] *********************************************************************

TASK [Generate CSR] ************************************************************
[WARNING]: Using "write" commands is not idempotent. You should use a module
that is specifically made for that. If such a module does not exist, then
please file a bug. The command in question is "create sys crypto csr mycsr city
Paris c..."
changed: [10.1.1.9 -> localhost]

PLAY RECAP *********************************************************************
10.1.1.9                   : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

The following link shows examples and options for tmsh sys crypto csr command. https://clouddocs.f5.com/cli/tmsh-reference/v16/modules/sys/sys_crypto_csr.html

pgouband avatar Jul 11 '24 09:07 pgouband

Please use wildcard common name common-name *.pqr.example.com

commands: create sys crypto csr mycsr city Paris common-name *.pqr.example.com country FR key default.key

f5killer avatar Jul 11 '24 10:07 f5killer

Hi @f5killer,

It's working too.

pgouband avatar Jul 11 '24 12:07 pgouband

Hi @f5killer,

In the playbook you are using uri Ansible command, not BIG-IP Ansible collection so if there is an issue with BIG-IP API, please open a case via https://my.f5.com/manage/s/

pgouband avatar Jul 11 '24 14:07 pgouband

@pgouband, this is a bug; not sure how we can move ahead. I have shown everything needed to reproduce the issue. I don't have access, hence removing it.

f5killer avatar Jul 11 '24 14:07 f5killer

Hi @f5killer,

This repository is only managing Ansible BIG-IP imperative collection. As you are using Ansible uri builtin command and not Ansible BIG-IP imperative collection, you need to open a support case via https://my.f5.com/manage/s/ as you think there is an issue with BIG-IP device API from what I understand.

I have been able to create a csr with a wildcard using f5networks.f5_modules.bigip_command from Ansible BIG-IP imperative collection as shown earlier.

pgouband avatar Jul 11 '24 14:07 pgouband
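The thread contrasts two ways of asking BIG-IP for a CSR: the REST body posted to `/mgmt/tm/sys/crypto/key` (rejected with "the create command does not accept wildcard configuration identifiers") and the tmsh `create sys crypto csr` line run through `bigip_command` (accepted with a wildcard `common-name`). The following is an added example, not code from this issue or from the f5-ansible collection: a small pre-flight checker that separates object names from certificate subject fields before anything is sent to the device, plus a builder for the tmsh line in the shape used above. It assumes, which the page does not state, that the "configuration identifiers" in the error are the object names (the key `name` and the `gen-csr` value), while `common-name` and the SAN may legitimately carry a wildcard; the tmsh option names beyond `city`, `common-name`, `country` and `key` are taken from the thread's REST payload and assumed to match the linked tmsh reference. The sample bodies are constructed with placeholder names.

```python
"""Pre-flight checks for a BIG-IP CSR request plus a tmsh command builder.

Added example; not code from this issue thread or from the f5-ansible
collection. Assumption (not stated on the page): the "configuration
identifiers" the API complains about are object names (the key `name` and
the `gen-csr` value), while common-name and SAN may be wildcard hostnames.
"""
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_identifier(name: str) -> bool:
    """tmsh object names (key, csr) must not carry a wildcard; conservative charset."""
    return bool(name) and "*" not in name and re.fullmatch(r"[A-Za-z0-9._/-]+", name) is not None


def is_valid_hostname(host: str) -> bool:
    """Hostname check that allows '*' only as the entire leftmost label."""
    labels = host.split(".")
    if len(labels) < 2:
        return False
    if labels[0] == "*":
        labels = labels[1:]
    return all(LABEL.fullmatch(label) for label in labels)


def check_rest_payload(body: dict) -> list:
    """Return problems found in a /mgmt/tm/sys/crypto/key body; [] means none found."""
    problems = []
    if not is_valid_identifier(body.get("name", "")):
        problems.append(f"name is not a valid configuration identifier: {body.get('name')!r}")
    for opt in body.get("options", []):
        if "gen-csr" in opt and not is_valid_identifier(opt["gen-csr"]):
            problems.append(f"gen-csr is the CSR object name and must not be a wildcard: {opt['gen-csr']!r}")
    cn = body.get("commonName", "")
    if not is_valid_hostname(cn):
        problems.append(f"commonName is not a valid hostname: {cn!r}")
    for entry in (body.get("subject-alternative-name") or "").split(","):
        entry = entry.strip()
        if entry.startswith("DNS:") and not is_valid_hostname(entry[4:]):
            problems.append(f"bad SAN entry: {entry!r}")
    return problems


def tmsh_quote(value: str) -> str:
    """tmsh takes values containing whitespace in double quotes; '*' needs no quoting."""
    if re.search(r"\s", value) or '"' in value:
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return value


def build_tmsh_csr_command(name, common_name, key, city=None, country=None,
                           organization=None, ou=None, state=None, san=None):
    """Build the `commands:` line for bigip_command, in the shape used in the thread.

    Option names other than city/common-name/country/key are assumed from the
    thread's REST payload (organization, ou, state, subject-alternative-name).
    """
    if not is_valid_identifier(name):
        raise ValueError(f"CSR name must be a plain identifier, got {name!r}")
    if not is_valid_hostname(common_name):
        raise ValueError(f"common-name must be a (wildcard) hostname, got {common_name!r}")
    parts = ["create", "sys", "crypto", "csr", name]
    for option, value in (("city", city), ("common-name", common_name), ("country", country),
                          ("organization", organization), ("ou", ou), ("state", state),
                          ("subject-alternative-name", san)):
        if value is not None:
            parts += [option, tmsh_quote(value)]
    parts += ["key", key]
    return " ".join(parts)


# Constructed sample modelled on the failing request in this thread (placeholder names).
FAILING_BODY = {
    "name": "cert.abc.pqr.example.com_JUL_2024",
    "commonName": "*.abc.pqr.example.com",
    "options": [{"gen-csr": "*.cert.abc.pqr.example.com"}],
    "subject-alternative-name": "DNS:*.abc.pqr.example.com",
}
# Same request with a plain CSR object name; the wildcard stays in CN and SAN only.
FIXED_BODY = dict(FAILING_BODY, options=[{"gen-csr": "cert.abc.pqr.example.com_JUL_2024"}])

if __name__ == "__main__":
    print(check_rest_payload(FAILING_BODY))
    print(check_rest_payload(FIXED_BODY))
    print(build_tmsh_csr_command("mycsr", "*.pqr.example.com", "default.key", city="Paris", country="FR"))
```

Run against the constructed bodies, the checker flags only the `gen-csr` value of the failing request, and the builder reproduces the `create sys crypto csr mycsr ... common-name *.pqr.example.com ...` line that worked through `bigip_command`; values with spaces such as an `ou` come out double-quoted as tmsh expects.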

This will help us to create key and CSR both at the same time. The endpoint '/mgmt/tm/sys/crypto/key' is supported by BIG-IP. I think the only issue is with the API module; the GUI has worked well for a long time. Will you be able to create a bug on my behalf in https://bugzilla.f5.com?

f5killer avatar Jul 11 '24 15:07 f5killer

Hi @f5killer,

If you are an F5er, please contact me on Teams or via mail but it's not the right place. Also I'm not the one managing BIG-IP API so I'll not create a bug ID.

pgouband avatar Jul 11 '24 15:07 pgouband