F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

AS3 Not honoring certificate profile setting changes #725

Closed k9themartian closed 1 year ago

k9themartian commented 1 year ago

Environment

Summary

For a Tenant re-deployment for a certificate profile change that updates which key/certificates to use, it would appear the request to update that certificate profile is not being honored. Nor are any error messages being generated to note a problem exists. F5: For specifics, see case number 00404319

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration to an already configured tenant. In this case changing from v1 to v2 of a CA based certificate:

    ...
                    "www.bobscheesehouse.com_certificate": {
                        "certificate": {
                            "bigip": "/Common/bobs-cheesehouse-muliti-san-v2"
                        },
                        "chainCA": {
                            "bigip": "/Common/EntrustL1Kchain.crt"
                        },
                        "class": "Certificate",
                        "privateKey": {
                            "bigip": "/Common/bobs-cheesehouse-muliti-san-v2"
                        },
                        "remark": "Bob's Cheesehouse Emporium SAN"
                    },
                    "www.bobscheesehouse.com_client_ssl": {
                        "certificates": [
                            {
                                "certificate": "www.bobscheesehouse.com_certificate",
                                "enabled": true
                            }
                        ],
                        "ciphers": "@STRENGTH:ECDHE+AES-GCM:ECDHE+AES+SHA384:ECDHE+AES+SHA256",
                        "class": "TLS_Server",
                        "remark": "Bob's Cheesehouse Emporium SAN",
                        "smtpsStartTLS": "require"
                    },
                    "enable": true,
                    "template": "shared"
                }
    ...
    }
  2. Observe that the BIGIP accepts the change, and does not give any errors towards it. However the running configuration of the BIGIP does not show the tenant's client-ssl profile as being updated from v1 to v2 of the certificate/key. This seems to be sporadic. We had Four (4) tenants that we adjusted last night and only 2 took the change. Three attempts later and we had one persistently not taking the change but eventually 3 of the 4 did.

Expected Behavior

After the declaration - we would expect to see in the running config of the F5 the client-ssl profile updated to use v2.

Actual Behavior

No actual change occurs. The V1 client/cert declarations remained. Sometimes it would update fine. Sometimes not. Re-running the same AS3 declaration sometimes gets the F5 BIGIP to adjust it.
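A post-deployment check of the kind this report calls for, as an added example that is not part of the issue or of the AS3 project's code: it resolves the TLS_Server's Certificate reference in the declaration to the BIG-IP cert/key/chain paths it declares and compares them with what the client-ssl profile currently carries. The ADC/Tenant/Application wrapper around the quoted objects (tenant cheese_proxy, application Shared), the two profile objects, and the `certKeyChain` field layout of an iControl REST client-ssl profile are constructed assumptions; the cert/key object names and chain are the ones from the declaration above.

```python
"""Added example: verify that a BIG-IP client-ssl profile references the
certificate/key an AS3 declaration asks for.  Not project code."""
import json

# Constructed input: the Certificate / TLS_Server objects from the report,
# wrapped in a minimal ADC -> Tenant -> Application structure (assumed names).
DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "cheese_proxy": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "enable": True,
            "www.bobscheesehouse.com_certificate": {
                "class": "Certificate",
                "certificate": {"bigip": "/Common/bobs-cheesehouse-muliti-san-v2"},
                "chainCA": {"bigip": "/Common/EntrustL1Kchain.crt"},
                "privateKey": {"bigip": "/Common/bobs-cheesehouse-muliti-san-v2"},
            },
            "www.bobscheesehouse.com_client_ssl": {
                "class": "TLS_Server",
                "certificates": [
                    {"certificate": "www.bobscheesehouse.com_certificate", "enabled": True}
                ],
            },
        },
    },
}

# Constructed profile objects in the shape assumed for an iControl REST
# GET of /mgmt/tm/ltm/profile/client-ssl/<name>: one still on v1, one on v2.
STALE_PROFILE = {
    "name": "www.bobscheesehouse.com_client_ssl",
    "certKeyChain": [{
        "name": "set0",
        "cert": "/Common/bobs-cheesehouse-muliti-san-v1.crt",
        "key": "/Common/bobs-cheesehouse-muliti-san-v1.key",
        "chain": "/Common/EntrustL1Kchain.crt",
    }],
}
UPDATED_PROFILE = {
    "name": "www.bobscheesehouse.com_client_ssl",
    "certKeyChain": [{
        "name": "set0",
        "cert": "/Common/bobs-cheesehouse-muliti-san-v2.crt",
        "key": "/Common/bobs-cheesehouse-muliti-san-v2.key",
        "chain": "/Common/EntrustL1Kchain.crt",
    }],
}


def _base(path):
    """Compare on the object name without a .crt/.key suffix: the AS3 reference
    omits it while the running profile may carry it (assumption about naming)."""
    for ext in (".crt", ".key"):
        if path.endswith(ext):
            return path[: -len(ext)]
    return path


def declared_cert_refs(declaration, tenant, app, tls_server):
    """(cert, key, chain) BIG-IP paths that TLS_Server `tls_server` should end up with."""
    application = declaration[tenant][app]
    refs = []
    for entry in application[tls_server].get("certificates", []):
        if not entry.get("enabled", True):
            continue
        cert = application[entry["certificate"]]
        if cert.get("class") != "Certificate" or "bigip" not in cert.get("certificate", {}):
            # Inline PEM certificates are created by AS3 under the tenant; not handled here.
            raise ValueError(f"{entry['certificate']} is not a bigip-referenced Certificate")
        refs.append((
            _base(cert["certificate"]["bigip"]),
            _base(cert["privateKey"]["bigip"]),
            _base(cert.get("chainCA", {}).get("bigip", "")),
        ))
    return refs


def running_cert_refs(profile):
    """(cert, key, chain) triples currently configured on the client-ssl profile."""
    out = []
    for ckc in profile.get("certKeyChain", []):
        chain = ckc.get("chain", "")
        out.append((_base(ckc.get("cert", "")), _base(ckc.get("key", "")),
                    "" if chain in ("", "none") else _base(chain)))
    return out


def profile_drift(declaration, tenant, app, tls_server, profile):
    """Declared triples missing from the running profile; an empty list means converged."""
    running = set(running_cert_refs(profile))
    return [r for r in declared_cert_refs(declaration, tenant, app, tls_server)
            if r not in running]


if __name__ == "__main__":
    for label, prof in (("stale", STALE_PROFILE), ("updated", UPDATED_PROFILE)):
        drift = profile_drift(DECLARATION, "cheese_proxy", "Shared",
                              "www.bobscheesehouse.com_client_ssl", prof)
        print(label, "converged" if not drift else "DRIFT: " + json.dumps(drift))
```

Run against the real device by replacing the two constructed profile objects with the JSON returned for the tenant's client-ssl profile; a non-empty drift list after a successful-looking POST is exactly the silent failure described in this report.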

k9themartian commented 1 year ago

While not totally related, we noticed that one of the other servers was having a similar problem. We turned the log level up and found that the actual problem was the reported error was in the wrong level for errors. It was in info instead. So perhaps the issue is whatever is causing the problem is reporting it but at a log level different than error or above. We will modify our template to include the following:

    "logLevel": "info",
    "trace": false,

Example of the log we found where the error was reported as info - and as such our template decided in GIT that all was fine after deployment:

Wed, 10 May 2023 16:53:11 GMT - warning: [appsvcs] {"message":"unable to digest declaration. Error: Unable to find /Common/dns_resolver for /cheese_proxy/Shared/explicit_proxy_http_profile/resolver","level":"warning"}
Wed, 10 May 2023 16:53:11 GMT - info: [appsvcs] {"message":"Error: Unable to find /Common/dns_resolver for /cheese_proxy/Shared/explicit_proxy_http_profile/resolver","level":"info"}
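A small log check of the sort this comment motivates, as an added example that is not part of the issue or of AS3: it parses `[appsvcs]` log lines of the format quoted above, decodes the JSON payload, and flags any record whose message carries an error text regardless of the line's own log level, so a pipeline that only grepped for `error:` lines would no longer miss them. The first two sample lines are the ones quoted in this comment; the third, benign line is constructed.

```python
"""Added example: surface AS3 errors that are logged below the 'error' level.
Not project code."""
import json
import re

# Line shape seen in the report: "<timestamp> - <level>: [appsvcs] <json payload>"
LINE_RE = re.compile(r"^(?P<ts>.+?) - (?P<level>[a-z]+): \[appsvcs\] (?P<body>\{.*\})\s*$")

# Message texts that indicate a failed declaration even when the level is info/warning.
ERROR_PATTERNS = (
    re.compile(r"\bError\b"),
    re.compile(r"unable to digest declaration", re.IGNORECASE),
)

# Sample input: the two lines quoted above plus one constructed benign line.
SAMPLE_LINES = [
    'Wed, 10 May 2023 16:53:10 GMT - info: [appsvcs] {"message":"Request received","level":"info"}',
    'Wed, 10 May 2023 16:53:11 GMT - warning: [appsvcs] {"message":"unable to digest declaration. '
    'Error: Unable to find /Common/dns_resolver for /cheese_proxy/Shared/explicit_proxy_http_profile/resolver","level":"warning"}',
    'Wed, 10 May 2023 16:53:11 GMT - info: [appsvcs] {"message":"Error: Unable to find /Common/dns_resolver '
    'for /cheese_proxy/Shared/explicit_proxy_http_profile/resolver","level":"info"}',
]


def parse_line(line):
    """Return {'ts', 'level', 'message'} for an [appsvcs] line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        # Payload is not JSON; keep the raw text so the pattern check still sees it.
        body = {"message": m.group("body")}
    return {"ts": m.group("ts"), "level": m.group("level"),
            "message": str(body.get("message", ""))}


def find_hidden_errors(lines):
    """Records that are errors by level OR by message text, whatever their level."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_level = rec["level"] in ("error", "critical")
        by_text = any(p.search(rec["message"]) for p in ERROR_PATTERNS)
        if by_level or by_text:
            findings.append(rec)
    return findings


def deployment_clean(lines):
    """True only if no error-bearing record appears; use this as the pipeline gate."""
    return not find_hidden_errors(lines)


if __name__ == "__main__":
    for rec in find_hidden_errors(SAMPLE_LINES):
        print(f"{rec['level']:>8}: {rec['message']}")
    print("clean" if deployment_clean(SAMPLE_LINES) else "deployment reported errors")
```

Feed it the lines logged during the declaration POST; with the template's logLevel set to info as described above, both the warning and the info copies of the message are caught.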
sunitharonan commented 1 year ago

Closing this case as parent SR case 00404319 has been closed. Thanks.