F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

RFE: Private key support for Network HSM and Cert retrieval from URL #121

Closed alonsocamaro closed 4 years ago

alonsocamaro commented 5 years ago
Do you already have an issue opened with F5 support?

NA

ISSUE TYPE
AS3 BUILD / VERSION
f5-appsvcs-3.12.0-5.noarch
BIGIP VERSION
Main Package
  Product     BIG-IP
  Version     14.1.0.1
  Build       0.0.7
  Edition     Point Release 1
  Date        Tue Jan 15 19:49:59 PST 2019
SUMMARY

In cloud environments where automation is involved, using a network HSM solves the problem of avoiding having to store the private keys securely in a repository, and it accelerates the performance of a VE.

Additionally, when doing automation it is convenient to be able to download a cert from a URL, similarly to how downloading a WAF policy is done.

focrensh commented 5 years ago

It is possible today to retrieve cert/key via url.

"privateKey": {"url":"https://examplerepo.com/sslkey"}

Do you have an example workflow/setup for the network HSM?

alonsocamaro commented 5 years ago

> It is possible today to retrieve cert/key via url.
>
> "privateKey": {"url":"https://examplerepo.com/sslkey"}

Thanks for the comment.

alonsocamaro commented 5 years ago

> Do you have an example workflow/setup for the network HSM?

A private key that is stored in a Network HSM looks very similar to a regular key; the only difference is the security type:

sys file ssl-key star.f5bddemos.io.key {
    checksum SHA1:514:7b15958a2b4ad7b79582eda0345fe49bffecad68
    create-time 2019-08-19:08:47:12
    created-by bddemoadm
    key-size 2048
    last-update-time 2019-08-19:08:47:12
    mode 33184
    revision 1
    security-type nethsm
    size 514
    source-path none
    updated-by bddemoadm
}

From my point of view, Network HSM configuration should be out of scope of AS3 and should be done in DO instead (I already created an RFE for this some time ago).

For reference, the corresponding cert is just a regular cert:

sys file ssl-cert star.f5bddemos.io.crt {
    certificate-key-size 2048
    checksum SHA1:2166:9d093aa5b05b68d2b7aee7c49b16e7a074dfb875
    create-time 2019-08-19:08:48:14
    created-by bddemoadm
    expiration-date 1596758399
    expiration-string "Aug  6 23:59:59 2020 GMT"
    fingerprint SHA256/32:87:7A:25:12:2B:1F:2C:A6:F9:1C:5F:14:57:B8:8A:59:ED:2C:51:F1:F4:75:A6:FA:7B:07:60:5A:CA:BB:BE
    issuer "CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB"
    key-type rsa-public
    last-update-time 2019-08-19:08:48:14
    mode 33188
    revision 1
    serial-number 66:dd:19:b4:8b:7a:98:92:ae:8a:bc:80:4a:87:f9:fb
    size 2166
    source-path none
    subject "CN=*.f5bddemos.io,OU=EssentialSSL Wildcard,OU=Domain Control Validated"
    subject-alternative-name "DNS:*.f5bddemos.io, DNS:f5bddemos.io"
    updated-by bddemoadm
    version 3
}

This SSL key is used like any other regular SSL key.

Does this comment answer your question fully?

Thanks Forrest

alonsocamaro commented 5 years ago

> It is possible today to retrieve cert/key via url.
>
> "privateKey": {"url":"https://examplerepo.com/sslkey"}

I'm experiencing the same error as when downloading WAF policies:

Wed, 21 Aug 2019 14:05:01 GMT - severe: [appsvcs] {"message":"GET https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt for /cis/RoutingVIP/webcert/certificate failed (unable to verify the first certificate)","level":"error"}
Wed, 21 Aug 2019 14:05:01 GMT - severe: [appsvcs] {"message":"Unable to fetch value. GET https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt for /cis/RoutingVIP/webcert/certificate failed (unable to verify the first certificate)","level":"error"}
Wed, 21 Aug 2019 14:05:01 GMT - warning: [appsvcs] {"message":"unable to digest declaration. Error: Unable to fetch value. GET https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt for /cis/RoutingVIP/webcert/certificate failed (unable to verify the first certificate)","level":"warning"}
markchart commented 5 years ago

The error messages you reproduce show that AS3 cannot validate the TLS certificate your server (gitlab.xx.yy.zz) is presenting, so AS3 refuses to make the TLS connection to process the request. Try adding the appropriate root CA cert to the iControl-LX (nodejs) trust store. If your server's certificate is self-signed, simply add a copy of it to the trust store.

You might consider opening an AS3 feature request for an option to ignore server certificate validity when an AS3 declaration fetches data from a URL. Ideally one could change the overall default setting in "class": "AS3" with something like "fetchAllowAnyCert": "true" (default "false", of course) and also change the setting on a per-request basis with something like

"url": {
    "allowAnyCert": "true",
    "url": "https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt"
}

To make the latter work, each instance of "url" in the AS3 schema would become polymorphic: when the value is just a string, that string is the URL, and when the value is an object, that object contains the URL string and optionally a value for allowAnyCert, which would default to false. These changes would be easy to make because AS3's internal code for fetching stuff from URLs already has an option to allow any server cert (AS3 uses that option when talking to localhost iControl REST on a BIG-IP with a self-signed cert).

pzolo85 commented 4 years ago

Here is a workaround: https://github.com/F5Networks/f5-appsvcs-extension/issues/170#issuecomment-554014096

dstokesf5 commented 4 years ago

Closing for inactivity. Furthermore, #170 has been completed.