GenLeCertForNS
Disable the content switch after ACME challenge, ECC certificates
Hi, great script! We are currently working on the implementation for our environment. Two questions came up:
- We would like to enable the CS for LE only during the ACME validation. What API calls would we need? Would it be easy to add an option to the script?
- How would we request ECC certificates? Both LE and NS are capable of this.
Regards, Mario
Thank you for reaching out and for your kind words!
- I presume you are using the certificate only internally? I think I can pretty easily add something for this in the code.
- I did not receive this question earlier. I must investigate what is required for this. I cannot promise anything yet.
Hi, thanks for your answers! Let me clarify a bit.
- We are using certificates for public sites which are reachable and configured only for HTTPS (ADC and backend). Enabling HTTP for a particular public IP address leads to HTTP 503 / "Http/1.1 Service Unavailable" in our setup when you connect via HTTP, which customers do not like (me neither ;-) So my idea was to enable the CS just for the time when requesting a cert. for a domain. Before and after it can be left disabled and HTTP connections just time out.
- ECC is the future in terms of shorter key length and performance. On RSA, 2048 bits are still enough, but regulators in Germany are going to request at least 3000 bits starting right now (their site "BSI" still runs with 2k RSA btw. ;)
Can you test the new dev version (https://github.com/j81blog/GenLeCertForNS/tree/dev)? I added two parameters, -EnableVipBefore and -DisableVipAfter. Although I would create a load balance vip and add a dummy service. Create a responder to respond with 302 to redirect to https and bind this to the load balance vip, and assign this LB vip as default LB vip to the content switch. This way all the traffic on http that does not have a match will be redirected to https.
I can provide you with a code snippet example (Command Line) to achieve this.
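The NITRO calls behind the "enable the CS vip only during the ACME validation" idea from the question above, and the EnableVipBefore/DisableVipAfter behaviour the dev version adds, as an added PowerShell example that is not code from GenLeCertForNS. It assumes NITRO v1 on the management URL, a user allowed to enable/disable csvserver objects, and that the ACME work is passed in as a scriptblock; the disable step runs in a finally block so a failed validation does not leave HTTP listening.

```powershell
# Added example (not the script's own code): bring a CS vip up only for the ACME challenge
# and return it to its previous state afterwards, using the NITRO REST API.
param(
    [Parameter(Mandatory)][string]$ManagementURL,      # e.g. http://adc.example.internal (constructed)
    [Parameter(Mandatory)][string]$Username,
    [Parameter(Mandatory)][string]$Password,
    [Parameter(Mandatory)][string]$CsVipName,          # e.g. csw_letsencrypt_all_http (from the thread)
    [Parameter(Mandatory)][scriptblock]$AcmeValidation # the work to run while the vip is UP
)

$headers = @{ 'X-NITRO-USER' = $Username; 'X-NITRO-PASS' = $Password }
$base    = "$($ManagementURL.TrimEnd('/'))/nitro/v1/config"

function Get-CsVipState([string]$Name) {
    # GET returns the csvserver object; curstate is e.g. UP or OUT OF SERVICE
    $r = Invoke-RestMethod -Uri "$base/csvserver/$Name" -Headers $headers -Method Get
    return $r.csvserver[0].curstate
}

function Set-CsVipAction([string]$Name, [ValidateSet('enable', 'disable')][string]$Action) {
    # NITRO action endpoints take the object name in the body and the action as a query parameter
    $body = @{ csvserver = @{ name = $Name } } | ConvertTo-Json -Compress
    Invoke-RestMethod -Uri "$base/csvserver?action=$Action" -Headers $headers -Method Post `
        -ContentType 'application/json' -Body $body | Out-Null
}

# Only touch the vip when it is not already UP, so an always-on vip is left alone
$wasDown = (Get-CsVipState $CsVipName) -ne 'UP'
try {
    if ($wasDown) {
        Write-Host "CS vip '$CsVipName' is $(Get-CsVipState $CsVipName); enabling it for the ACME challenge"
        Set-CsVipAction $CsVipName 'enable'
    }
    & $AcmeValidation
}
finally {
    # Always restore the original state, even when the validation threw
    if ($wasDown) {
        Set-CsVipAction $CsVipName 'disable'
        Write-Host "CS vip '$CsVipName' disabled again, new state: $(Get-CsVipState $CsVipName)"
    }
}
```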
Thank you for the extra information.
Thanks a lot! The new version seems to have a glitch when parsing these new parameters? (...) -CsVipName 'csw_letsencrypt_all_http' -EnableVipBefore -DisableVipAfter Error: The "-CsVipName" parameter may not be empty! Only when specifying the "-UseLbVip" parameter.
(And yes, an HTTPS redirect would be fine. But I'm only the cert. admin and the ADC guys have done a lot of customizing with responders et al. so we want to keep this as simple as possible.)
Hi, could you have a look at the error message I wrote above? Here is the complete call (some values reduced):
.\dev.ps1 -ManagementURL http://... -Username adc -Password '***' -SvcDestination 1.2.3.5 -EmailAddress le@domain -CertDir C:\Users\adc\le\certs -PfxPassword '
The "-CsVipName" parameter may not be empty! Only when specifying the "-UseLbVip" parameter.
At C:\Users\adc\le\dev.ps1:2578 char:5
Throw "The "-CsVipName
" parameter may not be empty! Only when s ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : OperationStopped: (The "-CsVipName...Vip" parameter.:String) [], RuntimeException
FullyQualifiedErrorId : The "-CsVipName" parameter may not be empty! Only when specifying the "-UseLbVip" parameter.
I must rebuild my lab NetScaler to test this and try to reproduce. Will do this a.s.a.p.
Can you test the latest dev version?
The params are now parsed. The switch is being recognised as "disabled" and gets enabled: "ERROR [ADC-CS-VALIDATION] The CS Vip is disabled, enabling it now because of parameter EnableVipBefore is set." But it remains enabled afterwards, no info about "DisableVipAfter" in the log?
Hi, I made some changes (v2.25.0). Can you check again?
Great, this looks good:
-State.....................: OUT OF SERVICE, needs to be enabled first (EnableVipBefore was set)
-New State.................: UP
(...)
-Action....................: Required, DisableVipAfter was set
-State.....................: UP, needs to be disabled
-New State.................: OUT OF SERVICE
I will check on another ADC these days. Thanks a lot!