F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

wildcard cn not allowed as hostname #825

Closed adpuser98 closed 2 weeks ago

adpuser98 commented 2 months ago

Environment

Summary

We want to migrate a server-ssl profile from TMOS to AS3.

TMOS config:

    ltm profile server-ssl wildcard.test.si.global.amadeus.net_serverssl {
        app-service none
        authenticate-name *.test.si.global.amadeus.net
        ca-file /Common/Amadeus_Root_CA_1_root
        defaults-from /Common/serverssl
        peer-cert-mode require
    }

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:

    
    {
        "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
        "class": "AS3",
        "action": "dry-run",
        "persist": true,
        "declaration": {
            "class": "ADC",
            "schemaVersion": "3.45.0",
            "id": "urn:uuid:61951a86-28cd-4e8e-acd1-8214c0040874",
            "label": "Converted Declaration",
            "remark": "Generated by Automation Config Converter",
            "Common": {
                "class": "Tenant",
                "Shared": {
                    "class": "Application",
                    "template": "shared",
                    "wildcard.test.si.global.amadeus.net_serverssl": {
                        "serverName": "*.test.si.global.amadeus.net",
                        "validateCertificate": true,
                        "trustCA": {
                            "bigip": "/Common/Amadeus_Root_CA_1_root"
                        },
                        "class": "TLS_Client",
                        "tls1_0Enabled": false,
                        "tls1_1Enabled": false,
                        "tls1_2Enabled": true,
                        "tls1_3Enabled": false,
                        "singleUseDhEnabled": false,
                        "insertEmptyFragmentsEnabled": true
                    }
                }
            }
        }
    }
  2. Observe the following error response:

    
    {
        "id": "1e7bb3bf-cf6f-4bcb-a8f3-8336756e48ba",
        "results": [
            {
                "code": 422,
                "errors": [
                    "/Common/Shared/wildcard.test.si.global.amadeus.net_serverssl/serverName: should match format \"hostname\""
                ],
                "declarationFullId": "",
                "message": "declaration is invalid",
                "declarationId": "urn:uuid:61951a86-28cd-4e8e-acd1-8214c0040874"
            }
        ],
        "declaration": {}
    }

Expected Behavior

The server-ssl profile should be created with the wildcard domain name, since this is a valid option for certificates.

Actual Behavior

The * in the domain name is not permitted.

mdditt2000 commented 2 weeks ago

@adpuser98 I would like to look into this issue tomorrow. Do you have some time for a Zoom call? Please email me at automation_toolchain_pm@f5.com

adpuser98 commented 2 weeks ago

Hello Mark, I checked this yesterday with one of the guys from F5 professional services. They mentioned that * is not allowed in AS3 code. So in order to go ahead we will add the FQDN "wildcard.test.si.global.amadeus.net" to the certificate SAN field and change the server name to this value. This will solve our issue without having to wait for a possible code change.

adpuser98 commented 2 weeks ago

Workaround applied.
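
The 422 above is the JSON Schema `format: "hostname"` check on `serverName`, and the thread's workaround swaps the wildcard for a literal name that the check accepts. The script below is an added example, not code from f5-appsvcs-extension or from anyone in this thread. It assumes that AS3's "hostname" format is an RFC 1123 hostname (letters, digits and hyphens per label, so `*` can never pass); the regex is modelled on that rule and is not the project's own schema code. It runs a pre-flight check over a constructed declaration mirroring the one in the issue, reproduces the error string from the issue for the wildcard and an empty result for the workaround name, and then uses an RFC 6125-style matcher (an illustration, not a model of how BIG-IP evaluates `authenticate-name`) to show how the set of names covered changes when `*.test.si.global.amadeus.net` becomes `wildcard.test.si.global.amadeus.net`:

```python
"""Pre-flight check for AS3 TLS_Client.serverName values.

Added example, not code from the f5-appsvcs-extension project.
Assumption: AS3 validates serverName with JSON Schema `format: "hostname"`,
i.e. an RFC 1123 hostname, which has no place for '*'. _HOSTNAME_RE below
is modelled on that rule and is not the project's own schema code.
"""
import re

# RFC 1123 hostname: 1-63 char labels of letters, digits and hyphens that do
# not start or end with a hyphen, dot-separated, at most 253 chars overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}\.?$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?$",
    re.IGNORECASE,
)


def is_rfc1123_hostname(name: str) -> bool:
    """True if `name` would pass a JSON Schema "hostname" format check."""
    return bool(_HOSTNAME_RE.match(name))


def find_tls_client_names(node, path=""):
    """Walk an ADC declaration and return (json_pointer, serverName) for
    every object of class TLS_Client that sets serverName."""
    found = []
    if isinstance(node, dict):
        if node.get("class") == "TLS_Client" and "serverName" in node:
            found.append((f"{path}/serverName", node["serverName"]))
        for key, child in node.items():
            found.extend(find_tls_client_names(child, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            found.extend(find_tls_client_names(child, f"{path}/{i}"))
    return found


def preflight(adc_declaration) -> list:
    """Return ajv-style error strings for serverName values AS3 would reject
    with 422, so the problem is caught before anything is posted to a BIG-IP."""
    return [
        f'{ptr}: should match format "hostname"'
        for ptr, name in find_tls_client_names(adc_declaration)
        if not is_rfc1123_hostname(name)
    ]


def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID comparison: '*' may stand only for the whole
    leftmost label and matches exactly one label. Shows what name coverage
    changes when the wildcard is replaced by a literal SAN; this is not a
    model of how BIG-IP evaluates authenticate-name."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def make_declaration(server_name: str) -> dict:
    """Constructed ADC declaration mirroring the one in the issue, with the
    TLS_Client serverName parameterised (sample input, not a real tenant)."""
    return {
        "class": "ADC",
        "schemaVersion": "3.45.0",
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "wildcard.test.si.global.amadeus.net_serverssl": {
                    "class": "TLS_Client",
                    "serverName": server_name,
                    "validateCertificate": True,
                    "trustCA": {"bigip": "/Common/Amadeus_Root_CA_1_root"},
                },
            },
        },
    }


ISSUE_DECLARATION = make_declaration("*.test.si.global.amadeus.net")
WORKAROUND_DECLARATION = make_declaration("wildcard.test.si.global.amadeus.net")

if __name__ == "__main__":
    print(preflight(ISSUE_DECLARATION))       # one "hostname" error, as in the issue
    print(preflight(WORKAROUND_DECLARATION))  # []
    for host in ("api.test.si.global.amadeus.net", "wildcard.test.si.global.amadeus.net"):
        print(host,
              wildcard_matches("*.test.si.global.amadeus.net", host),
              wildcard_matches("wildcard.test.si.global.amadeus.net", host))
```

The pre-flight reproduces the exact pointer and message from the issue's 422 for the wildcard and passes the literal name cleanly. The matcher makes the trade-off of the workaround visible: in this model the literal name matches only itself, so every backend certificate behind the profile must carry that SAN, whereas the wildcard pattern, had the schema accepted it, would have covered any single-label host under test.si.global.amadeus.net but not deeper names such as a.b.test.si.global.amadeus.net.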