F5Networks / terraform-provider-bigip

Terraform resources that can configure F5 BIG-IP products
https://registry.terraform.io/providers/F5Networks/bigip/latest/docs
Mozilla Public License 2.0

Cannot assign non-RSA (ECC) certificate and key to client ssl profile #839

Open gliwka opened 1 year ago

gliwka commented 1 year ago

Environment

Summary

I'm trying to use Terraform to create client-ssl profiles like this:

variable "tls_domains_dev" {
  type    = list(string)
  default = ["example.com", "example.org"]
}

resource "bigip_ltm_profile_client_ssl" "client_ssl_dev" {
  for_each      = toset(var.tls_domains_dev)
  name          = "/Common/${each.key}"
  defaults_from = "/Common/company-default"
  key           = "/Common/auto_le_${each.key}.key"
  cert          = "/Common/auto_le_${each.key}.crt"
}

When I use RSA certificates/keys, everything works fine. However, when I attempt the same with ECC certificates, it fails with the following error message:

 Error: HTTP 400 :: {"code":400,"message":"01b40029:3: Client SSL profile (/Common/example.org): /Common/example.org.key is not RSA key. To add non-RSA cert/key, please use [cert-key-chain add].","errorStack":[],"apiError":3}
│ 
│   with bigip_ltm_profile_client_ssl.client_ssl_dev["example.org"],
│   on dev.tf line 47, in resource "bigip_ltm_profile_client_ssl" "client_ssl_dev":
│   47: resource "bigip_ltm_profile_client_ssl" "client_ssl_dev" {

It works using the WebUI, but fails with the Terraform provider.

Expected Behavior

RSA keys and ECC keys behave the same. From a user perspective, there should be no difference in using this provider.

Actual Behavior

Terraform fails to apply the changes with the error above.
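A pre-flight check for the failure reported above, as an added example that is not part of the issue or of the provider's code: it classifies PEM private keys as RSA or EC before `terraform apply`, so the profiles that would hit the "is not RSA key" error are known in advance. The function names are hypothetical, the sample keys are constructed PKCS#8 shells with filler bytes, and it assumes the key files are available locally before upload to the BIG-IP.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
EC_OID = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey, 1.2.840.10045.2.1
OIDS = {RSA_OID: "RSA", EC_OID: "EC"}

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def key_algorithm(pem):
    """Classify a PEM private key as 'RSA', 'EC' or 'unknown'."""
    m = re.search(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM private key found")
    label = m.group(1).strip()
    if label in ("RSA", "EC"):   # PKCS#1 / SEC1: the PEM label names the type
        return label
    if label:                    # e.g. ENCRYPTED: type is not readable here
        return "unknown"
    der = base64.b64decode("".join(m.group(2).split()))
    _, info, _ = _tlv(der, 0)    # PKCS#8 PrivateKeyInfo SEQUENCE
    _, _, pos = _tlv(info, 0)    # version INTEGER
    _, alg, _ = _tlv(info, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg, 0)   # algorithm OBJECT IDENTIFIER
    return OIDS.get(oid, "unknown") if tag == 0x06 else "unknown"

def non_rsa_keys(keys):
    """Names of keys not identified as RSA (the class the 01b40029 error rejects)."""
    return sorted(name for name, pem in keys.items() if key_algorithm(pem) != "RSA")

def constructed_pkcs8(oid):
    """Build a PKCS#8 shell with filler key bytes (constructed, not a real key)."""
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x02\x01\x00\x30" + bytes([len(alg)]) + alg + b"\x04\x02\x00\x00"
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"

# Constructed sample input; file names follow the auto_le_<domain>.key pattern above.
SAMPLE = {
    "auto_le_example.com.key": constructed_pkcs8(RSA_OID),
    "auto_le_example.org.key": constructed_pkcs8(EC_OID),
}
```

Calling `non_rsa_keys(SAMPLE)` returns the key names whose profiles would need the cert-key-chain path named in the error message.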

pgouband commented 1 year ago

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1254.