citrix / terraform-provider-citrixadc

Part of NetScaler Automation Toolkit | https://github.com/netscaler/automation-toolkit
https://registry.terraform.io/providers/citrix/citrixadc
Apache License 2.0

[Question]: How to use `citrixadc_sslcertfile` resource #1136

Closed joachimBurket closed 6 months ago

joachimBurket commented 6 months ago

Hi,

Sorry if it's not the way to ask a question about the provider, I couldn't find how to do it.

I'm trying to upload my certificate file, using citrixadc_sslcertfile resource, but I'm not sure how it works.

I put the certificates in a certificates folder in my repository, and try to create a sslcertfile with:

resource "citrixadc_sslcertfile" "my_cert" {
  name = "my_cert_2024"
  src = "local://certificates/my_cert_2024.cer"
}

But I got the following error while trying to create the resource:

│ Error: [ERROR] nitro-go: Failed to apply action on resource of type sslcertfile,  action=import err=failed: 599 Netscaler specific error ({ "errorcode": 3206, "message": "Problem in importing the object. Please check the DNS NameServer\/Route settings and try again. For more details see \/var\/log\/ns.log file", "severity": "ERROR" })
│ 
│   with citrixadc_sslcertfile.my_cert_2024,
│   on main.tf line 14, in resource "citrixadc_sslcertfile" "my_cert_2024":
│   14: resource "citrixadc_sslcertfile" "my_cert_2024" {

Citrix ADC version: NS14.1 17.38.nc
OS Version: RHEL 9.3
Terraform version: v1.6.2
Citrix ADC provider version: v1.37.0

sumanth-lingappa commented 6 months ago

Hello @joachimBurket, thank you for posting your question here. This is the right way to ask/discuss something related to this provider.

In NetScaler terms, local: means the /var/tmp/ directory.

If you say local://certificates/my_cert_2024.cer, that means the NetScaler will look for the my_cert_2024.cer file in the /var/tmp/certificates/ directory on the NetScaler.

The double slash // after local: is not mandatory. Meaning local:, local:/, local:// all mean the same.

Pro tip: If you have the certificate file in your local system, you can use the [systemfile](https://registry.terraform.io/providers/citrix/citrixadc/latest/docs/resources/systemfile) resource to copy the .cer to the /var/tmp/certificates/ directory first.

For more reference, you can find the below example used in the netscaler.adc ansible collection https://github.com/netscaler/ansible-collection-netscaleradc/blob/main/examples/sslcertfile.yaml

joachimBurket commented 6 months ago

Hi @sumanth-lingappa ! Thanks for your quick answer!

Is it possible to directly upload the certificate to /nsconfig/ssl, and then use it in a citrixadc_sslcertkey, or do I need to pass by a citrixadc_sslcertfile?

For example, can I do the following?

resource "citrixadc_systemfile" "my_cert_2024_cer" {
  filename = "my_cert_2024.cer"
  filelocation = "/nsconfig/ssl"
  filecontent = file("${path.module}/certificates/my_cert_2024.cer")
}

resource "citrixadc_systemfile" "my_cert_2024_key" {
  filename = "my_cert_2024.key"
  filelocation = "/nsconfig/ssl"
  filecontent = file("${path.module}/certificates/my_cert_2024.key")
}

resource "citrixadc_sslcertkey" "my_cert" {
  certkey = "my_cert"
  cert = "/nsconfig/ssl/my_cert_2024.cer"
  key = "/nsconfig/ssl/my_cert_2024.key"
  expirymonitor = "DISABLED"
}

sumanth-lingappa commented 6 months ago

Yes, you can directly upload the certificate to /nsconfig/ssl using the citrixadc_systemfile resource and use the citrixadc_sslcertkey resource.

You don't need to mention /nsconfig/ssl/ in cert and key parameter if the .cer and .key files are in /nsconfig/ssl directory. The NetScaler by default will look for these files in /nsconfig/ssl directory.

So your simplified resource looks like

resource "citrixadc_sslcertkey" "my_cert" {
  certkey = "my_cert"
  cert = "my_cert_2024.cer"
  key = "my_cert_2024.key"
  expirymonitor = "DISABLED"
}
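
Putting the two answers above together, here is an added example (not from the issue thread or the provider's own docs) that shows both routes: staging the files with citrixadc_systemfile for citrixadc_sslcertkey, and staging under /var/tmp so that the local: path of citrixadc_sslcertfile resolves. It assumes the files sit in ./certificates/ next to the module and that /var/tmp/certificates already exists on the appliance.

```hcl
# Route A: copy .cer and .key into /nsconfig/ssl, then reference them by bare
# filename, which the NetScaler resolves relative to /nsconfig/ssl.
resource "citrixadc_systemfile" "my_cert_2024_cer" {
  filename     = "my_cert_2024.cer"
  filelocation = "/nsconfig/ssl"
  filecontent  = file("${path.module}/certificates/my_cert_2024.cer")
}

resource "citrixadc_systemfile" "my_cert_2024_key" {
  filename     = "my_cert_2024.key"
  filelocation = "/nsconfig/ssl"
  # sensitive() only redacts plan/apply output; the private key is still written
  # to terraform.tfstate in clear text, so the state backend needs protecting.
  filecontent = sensitive(file("${path.module}/certificates/my_cert_2024.key"))
}

resource "citrixadc_sslcertkey" "my_cert" {
  certkey       = "my_cert"
  cert          = "my_cert_2024.cer"
  key           = "my_cert_2024.key"
  expirymonitor = "DISABLED"

  # Ensure both files are on the appliance before the certkey is created.
  depends_on = [
    citrixadc_systemfile.my_cert_2024_cer,
    citrixadc_systemfile.my_cert_2024_key,
  ]
}

# Route B: keep citrixadc_sslcertfile. Its local: scheme is resolved under
# /var/tmp on the NetScaler, so the file must be staged there first; this is
# the step the original configuration was missing.
resource "citrixadc_systemfile" "staged_cer" {
  filename     = "my_cert_2024.cer"
  filelocation = "/var/tmp/certificates" # assumed to exist on the appliance
  filecontent  = file("${path.module}/certificates/my_cert_2024.cer")
}

resource "citrixadc_sslcertfile" "my_cert_file" {
  name       = "my_cert_2024"
  src        = "local:certificates/my_cert_2024.cer"
  depends_on = [citrixadc_systemfile.staged_cer]
}
```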

joachimBurket commented 6 months ago

Thanks again, this is working as expected :)