PCKS12 cert not able to be referenced

Open timothyfranson opened this issue 5 years ago • 9 comments

Environment

  • Application Services Version: 3.20.0
  • BIG-IP Version: 15.0.1

Summary

A PCKS12 (.pfx) cert added via AS3 is not able to be referenced.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "test",
    "test": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "service": {
                "class": "Service_HTTPS",
                "virtualAddresses": [
                    "10.0.1.186"
                ],
                "clientTLS": "tlsClient",
                "serverTLS": "tlsServer",
                "virtualPort": 443
            },
            "tlsServer": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "cert"
                    }
                ]
            },
            "tlsClient": {
                "class": "TLS_Client",
                "forwardProxyEnabled": true
            },
            "cert": {
                "class": "Certificate",
                "passphrase": {
                    "ciphertext": "<BASE64_ENCODED_PASSPHRASE>",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                    "ignoreChanges": true
                },
                "pkcs12": {
                    "base64": "<BASE64_ENCODED_FILE>"
                }
            }
        }
    }
}
  2. Observe the following error response:
{
    "code": 422,
    "message":"java.net.ProtocolException: status:422, body:{\"results\":[{\"code\":422,\"message\":\"declaration failed\",\"response\":\"01070277:3: The requested certificate (/test/Shared/cert.crt) was not found.\",\"host\":\"localhost\",\"tenant\":\"test\",\"runTime\":2663}],\"declaration\":{\"test\":{\"class\":\"Tenant\",\"Shared\":{\"class\":\"Application\",\"template\":\"shared\",\"cert\":{\"class\":\"Certificate\",\"passphrase\":{\"ciphertext\":\"<SANITIZED>\",\"protected\":\"eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0=\",\"ignoreChanges\":true,\"miniJWE\":true},\"pkcs12\":{\"base64\":\"<SANITIZED>

Expected Behavior

All objects should be created

Actual Behavior

I get the above error. The issue is not the cert either - if I water the declaration down to only the cert it gets imported without issue.

timothyfranson avatar Jun 18 '20 22:06 timothyfranson

Thank you for reporting this bug. I have confirmed the bug and added it to our internal product backlog as AUTOTOOL-1665.

dstokesf5 avatar Jun 19 '20 16:06 dstokesf5

It looks like when I reproduced this bug, I mistook a similar error message for the one being reported here. I received an error because the pkcs12 data I was using did not contain a key. We have been unable to reproduce this with valid pkcs12 data. Have you confirmed that both a certificate and key are present in your pkcs12 data?

dstokesf5 avatar Jul 10 '20 17:07 dstokesf5

Yes. And to reiterate, if I remove the 'tlsServer' section of the above declaration, the certs and key get imported just fine. See below for error vs good declaration (watered it down even more here). When I log in after applying the good declaration I can see the cert and key imported just as they should. I can even at this point manually create an SSL profile referencing it.

Also, I don't know if it makes a difference but I'm doing this against LTMs in Azure.

Errored declaration:

{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "test",
    "test": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "tlsServer": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "cert"
                    }
                ]
            },
            "cert": {
                "class": "Certificate",
                "passphrase": {
                    "ciphertext": "SANITIZED",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                    "ignoreChanges": true
                },
                "pkcs12": {
                    "base64": "SANITIZED"
                }
            }
        }
    }
}

Errored response:

{
    "results": [
        {
            "code": 422,
            "message": "declaration failed",
            "response": "01070277:3: The requested certificate (/test/Shared/cert.crt) was not found.",
            "host": "localhost",
            "tenant": "test",
            "runTime": 2654
        }
    ],
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.20.0",
        "id": "test",
        "updateMode": "selective",
        "controls": {
            "archiveTimestamp": "2020-07-23T18:20:05.050Z"
        }
    },
    "code": 422
}

Good declaration:

{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "test",
    "test": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "cert": {
                "class": "Certificate",
                "passphrase": {
                    "ciphertext": "SANITIZED",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                    "ignoreChanges": true
                },
                "pkcs12": {
                    "base64": "SANITIZED"
                }
            }
        }
    }
}

Good Response:

{
    "results": [
        {
            "code": 200,
            "message": "success",
            "lineCount": 22,
            "host": "localhost",
            "tenant": "test",
            "runTime": 2566
        }
    ],
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.20.0",
        "id": "test",
        "test": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "cert": {
                    "class": "Certificate",
                    "passphrase": {
                        "ciphertext": "SANITIZED",
                        "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0=",
                        "ignoreChanges": true,
                        "miniJWE": true
                    },
                    "pkcs12": {
                        "base64": "SANITIZED"
                    }
                }
            }
        },
        "updateMode": "selective",
        "controls": {
            "archiveTimestamp": "2020-07-23T18:21:03.550Z"
        }
    }
}

timothyfranson avatar Jul 23 '20 18:07 timothyfranson

I'll also note that since opening this ticket, I've burned down the LTM I originally tested this on and rebuilt it on code 15.1.0.2; my previous comment was run against this new code version (though the error is pretty much the same). AS3 version is still the same.

timothyfranson avatar Jul 23 '20 18:07 timothyfranson

I generated a certificate, key, and a combined pkcs12 file with a passphrase of "password". I then used those successfully in the simple declaration below. I believe something is wrong with your pkcs12 input.

{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "test",
    "test": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "tlsServer": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "cert"
                    }
                ]
            },
            "cert": {
                "class": "Certificate",
                "passphrase": {
                    "ciphertext": "cGFzc3dvcmQ="
                },
                "pkcs12": {
                    "base64": "<BASE64_ENCODED_FILE>"
                }
            }
        }
    }
}

dstokesf5 avatar Nov 11 '20 19:11 dstokesf5

Closing this issue for inactivity.

dstokesf5 avatar Dec 01 '20 18:12 dstokesf5

I'd like to reopen this issue as I faced the same problem.

Copy of what @timothyfranson said:

"And to reiterate, if I remove the 'tlsServer' section of the above declaration, the certs and key get imported just fine. See below for error vs good declaration (watered it down even more here). When I login after applying the good declaration I can see the cert and key imported just as they should. I can even at this point manually create an SSL profile referencing it."

The P12 bundle that I use works fine (I can use it on my Windows machine, I can use it in BIG-IP manually). But as soon as I try to implement it using AS3, I've got the message "The requested certificate (/partition/application/webcrt.crt) was not found."

AS3 declaration that works:

{
    "class": "ADC",
    "schemaVersion": "3.25.0",
    "Partition": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "WEBCRT": {
                "class": "Certificate",
                "passphrase": {
                    "ciphertext": "****"
                },
                "pkcs12": {
                    "base64": "****"
                }
            }
        }
    }
}

AS3 declaration that doesn't work:

{
    "class": "ADC",
    "schemaVersion": "3.25.0",
    "Partition": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "WEBTLS": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "cert"
                    }
                ]
            },
            "WEBCRT": {
                "class": "Certificate",
                "passphrase": {
                    "ciphertext": "****"
                },
                "pkcs12": {
                    "base64": "****"
                }
            }
        }
    }
}

BenEkpy avatar Feb 10 '21 17:02 BenEkpy

Please re-open this issue as it is still unresolved. When you import a PKCS12 certificate and key, the key is named correctly, but the certificate is not. AS3 does not append the .crt to the certificate file, so it cannot be referenced in an SSL profile configuration.

{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "CertTest": {
        "class": "Tenant",
        "test": {
            "class": "Application",
            "example_cert": {
                "class": "Certificate",
                "passphrase": {
                    "ciphertext": "IA==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                },
                "pkcs12": {
                    "url": {
                        "url": "https://gitea.example/certificateStore/raw/branch/master/example_092621.p12",
                        "skipCertificateCheck": true
                    }
                }
            },
            "example_cert_clientssl": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "example_cert"
                    }
                ]
            }
        }
    },
    "class": "ADC",
    "schemaVersion": "3.30.0"
  }
}
Tue, 09 Nov 2021 13:20:59 GMT - severe: [appsvcs] {"message":"Declaration failed: 01070277:3: The requested certificate (/CertTest/test/example_cert.crt) was not found.","level":"error"}

root@(bigTest01)(cfg-sync Standalone)(Active)(/CertTest/test)(tmos)# show sys crypto cert all
1 certificates found
sys crypto cert example_cert {
    certificate-status none
    ocsp-status none
}

As you can see, the .crt for the example_cert is missing.

ajgerace avatar Nov 09 '21 19:11 ajgerace
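Added example (not code from the AS3 project or from any commenter in this thread): a stdlib-only Python helper that covers the two checks an operator wants around this report. First, it builds the `Certificate` object the way the declarations above do (base64 of the .p12 bytes, plaintext passphrase with the `{"alg":"dir","enc":"none"}` protected header, which is what `eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0` decodes to) and decodes the `protected` header so you can tell a pre-deploy declaration (`enc: none`) from one AS3 has already re-encrypted (`enc: f5sv`, `miniJWE: true`). Second, it walks a declaration for every `Certificate` object, derives the `/Tenant/App/name.crt` and `.key` object names a `TLS_Server` reference will look for, and compares them against listings of `/mgmt/tm/sys/crypto/cert` and `/mgmt/tm/sys/crypto/key` (iControl REST collections whose items carry a `fullPath`). The sample declaration and listings are constructed here to mirror the `show sys crypto cert all` output above, where the cert object exists without its `.crt` suffix; the function names are this example's own.

```python
"""Pre/post-deploy checks for AS3 'Certificate' objects loaded from PKCS#12.

Added example; helper names below are this example's own, not AS3 APIs.
"""
import base64
import json


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, the form AS3 uses for the 'protected' header."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_protected_header(protected: str) -> dict:
    """Decode the JWE-style 'protected' header, tolerating missing padding."""
    padded = protected + "=" * (-len(protected) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_certificate_object(pkcs12_bytes: bytes, passphrase: str,
                             ignore_changes: bool = True) -> dict:
    """Build an AS3 'Certificate' object carrying a PKCS#12 bundle and its passphrase.

    'enc: none' tells AS3 the ciphertext is plain base64; after deployment AS3
    rewrites the passphrase with enc 'f5sv' and sets miniJWE, as the good
    response in this thread shows.
    """
    return {
        "class": "Certificate",
        "passphrase": {
            "ciphertext": base64.b64encode(passphrase.encode()).decode(),
            "protected": b64url_nopad(b'{"alg":"dir","enc":"none"}'),
            "ignoreChanges": ignore_changes,
        },
        "pkcs12": {"base64": base64.b64encode(pkcs12_bytes).decode()},
    }


def expected_crypto_paths(declaration: dict) -> dict:
    """Map each Certificate object to the cert/key object names AS3 should create.

    Returns {"/Tenant/App/name": ("/Tenant/App/name.crt", "/Tenant/App/name.key")}.
    Accepts either a bare ADC declaration or an AS3 wrapper with 'declaration'.
    """
    if declaration.get("class") == "AS3":
        declaration = declaration["declaration"]
    expected = {}
    for tenant, tbody in declaration.items():
        if not isinstance(tbody, dict) or tbody.get("class") != "Tenant":
            continue
        for app, abody in tbody.items():
            if not isinstance(abody, dict) or abody.get("class") != "Application":
                continue
            for name, obj in abody.items():
                if isinstance(obj, dict) and obj.get("class") == "Certificate":
                    base = f"/{tenant}/{app}/{name}"
                    expected[base] = (base + ".crt", base + ".key")
    return expected


def missing_crypto_objects(declaration: dict, cert_listing: dict, key_listing: dict) -> list:
    """Return expected cert/key object paths absent from the REST listings.

    cert_listing / key_listing are the JSON bodies of GET /mgmt/tm/sys/crypto/cert
    and /mgmt/tm/sys/crypto/key; each item's 'fullPath' is compared exactly, so an
    object created as 'example_cert' instead of 'example_cert.crt' is reported.
    """
    present_certs = {i["fullPath"] for i in cert_listing.get("items", [])}
    present_keys = {i["fullPath"] for i in key_listing.get("items", [])}
    missing = []
    for crt, key in expected_crypto_paths(declaration).values():
        if crt not in present_certs:
            missing.append(crt)
        if key not in present_keys:
            missing.append(key)
    return sorted(missing)


# Constructed sample data mirroring the report above (not captured from a real BIG-IP).
SAMPLE_DECLARATION = {
    "class": "AS3",
    "action": "deploy",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.30.0",
        "CertTest": {
            "class": "Tenant",
            "test": {
                "class": "Application",
                "example_cert": build_certificate_object(b"\x30\x82placeholder-p12", "password"),
                "example_cert_clientssl": {
                    "class": "TLS_Server",
                    "certificates": [{"certificate": "example_cert"}],
                },
            },
        },
    },
}
SAMPLE_CERT_LISTING = {"items": [
    {"name": "example_cert", "fullPath": "/CertTest/test/example_cert"},  # no .crt suffix
    {"name": "default.crt", "fullPath": "/Common/default.crt"},
]}
SAMPLE_KEY_LISTING = {"items": [
    {"name": "example_cert.key", "fullPath": "/CertTest/test/example_cert.key"},
    {"name": "default.key", "fullPath": "/Common/default.key"},
]}

if __name__ == "__main__":
    print(decode_protected_header("eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0="))
    print(missing_crypto_objects(SAMPLE_DECLARATION, SAMPLE_CERT_LISTING, SAMPLE_KEY_LISTING))
```

Run it after a deployment with the real listings pulled from iControl REST; an entry in the missing list is exactly the object the `01070277:3` error complains about, and checking it before wiring a `TLS_Server` reference avoids a failed declaration that rolls the whole tenant back.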

Thank you for adding additional information to this issue. I have re-opened it and flagged it for triage.

dstokesf5 avatar Nov 09 '21 19:11 dstokesf5