Closed alonsocamaro closed 4 years ago
It is possible today to retrieve cert/key via url.
"privateKey": {"url":"https://examplerepo.com/sslkey"}
Do you have an example workflow/setup for the networkhsm.
Thanks for the comment.
A private key that is stored in a Network HSM looks very similar to a regular key; the only difference is the security type:
sys file ssl-key star.f5bddemos.io.key {
checksum SHA1:514:7b15958a2b4ad7b79582eda0345fe49bffecad68
create-time 2019-08-19:08:47:12
created-by bddemoadm
key-size 2048
last-update-time 2019-08-19:08:47:12
mode 33184
revision 1
security-type nethsm
size 514
source-path none
updated-by bddemoadm
}
From my point of view, Network HSM configuration should be out of scope of AS3 and should be done in DO instead (I already created an RFE for this some time ago).
For reference, the corresponding cert is just a regular cert:
sys file ssl-cert star.f5bddemos.io.crt {
certificate-key-size 2048
checksum SHA1:2166:9d093aa5b05b68d2b7aee7c49b16e7a074dfb875
create-time 2019-08-19:08:48:14
created-by bddemoadm
expiration-date 1596758399
expiration-string "Aug 6 23:59:59 2020 GMT"
fingerprint SHA256/32:87:7A:25:12:2B:1F:2C:A6:F9:1C:5F:14:57:B8:8A:59:ED:2C:51:F1:F4:75:A6:FA:7B:07:60:5A:CA:BB:BE
issuer "CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB"
key-type rsa-public
last-update-time 2019-08-19:08:48:14
mode 33188
revision 1
serial-number 66:dd:19:b4:8b:7a:98:92:ae:8a:bc:80:4a:87:f9:fb
size 2166
source-path none
subject "CN=*.f5bddemos.io,OU=EssentialSSL Wildcard,OU=Domain Control Validated"
subject-alternative-name "DNS:*.f5bddemos.io, DNS:f5bddemos.io"
updated-by bddemoadm
version 3
}
This SSL key is used like any other regular SSL key.
Does this comment answer your question fully?
Thanks, Forrest
I'm experiencing the same error as when downloading WAF policies:
Wed, 21 Aug 2019 14:05:01 GMT - severe: [appsvcs] {"message":"GET https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt for /cis/RoutingVIP/webcert/certificate failed (unable to verify the first certificate)","level":"error"}
Wed, 21 Aug 2019 14:05:01 GMT - severe: [appsvcs] {"message":"Unable to fetch value. GET https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt for /cis/RoutingVIP/webcert/certificate failed (unable to verify the first certificate)","level":"error"}
Wed, 21 Aug 2019 14:05:01 GMT - warning: [appsvcs] {"message":"unable to digest declaration. Error: Unable to fetch value. GET https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt for /cis/RoutingVIP/webcert/certificate failed (unable to verify the first certificate)","level":"warning"}
The error messages you reproduce show that AS3 cannot validate the TLS certificate your server (gitlab.xx.yy.zz) is presenting, so AS3 refuses to make the TLS connection to process the request. Try adding the appropriate root CA cert to the iControl-LX (nodejs) trust store. If your server's certificate is self-signed, simply add a copy of it to the trust store.
You might consider opening an AS3 feature request for an option to ignore server certificate validity when an AS3 declaration fetches data from a URL. Ideally one could change the overall default setting in "class": "AS3" with something like "fetchAllowAnyCert": "true" (default "false", of course) and also change the setting on a per-request basis with something like
"url": {
"allowAnyCert": "true",
"url": "https://gitlab.xx.yy.zz/moad/moad-publish/raw/master/certs/star.f5bddemos.io.crt"
}
To make the latter work, each instance of "url" in the AS3 schema would become polymorphic: when the value is just a string, that string is the URL, and when the value is an object, that object contains the URL string and optionally a value for allowAnyCert, which would default to false. These changes would be easy to make because AS3's internal code for fetching stuff from URLs already has an option to allow any server cert (AS3 uses that option when talking to localhost iControl REST on a BIG-IP with a self-signed cert).
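The failure in the logs above and the two ways out of it, as an added example that is not AS3's code and not part of this thread. It is written in Go rather than Node.js so it can build its own HTTPS endpoint offline; the Node equivalents are the `ca` option (or `NODE_EXTRA_CA_CERTS`) for the trust-store fix and `rejectUnauthorized: false` for the "allow any cert" behaviour. Everything in it is constructed: the server uses the self-signed certificate that Go's `httptest` package ships with (issued for 127.0.0.1) and hands that certificate out as a PEM file, standing in for the GitLab host serving star.f5bddemos.io.crt. The default client fails with an unknown-authority error, the same class of failure as "unable to verify the first certificate"; adding the server's certificate to the client roots makes the fetch succeed with hostname and validity checks intact; `InsecureSkipVerify` also succeeds, but against any server at all.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewCertServer is a constructed stand-in for the GitLab host in the logs. It
// uses httptest's built-in self-signed certificate (issued for 127.0.0.1) and
// serves that certificate as a PEM file, the way the thread's URL serves
// star.f5bddemos.io.crt. Nothing here is AS3 code.
func NewCertServer() (srv *httptest.Server, certPEM []byte) {
	srv = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write(certPEM) // certPEM is filled in below, before any request arrives
	}))
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, certPEM
}

// Fetch is the GET an AS3-style URL fetcher performs, under a given client TLS
// config; nil means Go's defaults: system roots and full verification.
func Fetch(url string, cfg *tls.Config) ([]byte, error) {
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// IsUnknownAuthority reports whether a fetch failed for the reason in the
// thread's logs: the server's certificate chain does not lead to a trusted root.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// TrustStoreFix is the remedy Forrest recommends: add the issuing CA, or for a
// self-signed server a copy of its certificate, to the client's roots. Hostname
// and validity checks stay in force, so only that one server becomes trusted.
func TrustStoreFix(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificate found in PEM input")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// AllowAnyCert is what a proposed "allowAnyCert": true would amount to: the
// fetch accepts any certificate from anyone, so a host on the path can
// substitute the cert or key file the BIG-IP is about to install.
func AllowAnyCert() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true} // deliberately insecure, for contrast only
}

func main() {
	srv, certPEM := NewCertServer()
	defer srv.Close()
	_, err := Fetch(srv.URL, nil)
	fmt.Printf("default roots: unknown authority=%v (%v)\n", IsUnknownAuthority(err), err)
	cfg, _ := TrustStoreFix(certPEM)
	body, err := Fetch(srv.URL, cfg)
	fmt.Printf("server cert added to roots: err=%v, fetched %d bytes\n", err, len(body))
	body, err = Fetch(srv.URL, AllowAnyCert())
	fmt.Printf("allowAnyCert: err=%v, fetched %d bytes, server identity unchecked\n", err, len(body))
}
```

The difference between the last two runs is the point: with the trust-store fix a substituted certificate from another host still fails verification, whereas with `InsecureSkipVerify` (or `rejectUnauthorized: false` in Node) nothing about the peer is checked, and the fetched key or certificate is installed on the BIG-IP regardless of who served it.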
Here is a workaround: https://github.com/F5Networks/f5-appsvcs-extension/issues/170#issuecomment-554014096
Closing for inactivity. Furthermore, #170 has been completed.
Do you already have an issue opened with F5 support?
NA
ISSUE TYPE
AS3 BUILD/VERSION
BIGIP VERSION
SUMMARY
In cloud environments where automation is involved, using a network HSM solves the problem of having to store the private keys securely in a repository and accelerates the performance of a VE.
Additionally, when doing automation it is convenient to be able to download a cert from a URL, similarly to how a WAF policy is downloaded.