search

colin-stubbs / dehydrated-bigip

F5 BIG-IP hook for dehydrated based Let's Encrypt interactions
GNU General Public License v3.0
10 stars 1 forks source link

Certs renewed locally; but not pushing to LTMs #9

Open hildebrau opened 5 years ago

hildebrau commented 5 years ago

I noticed my certs are showing new expiration dates on our F5 LTM. These two obfuscated certs show "Nov 29, 2018" as the expiration on the LTM. What am I missing? The script originally placed the certs on there just fine; but it doesn't seem to be able to update them.

I manually ran the dehydrated cronjob command:

# test -s /etc/dehydrated/config && test -s /etc/dehydrated/domains.txt && /usr/bin/dehydrated --cron --hook /etc/dehydrated/hooks/dehydrated-bigip-dns-01
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
Processing blahpro.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jan 29 05:10:43 2019 GMT (Longer than 30 days). Skipping renew!
Processing blahconfigservice.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jan 29 05:11:23 2019 GMT (Longer than 30 days). Skipping renew!

As you can see, it thinks the certs are valid until Jan 29, 2019; so it has nothing to do. Somewhere along the line it forgot to update the LTM. I have until 11/29 before this blows up on me.

Please point me in the right direction. I'll keep digging as time permits and will update this ticket if I make any progress.

Thank you!

hildebrau commented 5 years ago

So, I just did a cat on /etc/dehydrated/certs/blahconfigservice.domain.com/cert.pem And "imported" that into the LTM by pasting it into the dialog box. That seemed to renew it through January.

I couldn't "debug" why it couldn't automate that step since the script just sees the cert is already renewed, so it doesn't seem to attempt to update the LTM. I'll have to catch it on the fly.

Are there execution logs saved somewhere from these cronjobs?

Sander-agfa commented 5 years ago

Execurtion logs are saved in /var/log/dehydrated-bigip*.log You might find some clues there why the upload failed. You can redeploy the certificates by using the "dehydrated-bigip-redeploy-traffic-certificate" hook in stead of the "dehydrated-bigip-deploy-traffic-certificate".

Actually checking the cert uploaded on the F5 in that hook might be a good idea, so you can always use this hook and then only re-upload if the cert is not properly installed on the F5. Will see if we can program this in.

Sander-agfa commented 5 years ago

The latest commit in #10 fixes this. the "redeploy" can be scheduled now too, without creating too much overhead. this mitigates issues where a deployment fails due to a temporary error.

hildebrau commented 5 years ago

@Sander-agfa : I just cloned this project from your repo, so I believe I have all of your latest commits. I'm still having an issue where the /etc/dehydrated/certs/ has updated certs (from March 6th), but my F5 is refusing the updates.

The REST call to upload the cert to /var/config/rest/downloads/ on the F5 works. The file gets there.

Then the next step to install it runs via something like this:

/usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user 'user:password' https://f5host.name.com/mgmt/tm/sys/crypto/cert -X POST -d '{ "command": "install", "name": "/Common/example.domain.com.crt", "from-local-file": "/var/config/rest/downloads/example.domain.com.crt" }'

The F5 responds with: {"code":404,"message":"The requested cert(/Common/example.domain.com.crt) already exists in this scope.","errorStack":[]}

It's like we need to use a "modify" command instead of an "install" command.

I didn't quite understand what you changed and whether it should fix this problem or not. Perhaps I'm in a unique state where the cert was downloaded successfully with the older branch and then your branch can't kick it in gear properly?

Thank you!

hildebrau commented 5 years ago

@Sander-agfa As mentioned previously, I cloned your master version. I've been trying to debug it.

I added set -x to line 3 of dehydrated-bigip-redeploy-traffic-certificate

I set the dehydrated-bigip-hookscript to use lexicon and to use dehydrated-bigip-redeploy-traffic-certificate. I didn't see any updated documentation about this new script of yours; but I assumed some things here.

I then ran this: bash -x /usr/bin/dehydrated --cron --hook /etc/dehydrated/hooks/dehydrated-bigip-hookscript

It ended with this (after I removed some sed escape back slashes that I mentioned in a comment in your code diffs):

++++ echo '{"kind":"tm:ltm:profile:client-ssl:client-sslstate","name":"example.domain.com","partition":"Common","fullPath":"/Common/example.domain.com","generation":174742,"selfLink":"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~example.domain.com?ver=11.6.2","alertTimeout":"10","allowNonSsl":"disabled","authenticate":"once","authenticateDepth":9,"cacheSize":262144,"cacheTimeout":3600,"cert":"/Common/example.domain.com.crt","certExtensionIncludes":["basic-constraints","subject-alternative-name"],"certLifespan":30,"certLookupByIpaddrPort":"disabled","chain":"/Common/example.domain.com-CHAIN.crt","ciphers":"DEFAULT","defaultsFrom":"/Common/clientssl","forwardProxyBypassDefaultAction":"intercept","genericAlert":"enabled","handshakeTimeout":"10","inheritCertkeychain":"false","key":"/Common/example.domain.com.key","maxRenegotiationsPerMinute":5,"modSslMethods":"disabled","mode":"enabled","tmOptions":["dont-insert-empty-fragments"],"peerCertMode":"ignore","peerNoRenegotiateTimeout":"10","proxySsl":"disabled","proxySslPassthrough":"disabled","renegotiateMaxRecordDelay":"indefinite","renegotiatePeriod":"indefinite","renegotiateSize":"indefinite","renegotiation":"enabled","retainCertificate":"true","secureRenegotiation":"require","serverName":"example.domain.com","sessionMirroring":"disabled","sessionTicket":"disabled","sniDefault":"false","sniRequire":"false","sslForwardProxy":"disabled","sslForwardProxyBypass":"disabled","sslSignHash":"any","strictResume":"disabled","uncleanShutdown":"enabled","certKeyChain":[{"name":"example.domain.com_example.domain.com-CHAIN","cert":"/Common/example.domain.com.crt","chain":"/Common/example.domain.com-CHAIN.crt","key":"/Common/example.domain.com.key"}]}'
++++ jsonq '["certReference"]["link"]'
++++ python -c 'import sys,json; input=json.load(sys.stdin); print input["certReference"]["link"]'
++++ sed -E -s 's|https://[a-zA-Z0-9\-\.]*/mgmt/|/|'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
KeyError: 'certReference'
+++ CERTLINK=
+++ log 'getClientSSLProfile() CERTLINK: '
++++ date +%m/%d/%Y:%H:%M:%S
+++ echo '03/10/2019:14:43:15 getClientSSLProfile() CERTLINK: '
++++ echo x
+++ '[' x '!=' x ']'
+++ log 'SSL cert link not found, return empty'
++++ date +%m/%d/%Y:%H:%M:%S
+++ echo '03/10/2019:14:43:15 SSL cert link not found, return empty'
+++ return 2
++ REMOTEHASH=
+ remove_lock
+ rm -f /run/dehydrated/lock

It looks like my current cert has no serial number or certReference/link. It just returns 2 and exits. How do you envision this working when this doesn't exist yet? What would make it exist?

Thank you!

Sander-agfa commented 5 years ago

Hello @hildebrau, thanks for the feedback. I had indeed not gotten round yet to writing the documentation for this, that's next on the list. Have not run into this bug above yet, will try to look into it later today or tomorrow to see how I can reproduce and remedy this in the code. I'll check back if I need more info.

Sander-agfa commented 5 years ago

@hildebrau just another thought: What version of LTM are you running? Maybe this is a difference in API between versions.

hildebrau commented 5 years ago

I'm currently running BIG-IP 11.6.2 Build 1.0.507 Hotfix HF1. I've had a terrible time finding appropriate documentation for the iControl REST API that these scripts are utilizing.

I'm obviously interested in getting to the bottom of this. Preferably before my cert expires again in early April. ;)

Sander-agfa commented 5 years ago

We're running BIG-IP 12.1.3.7 so that might explain the difference. It does have a reference to the "cert", so i'll try to see if that can be caught and used.

As for finding API documentation: I also had no luck ;) It was just trial and error for me, testing on a dev F5 unit to just try and see what you can get :( ;)

Sander-agfa commented 5 years ago

Then the next step to install it runs via something like this:

/usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user 'user:password' https://f5host.name.com/mgmt/tm/sys/crypto/cert -X POST -d '{ "command": "install", "name": "/Common/example.domain.com.crt", "from-local-file": "/var/config/rest/downloads/example.domain.com.crt" }'

The F5 responds with: {"code":404,"message":"The requested cert(/Common/example.domain.com.crt) already exists in this scope.","errorStack":[]}

It's like we need to use a "modify" command instead of an "install" command.

The v12 version of BIG-IP updates the certs without issue as long as the key is the same, don't have a v11 unit here to test this against.

What might be a fix for you is renaming the certificates with a timestamp. If you look in your conf.d file where you also configure the F5 hostnames etc, have you configured timestamping?

Perhaps consider setting it to 1 to try if this works and circumvents the issue? TIMESTAMP_NAME='1'

hildebrau commented 5 years ago

I added timestamp setting and ran the hook script again but no noticable change in behavior.

The cert query from the F5 returns json, but no mention of the certlink. Unless that's the URL to the cert? Is it looking for a thumbnail/serial or what?

Sander-agfa commented 5 years ago

The certlink in v12 is indeed a link to the certificate, so it can get the serial number. But this has nothing to do with the " already exists in this scope" error, that seems like a totally different API in v11, was hoping the timestamp would fix that :)

Sander-agfa commented 5 years ago

@hildebrau, as I don't have access to a v11 system, can you provide some output from yours? There are two issues at play here:

1) v11 doesn't seem to have the "certlink" reference in its response. Is only needed for checking the current deplyment, and not needed for rollout. Can be fixed, but will not help you ultimately.

2) if you have the timestamping in the filename on, the script should try to upload the file with a different filename. Can you comment out the "return 2" statement in the "getCurrentCertSerialNumber" function (in common) for now, and post some output on how that looks like now? That should normally work, as the rollout is the same as the initial one.

hildebrau commented 5 years ago

Sorry for the delay. I still have bash debugs enabled, and I added a "echo skipping" in front of the "return 2" line that you requested that I comment out.

Here is the entire obfuscated output. Sorry for the length.

[root@corpadmin3 hooks]# 
[root@corpadmin3 hooks]# bash -x /usr/bin/dehydrated --cron --hook /etc/dehydrated/hooks/dehydrated-bigip-hookscript
+ set -e
+ set -u
+ set -o pipefail
+ [[ -n '' ]]
+ [[ -z '' ]]
+ shopt -s nullglob
+ set -f
+ umask 077
+ exec
+ exec
+ VERSION=0.6.2
+ SOURCE=/usr/bin/dehydrated
+ '[' -h /usr/bin/dehydrated ']'
+++ dirname /usr/bin/dehydrated
++ cd -P /usr/bin
++ pwd
+ SCRIPTDIR=/usr/bin
+ BASEDIR=/usr/bin
+ ORIGARGS='--cron --hook /etc/dehydrated/hooks/dehydrated-bigip-hookscript'
++ uname
+ OSTYPE=Linux
+ [[ ! '' = \N\O\O\P ]]
+ main --cron --hook /etc/dehydrated/hooks/dehydrated-bigip-hookscript
+ COMMAND=
+ [[ -z --cron --hook /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ ((  3  ))
+ case "${1}" in
+ set_command sign_domains
+ [[ -z '' ]]
+ COMMAND=sign_domains
+ shift 1
+ ((  2  ))
+ case "${1}" in
+ shift 1
+ check_parameters /etc/dehydrated/hooks/dehydrated-bigip-hookscript
+ [[ -z /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ [[ / = \- ]]
+ PARAM_HOOK=/etc/dehydrated/hooks/dehydrated-bigip-hookscript
+ shift 1
+ ((  0  ))
+ case "${COMMAND}" in
+ command_sign_domains
+ init_system
+ load_config
+ [[ -z '' ]]
+ for check_config in '"/etc/dehydrated"' '"/usr/local/etc/dehydrated"' '"${PWD}"' '"${SCRIPTDIR}"'
+ [[ -f /etc/dehydrated/config ]]
+ BASEDIR=/etc/dehydrated
+ CONFIG=/etc/dehydrated/config
+ break
+ CA=https://acme-v02.api.letsencrypt.org/directory
+ OLDCA=
+ CERTDIR=
+ ACCOUNTDIR=
+ CHALLENGETYPE=http-01
+ CONFIG_D=
+ CURL_OPTS=
+ DOMAINS_D=
+ DOMAINS_TXT=
+ HOOK=
+ HOOK_CHAIN=no
+ RENEW_DAYS=30
+ KEYSIZE=4096
+ WELLKNOWN=
+ PRIVATE_KEY_RENEW=yes
+ PRIVATE_KEY_ROLLOVER=no
+ KEY_ALGO=rsa
+ OPENSSL=openssl
+ OPENSSL_CNF=
+ CONTACT_EMAIL=
+ LOCKFILE=
+ OCSP_MUST_STAPLE=no
+ OCSP_FETCH=no
+ IP_VERSION=
+ CHAINCACHE=
+ AUTO_CLEANUP=no
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
+ API=auto
+ [[ -z /etc/dehydrated/config ]]
+ [[ -f /etc/dehydrated/config ]]
+ echo '# INFO: Using main config file /etc/dehydrated/config'
# INFO: Using main config file /etc/dehydrated/config
++ dirname /etc/dehydrated/config
+ BASEDIR=/etc/dehydrated
+ . /etc/dehydrated/config
++ CHALLENGETYPE=dns-01
++ CONFIG_D=/etc/dehydrated/conf.d
++ HOOK=/etc/dehydrated/hooks/dehydrated-bigip-hookscript
++ PRIVATE_KEY_RENEW=no
++ CONTACT_EMAIL=my@email.com
++ LOCKFILE=/run/dehydrated/lock
+ [[ -n /etc/dehydrated/conf.d ]]
+ [[ ! -d /etc/dehydrated/conf.d ]]
+ [[ -n '' ]]
+ set +f
+ for check_config_d in '"${CONFIG_D}"/*.sh'
+ [[ -f /etc/dehydrated/conf.d/local.sh ]]
+ [[ -r /etc/dehydrated/conf.d/local.sh ]]
+ echo '# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh'
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
+ . /etc/dehydrated/conf.d/local.sh
++ unset proxy
++ unset http_proxy
++ unset https_proxy
++ unset ftp_proxy
++ unset no_proxy
++ BIGIP_DEVICE_LIST=bigip1.example.com
++ BIGIP_USERNAME=admin
++ BIGIP_PASSWORD='pwremoved'
++ BIGIP_PARTITION=Common
++ BIGIP_CLIENT_SSL_MANAGE=1
++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++ TIMESTAMP_NAME=1
++ OCSP_STAPLE=1
++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++ BIGIP_SAVE_CONFIG=1
++ LEXICON_PROVIDER=nsone
++ LEXICON_ARGS='--auth-token tokenremoved'
+ [[ -n '' ]]
+ set -f
+ [[ -n '' ]]
+ [[ -n '' ]]
+ check_dependencies
+ openssl version
+ _sed ''
+ command -v grep
+ command -v mktemp
+ command -v diff
+ set +e
++ curl -V
++ head -n1
++ awk '{print $2}'
+ CURL_VERSION=7.29.0
+ retcode=0
+ set -e
+ [[ ! 0 = \0 ]]
+ [[ /etc/dehydrated != \/ ]]
+ BASEDIR=/etc/dehydrated
+ [[ -d /etc/dehydrated ]]
+ [[ -z '' ]]
+ [[ https://acme-v02.api.letsencrypt.org/directory = \h\t\t\p\s\:\/\/\a\c\m\e\-\v\0\2\.\a\p\i\.\l\e\t\s\e\n\c\r\y\p\t\.\o\r\g\/\d\i\r\e\c\t\o\r\y ]]
+ OLDCA=https://acme-v01.api.letsencrypt.org/directory
++ echo https://acme-v02.api.letsencrypt.org/directory
++ urlbase64
++ tr -d '\n\r'
++ _sed -e 's:=*$::g' -e y:+/:-_:
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's:=*$::g' -e y:+/:-_:
++ openssl base64 -e
+ CAHASH=aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo
+ [[ -z '' ]]
+ ACCOUNTDIR=/etc/dehydrated/accounts
+ [[ ! -e /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo ]]
+ [[ -f /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/config ]]
+ ACCOUNT_KEY=/etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem
+ ACCOUNT_KEY_JSON=/etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/registration_info.json
+ [[ -f /etc/dehydrated/private_key.pem ]]
+ [[ -f /etc/dehydrated/private_key.json ]]
+ [[ -z '' ]]
+ CERTDIR=/etc/dehydrated/certs
+ [[ -z '' ]]
+ CHAINCACHE=/etc/dehydrated/chains
+ [[ -z '' ]]
+ DOMAINS_TXT=/etc/dehydrated/domains.txt
+ [[ -z '' ]]
+ WELLKNOWN=/var/www/dehydrated
+ [[ -z /run/dehydrated/lock ]]
+ [[ -z '' ]]
++ cut '-d"' -f2
++ openssl version -d
+ OPENSSL_CNF=/etc/pki/tls/openssl.cnf
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ HOOK=/etc/dehydrated/hooks/dehydrated-bigip-hookscript
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ '[' '!' '' = noverify ']'
+ verify_config
+ [[ dns-01 == \h\t\t\p\-\0\1 ]]
+ [[ dns-01 == \d\n\s\-\0\1 ]]
+ [[ dns-01 = \d\n\s\-\0\1 ]]
+ [[ -z /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ [[ dns-01 = \h\t\t\p\-\0\1 ]]
+ [[ rsa == \r\s\a ]]
+ [[ -n '' ]]
+ [[ auto == \a\u\t\o ]]
+ store_configvars
+ __KEY_ALGO=rsa
+ __OCSP_MUST_STAPLE=no
+ __PRIVATE_KEY_RENEW=no
+ __KEYSIZE=4096
+ __CHALLENGETYPE=dns-01
+ __HOOK=/etc/dehydrated/hooks/dehydrated-bigip-hookscript
+ __WELLKNOWN=/var/www/dehydrated
+ __HOOK_CHAIN=no
+ __OPENSSL_CNF=/etc/pki/tls/openssl.cnf
+ __RENEW_DAYS=30
+ __IP_VERSION=
+ [[ -n /run/dehydrated/lock ]]
++ dirname /run/dehydrated/lock
+ LOCKDIR=/run/dehydrated
+ [[ -w /run/dehydrated ]]
+ trap remove_lock EXIT
++ http_request get https://acme-v02.api.letsencrypt.org/directory
+++ _mktemp
+++ mktemp /tmp/dehydrated-XXXXXX
++ tempcont=/tmp/dehydrated-qI42jY
+++ _mktemp
+++ mktemp /tmp/dehydrated-XXXXXX
++ tempheaders=/tmp/dehydrated-hFdkqH
++ [[ -n '' ]]
++ set +e
++ [[ get = \h\e\a\d ]]
++ [[ get = \g\e\t ]]
+++ curl -A 'dehydrated/0.6.2 curl/7.29.0' -L -s -w '%{http_code}' -o /tmp/dehydrated-qI42jY -D /tmp/dehydrated-hFdkqH https://acme-v02.api.letsencrypt.org/directory
++ statuscode=200
++ curlret=0
++ set -e
++ [[ ! 0 = \0 ]]
++ [[ ! 2 = \2 ]]
++ cat /tmp/dehydrated-qI42jY
++ rm -f /tmp/dehydrated-qI42jY
++ rm -f /tmp/dehydrated-hFdkqH
+ CA_DIRECTORY='{
  "E_JDbEWhu3I": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
+ [[ auto = \a\u\t\o ]]
+ grep -q newOrder
+ API=2
+ [[ 2 -eq 1 ]]
++ get_json_string_value newOrder
++ local filter
++ printf %s '{
  "E_JDbEWhu3I": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
+++ printf 's/.*"%s": *"\([^"]*\)".*/\\1/p' newOrder
++ filter='s/.*"newOrder": *"\([^"]*\)".*/\1/p'
++ sed -n 's/.*"newOrder": *"\([^"]*\)".*/\1/p'
+ CA_NEW_ORDER=https://acme-v02.api.letsencrypt.org/acme/new-order
++ printf %s '{
  "E_JDbEWhu3I": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
++ get_json_string_value newNonce
++ local filter
+++ printf 's/.*"%s": *"\([^"]*\)".*/\\1/p' newNonce
++ filter='s/.*"newNonce": *"\([^"]*\)".*/\1/p'
++ sed -n 's/.*"newNonce": *"\([^"]*\)".*/\1/p'
+ CA_NEW_NONCE=https://acme-v02.api.letsencrypt.org/acme/new-nonce
++ printf %s '{
  "E_JDbEWhu3I": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
++ get_json_string_value newAccount
++ local filter
+++ printf 's/.*"%s": *"\([^"]*\)".*/\\1/p' newAccount
++ filter='s/.*"newAccount": *"\([^"]*\)".*/\1/p'
++ sed -n 's/.*"newAccount": *"\([^"]*\)".*/\1/p'
+ CA_NEW_ACCOUNT=https://acme-v02.api.letsencrypt.org/acme/new-acct
++ get_json_string_value termsOfService
++ local filter
++ printf %s '{
  "E_JDbEWhu3I": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
+++ printf 's/.*"%s": *"\([^"]*\)".*/\\1/p' termsOfService
++ filter='s/.*"termsOfService": *"\([^"]*\)".*/\1/p'
++ sed -n 's/.*"termsOfService": *"\([^"]*\)".*/\1/p'
+ CA_TERMS=https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
++ printf %s '{
  "E_JDbEWhu3I": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
++ get_json_string_value revokeCert
++ local filter
+++ printf 's/.*"%s": *"\([^"]*\)".*/\\1/p' revokeCert
++ filter='s/.*"revokeCert": *"\([^"]*\)".*/\1/p'
++ sed -n 's/.*"revokeCert": *"\([^"]*\)".*/\1/p'
+ CA_REVOKE_CERT=https://acme-v02.api.letsencrypt.org/acme/revoke-cert
+ CA_ACCOUNT=https://acme-v02.api.letsencrypt.org/acme/acct
+ export WELLKNOWN BASEDIR CERTDIR CONFIG COMMAND
+ register_new_key=no
+ [[ -n '' ]]
+ [[ ! -e /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem ]]
+ openssl rsa -in /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem -check
++ hex2bin
++ urlbase64
++ tr -d '\n\r'
++ _sed -e 's:=*$::g' -e y:+/:-_:
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's:=*$::g' -e y:+/:-_:
++ openssl base64 -e
+++ awk '/publicExponent/ {print $2}'
+++ openssl rsa -in /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem -noout -text
+++ _sed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g'
+++ [[ Linux = \L\i\n\u\x ]]
+++ sed -r -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g'
+++ cat
++ printf %x 65537
++ printf -- '\x01\x00\x01'
+ pubExponent64=AQAB
++ urlbase64
++ openssl rsa -in /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem -noout -modulus
++ cut -d= -f2
++ hex2bin
++ tr -d '\n\r'
++ _sed -e 's:=*$::g' -e y:+/:-_:
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's:=*$::g' -e y:+/:-_:
++ openssl base64 -e
+++ cat
+++ _sed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g'
+++ [[ Linux = \L\i\n\u\x ]]
+++ sed -r -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g'
++ printf -- '\xB2\x89\x85\x6E\xE4\x19\x6F\x32\x65\xE6\x2F\x77\x35\x3D\x88\xC8\xAA\xC4\x31\x99\xFE\xE3\x5F\xBD\x02\xBF\x80\x28\x1B\x2E\xA2\xD4\x95\x98\x0F\xDF\x5F\xF3\xF8\x14\xD2\x55\x58\xDF\x6C\x17\x46\xFD\x55\xD4\xBA\xA6\x2B\xD1\x19\xD7\xE3\x36\x8A\x31\x8F\x43\x68\xC8\xFE\x6A\xFC\xC2\xE7\x9D\x6A\xBF\x14\x23\x6B\xF6\xD9\x58\x0A\xB4\xCD\xAC\xEB\xE7\x1A\xF6\x57\xB9\xB0\x21\x0B\x20\x15\xF8\xB3\x7E\xD5\x35\x99\xD0\x3B\xFF\x44\x4A\x2A\xC6\x6D\xD4\xF8\xCA\xFC\x56\x24\xE4\xFF\xA5\xFA\xCB\x13\x67\xD8\x41\xB7\xD2\x59\xD2\xBC\x49\x7E\x41\xCC\xB2\xEC\xD4\x1B\x34\xE2\x65\x64\xA7\xC0\x4C\xB4\x47\xF8\x8F\xD9\x79\xF7\x8A\xCC\xDF\xC1\x3E\xE7\xD5\x3C\x7E\x6E\xAA\x55\xCF\xF0\x87\xFB\x8A\x9B\x62\xE5\x45\x0C\xA1\x33\x0D\x25\x73\xC5\x1F\x15\xD3\x2E\x81\x20\xEF\x84\x83\x2F\xD5\x82\x57\x48\xF4\x5C\xFC\xF4\x2B\xB1\x4B\xB5\x54\xCE\x0A\x11\xB9\x71\xDF\x54\xDF\xA8\x5B\x73\xB8\x85\xD3\xC7\xFB\xEE\x1B\x62\x00\x18\xCE\x59\x24\x57\xB2\xF7\x6C\x4D\x5B\x3D\xE3\x2C\x5D\xDC\xFA\x46\x66\x9B\xCB\xB7\x19\x2F\xD6\xCB\x27\x8D\xDF\x8A\xE1\x8E\xBA\x0A\xDB\x08\x2B\x8B\x4E\x5A\x49\x61\x8A\x7C\xC7\x86\x40\x75\xAA\x09\xB9\x2B\x50\x2E\x66\xA1\x8B\x7B\x17\xCD\x96\xAA\x3A\x0F\x9D\xDD\x05\x5A\x5F\x4E\x03\xB1\x04\x4B\x64\x4B\xC4\x58\x30\xBF\xE5\x36\x01\xBE\xF1\xC1\x4A\x5A\xA7\xB9\xE1\x91\x6C\x85\x1E\x07\xC6\x51\xF8\x09\x68\x46\xDA\x4A\x5F\xF6\x94\xB7\x7A\x0A\x66\xAB\x32\x6D\x97\xFC\x97\xE1\x36\x37\x0A\x87\xC4\x36\x1F\xB8\xC9\x77\x06\x9B\x2D\x6D\xDB\xF2\xD5\xE8\x79\xA0\x38\x16\x7E\x8A\xF4\xFF\x59\x25\x5B\x96\xB2\xF8\x75\x56\xE2\xE2\xAE\xEB\x68\x20\xB9\x90\x48\x28\x36\x3E\xB6\x34\x54\x71\x5E\x89\xC5\x66\xC8\x31\x83\xC3\xAC\x20\x0E\x8F\xB6\xC5\x98\xEB\x8F\x8F\x9A\x1C\x25\x4A\xAE\x41\x91\x02\xE1\x2E\x71\x1F\xE7\xC7\xFE\xCE\xF2\xF8\xE2\x4E\x50\xF1\x1D\x3A\xDE\x11\xE1\x8F\x1B\x57\x34\x2F\x6A\x5B\xB8\x32\x62\x9F\xBF\x64\xC5\xCF\x60\xCA\xFE\x2B\xCD\xA3\x1C\x8E\x3B\xC8\x0C\x38\x17\x7E\xE1\xB8\xB1\x42\xA8\x05\x45\x59\x7B\xE3\x6D\xFE\x70\xD0\x8C\xF6\x7F\xAC\xD3\x29\xF8\x08\x71\xF5\x77\x33\xA7\x91\x69\xF7\x8C\x34\xCA\x4B\xBB\x24\xE4\xF7\x3A\x60\x65\xAF\xEC\xB2\x4C\xEA\xF4\xEB\x57\x47\xBD'
+ pubMod64=somFbuQZbzJl5i93NT2IyKrEMZn-41-9Ar-AKBsuotSVmA_fX_P4FNJVWN9sF0b9VdS6pivRGdfjNooxj0NoyP5q_MLnnWq_FCNr9tlYCrTNrOvnGvZXubAhCyAV-LN-1TWZ0Dv_REoqxm3U-Mr8ViTk_6X6yxNn2EG30lnSvEl-Qcyy7NQbNOJlZKfATLRH-I_ZefeKzN_BPufVPH5uqlXP8If7ipti5UUMoTMNJXPFHxXTLoEg74SDL9WCV0j0XPz0K7FLtVTOChG5cd9U36hbc7iF08f77htiABjOWSRXsvdsTVs94yxd3PpGZpvLtxkv1ssnjd-K4Y66CtsIK4tOWklhinzHhkB1qgm5K1AuZqGLexfNlqo6D53dBVpfTgOxBEtkS8RYML_lNgG-8cFKWqe54ZFshR4HxlH4CWhG2kpf9pS3egpmqzJtl_yX4TY3CofENh-4yXcGmy1t2_LV6HmgOBZ-ivT_WSVblrL4dVbi4q7raCC5kEgoNj62NFRxXonFZsgxg8OsIA6PtsWY64-PmhwlSq5BkQLhLnEf58f-zvL44k5Q8R063hHhjxtXNC9qW7gyYp-_ZMXPYMr-K82jHI47yAw4F37huLFCqAVFWXvjbf5w0Iz2f6zTKfgIcfV3M6eRafeMNMpLuyTk9zpgZa_sskzq9OtXR70
++ openssl dgst -sha256 -binary
++ urlbase64
++ printf '{"e":"%s","kty":"RSA","n":"%s"}' AQAB somFbuQZbzJl5i93NT2IyKrEMZn-41-9Ar-AKBsuotSVmA_fX_P4FNJVWN9sF0b9VdS6pivRGdfjNooxj0NoyP5q_MLnnWq_FCNr9tlYCrTNrOvnGvZXubAhCyAV-LN-1TWZ0Dv_REoqxm3U-Mr8ViTk_6X6yxNn2EG30lnSvEl-Qcyy7NQbNOJlZKfATLRH-I_ZefeKzN_BPufVPH5uqlXP8If7ipti5UUMoTMNJXPFHxXTLoEg74SDL9WCV0j0XPz0K7FLtVTOChG5cd9U36hbc7iF08f77htiABjOWSRXsvdsTVs94yxd3PpGZpvLtxkv1ssnjd-K4Y66CtsIK4tOWklhinzHhkB1qgm5K1AuZqGLexfNlqo6D53dBVpfTgOxBEtkS8RYML_lNgG-8cFKWqe54ZFshR4HxlH4CWhG2kpf9pS3egpmqzJtl_yX4TY3CofENh-4yXcGmy1t2_LV6HmgOBZ-ivT_WSVblrL4dVbi4q7raCC5kEgoNj62NFRxXonFZsgxg8OsIA6PtsWY64-PmhwlSq5BkQLhLnEf58f-zvL44k5Q8R063hHhjxtXNC9qW7gyYp-_ZMXPYMr-K82jHI47yAw4F37huLFCqAVFWXvjbf5w0Iz2f6zTKfgIcfV3M6eRafeMNMpLuyTk9zpgZa_sskzq9OtXR70
++ openssl base64 -e
++ tr -d '\n\r'
++ _sed -e 's:=*$::g' -e y:+/:-_:
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's:=*$::g' -e y:+/:-_:
+ thumbprint=_oaQ2oNrrN8avUDUlf7bFibaIDiAAD0WHYnpSSSyvu8
+ [[ no = \y\e\s ]]
+ [[ sign_domains = \r\e\g\i\s\t\e\r ]]
+ [[ -e /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/registration_info.json ]]
++ cat /etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/registration_info.json
++ get_json_int_value id
++ local filter
+++ printf 's/.*"%s": *\([0-9]*\).*/\\1/p' id
++ filter='s/.*"id": *\([0-9]*\).*/\1/p'
++ sed -n 's/.*"id": *\([0-9]*\).*/\1/p'
+ ACCOUNT_ID=41297303
+ [[ 2 -eq 1 ]]
+ ACCOUNT_URL=https://acme-v02.api.letsencrypt.org/acme/acct/41297303
+ hookscript_bricker_hook
+ [[ -n /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ /etc/dehydrated/hooks/dehydrated-bigip-hookscript this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ DATE='date +%m/%d/%Y:%H:%M:%S'
+ . /etc/dehydrated/hooks/dehydrated-lexicon this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ set -e
++ set -u
++ set -o pipefail
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ shift
+++ type -t this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ '[' -n '' ']'
+ . /etc/dehydrated/hooks/dehydrated-bigip-redeploy-traffic-certificate this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ set -x
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ shift
+++ type -t this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ '[' -n '' ']'
+ [[ -n /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ /etc/dehydrated/hooks/dehydrated-bigip-hookscript startup_hook
++ DATE='date +%m/%d/%Y:%H:%M:%S'
+ . /etc/dehydrated/hooks/dehydrated-lexicon startup_hook
++ set -e
++ set -u
++ set -o pipefail
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=startup_hook
++ shift
+++ type -t startup_hook
++ '[' -n '' ']'
+ . /etc/dehydrated/hooks/dehydrated-bigip-redeploy-traffic-certificate startup_hook
++ set -x
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=startup_hook
++ shift
+++ type -t startup_hook
++ '[' -n '' ']'
+ '[' '!' -d /etc/dehydrated/chains ']'
+ [[ -n '' ]]
+ [[ -e /etc/dehydrated/domains.txt ]]
+ [[ ! -r /etc/dehydrated/domains.txt ]]
+ ORIGIFS=' 
'
+ IFS='
'
++ awk '{print tolower($0)}'
++ _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g'
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g'
++ grep -vE '^(#|$)'
++ tr -d '\r'
+ for line in '$(<"${DOMAINS_TXT}" tr -d '\''\r'\'' | awk '\''{print tolower($0)}'\'' | _sed -e '\''s/^[[:space:]]*//g'\'' -e '\''s/[[:space:]]*$//g'\'' -e '\''s/[[:space:]]+/ /g'\'' -e '\''s/([^ ])>/\1 >/g'\'' -e '\''s/> />/g'\'' | (grep -vE '\''^(#|$)'\'' || true))'
+ reset_configvars
+ KEY_ALGO=rsa
+ OCSP_MUST_STAPLE=no
+ PRIVATE_KEY_RENEW=no
+ KEYSIZE=4096
+ CHALLENGETYPE=dns-01
+ HOOK=/etc/dehydrated/hooks/dehydrated-bigip-hookscript
+ WELLKNOWN=/var/www/dehydrated
+ HOOK_CHAIN=no
+ OPENSSL_CNF=/etc/pki/tls/openssl.cnf
+ RENEW_DAYS=30
+ IP_VERSION=
+ IFS=' 
'
++ grep -Eo '>[^ ]+'
++ true
+ alias=
++ _sed -e 's/>[^ ]+[ ]*//g'
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's/>[^ ]+[ ]*//g'
+ line=sortplanpro.example.com
++ grep -Eo '>'
++ awk 'END {print NR}'
++ true
+ aliascount=0
+ '[' 0 -gt 1 ']'
++ printf '%s\n' sortplanpro.example.com
++ cut '-d ' -f1
+ domain=sortplanpro.example.com
++ printf '%s\n' sortplanpro.example.com
++ cut -s '-d ' -f2-
+ morenames=
+ '[' 0 -lt 1 ']'
+ alias=sortplanpro.example.com
+ export alias
+ [[ -z '' ]]
+ echo 'Processing sortplanpro.example.com'
Processing sortplanpro.example.com
+ '[' so = '*.' ']'
+ local certdir=/etc/dehydrated/certs/sortplanpro.example.com
+ cert=/etc/dehydrated/certs/sortplanpro.example.com/cert.pem
+ chain=/etc/dehydrated/certs/sortplanpro.example.com/chain.pem
+ force_renew=no
++ date +%s
+ timestamp=1553523970
+ [[ ! -e /etc/dehydrated/certs/sortplanpro.example.com ]]
+ [[ -n '' ]]
+ certconfig=/etc/dehydrated/certs/sortplanpro.example.com/config
+ '[' -f /etc/dehydrated/certs/sortplanpro.example.com/config ']'
+ verify_config
+ [[ dns-01 == \h\t\t\p\-\0\1 ]]
+ [[ dns-01 == \d\n\s\-\0\1 ]]
+ [[ dns-01 = \d\n\s\-\0\1 ]]
+ [[ -z /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ [[ dns-01 = \h\t\t\p\-\0\1 ]]
+ [[ rsa == \r\s\a ]]
+ [[ -n '' ]]
+ [[ 2 == \a\u\t\o ]]
+ [[ 2 == \1 ]]
+ [[ 2 == \2 ]]
+ hookscript_bricker_hook
+ [[ -n /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ /etc/dehydrated/hooks/dehydrated-bigip-hookscript this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ DATE='date +%m/%d/%Y:%H:%M:%S'
+ . /etc/dehydrated/hooks/dehydrated-lexicon this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ set -e
++ set -u
++ set -o pipefail
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ shift
+++ type -t this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ '[' -n '' ']'
+ . /etc/dehydrated/hooks/dehydrated-bigip-redeploy-traffic-certificate this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ set -x
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ shift
+++ type -t this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
++ '[' -n '' ']'
+ export WELLKNOWN CHALLENGETYPE KEY_ALGO PRIVATE_KEY_ROLLOVER
+ skip=no
+ local csr=
+ [[ -n /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
++ /etc/dehydrated/hooks/dehydrated-bigip-hookscript generate_csr sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com 'sortplanpro.example.com '
++ DATE='date +%m/%d/%Y:%H:%M:%S'
+ . /etc/dehydrated/hooks/dehydrated-lexicon generate_csr sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com 'sortplanpro.example.com '
++ set -e
++ set -u
++ set -o pipefail
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=generate_csr
++ shift
+++ type -t generate_csr
++ '[' -n '' ']'
+ . /etc/dehydrated/hooks/dehydrated-bigip-redeploy-traffic-certificate generate_csr sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com 'sortplanpro.example.com '
++ set -x
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=generate_csr
++ shift
+++ type -t generate_csr
++ '[' -n '' ']'
+ csr=
+ grep -qE '\-----BEGIN (NEW )?CERTIFICATE REQUEST-----'
+ csr=
+ [[ -e /etc/dehydrated/certs/sortplanpro.example.com/cert.pem ]]
+ printf ' + Checking domain name(s) of existing cert...'
 + Checking domain name(s) of existing cert...++ openssl x509 -in /etc/dehydrated/certs/sortplanpro.example.com/cert.pem -text -noout
++ grep DNS:
++ _sed s/DNS://g
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r s/DNS://g
++ sort -u
++ tr '\n' ' '
++ tr -d ' '
++ _sed 's/ $//'
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r 's/ $//'
++ tr , '\n'
+ certnames=sortplanpro.example.com
++ echo sortplanpro.example.com ''
++ tr ' ' '\n'
++ _sed 's/^ //'
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r 's/^ //'
++ sort -u
++ tr '\n' ' '
++ _sed 's/ $//'
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r 's/ $//'
+ givennames=sortplanpro.example.com
+ [[ sortplanpro.example.com = \s\o\r\t\p\l\a\n\p\r\o\.\c\o\r\p\d\o\m\1\.\c\o\m ]]
+ echo ' unchanged.'
 unchanged.
+ [[ -e /etc/dehydrated/certs/sortplanpro.example.com/cert.pem ]]
+ echo ' + Checking expire date of existing cert...'
 + Checking expire date of existing cert...
++ openssl x509 -enddate -noout -in /etc/dehydrated/certs/sortplanpro.example.com/cert.pem
++ cut -d= -f2-
+ valid='Jun  4 06:10:44 2019 GMT'
+ printf ' + Valid till %s ' 'Jun  4 06:10:44 2019 GMT'
 + Valid till Jun  4 06:10:44 2019 GMT + openssl x509 -checkend 2592000 -noout -in /etc/dehydrated/certs/sortplanpro.example.com/cert.pem
+ printf '(Longer than %d days). ' 30
(Longer than 30 days). + [[ no = \y\e\s ]]
+ echo 'Skipping renew!'
Skipping renew!
+ [[ -n /etc/dehydrated/hooks/dehydrated-bigip-hookscript ]]
+ /etc/dehydrated/hooks/dehydrated-bigip-hookscript unchanged_cert sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com/privkey.pem /etc/dehydrated/certs/sortplanpro.example.com/cert.pem /etc/dehydrated/certs/sortplanpro.example.com/fullchain.pem /etc/dehydrated/certs/sortplanpro.example.com/chain.pem
++ DATE='date +%m/%d/%Y:%H:%M:%S'
+ . /etc/dehydrated/hooks/dehydrated-lexicon unchanged_cert sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com/privkey.pem /etc/dehydrated/certs/sortplanpro.example.com/cert.pem /etc/dehydrated/certs/sortplanpro.example.com/fullchain.pem /etc/dehydrated/certs/sortplanpro.example.com/chain.pem
++ set -e
++ set -u
++ set -o pipefail
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=unchanged_cert
++ shift
+++ type -t unchanged_cert
++ '[' -n '' ']'
+ . /etc/dehydrated/hooks/dehydrated-bigip-redeploy-traffic-certificate unchanged_cert sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com/privkey.pem /etc/dehydrated/certs/sortplanpro.example.com/cert.pem /etc/dehydrated/certs/sortplanpro.example.com/fullchain.pem /etc/dehydrated/certs/sortplanpro.example.com/chain.pem
++ set -x
++ . /etc/dehydrated/hooks/dehydrated-bigip-common
+++ set -x
+++ DATE='date +%m/%d/%Y:%H:%M:%S'
++ . /etc/dehydrated/hooks/dehydrated-bigip-loadconfig
+++ for i in '${BASEDIR}/conf.d/*.sh'
+++ . /etc/dehydrated/conf.d/local.sh
++++ unset proxy
++++ unset http_proxy
++++ unset https_proxy
++++ unset ftp_proxy
++++ unset no_proxy
++++ BIGIP_DEVICE_LIST=bigip1.example.com
++++ BIGIP_USERNAME=admin
++++ BIGIP_PASSWORD='pwremoved'
++++ BIGIP_PARTITION=Common
++++ BIGIP_CLIENT_SSL_MANAGE=1
++++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
++++ TIMESTAMP_NAME=1
++++ OCSP_STAPLE=1
++++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
++++ BIGIP_SAVE_CONFIG=1
++++ LEXICON_PROVIDER=nsone
++++ LEXICON_ARGS='--auth-token tokenremoved'
+++ . /etc/dehydrated/hooks/dehydrated-bigip-common
++++ set -x
++++ DATE='date +%m/%d/%Y:%H:%M:%S'
+++ CURL=/usr/bin/curl
+++ LOGFILE=/var/log/dehydrated-bigip-deploy-traffic-certificate.log
+++ BIGIP_DEVICE_LIST=bigip1.example.com
+++ BIGIP_USERNAME=admin
+++ BIGIP_PASSWORD='pwremoved'
+++ BIGIP_PARTITION=Common
+++ BIGIP_CLIENT_SSL_MANAGE=1
+++ BIGIP_CLIENT_SSL_PARENT=/Common/clientssl
+++ TIMESTAMP_NAME=1
+++ OCSP_STAPLING_PROFILE=/Common/OCSP-STAPLE-LetsEncrypt-X3
+++ OCSP_STAPLE=1
+++ BIGIP_SAVE_CONFIG=1
+++ NSUPDATE=nsupdate
+++ NSUPDATE_ARGS=
+++ NSUPDATE_SERVER_LIST=
+++ NSUPDATE_RECORD_DEFAULT_TTL=300
+++ LEXICON_PROVIDER=nsone
+++ LEXICON_ARGS='--auth-token tokenremoved'
+++ TIMEOUT=5
+++ MAXTIMEOUT=120
++ HANDLER=unchanged_cert
++ shift
+++ type -t unchanged_cert
++ '[' -n function ']'
+++ type -t unchanged_cert
++ '[' function = function ']'
++ unchanged_cert sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com/privkey.pem /etc/dehydrated/certs/sortplanpro.example.com/cert.pem /etc/dehydrated/certs/sortplanpro.example.com/fullchain.pem /etc/dehydrated/certs/sortplanpro.example.com/chain.pem
++ echo 'entering unchanged_cert()'
entering unchanged_cert()
++ for BIGIP_DEVICE in '${BIGIP_DEVICE_LIST}'
++ echo 'check if bigip1.example.com is Active in cluster'
check if bigip1.example.com is Active in cluster
++ isActive
+++ restCall GET /tm/cm/failover-status
+++ CONTTYPE='-H Content-Type: application/json'
+++ AUTH='--user admin:pwremoved'
+++ TIME='--connect-timeout 5'
+++ MAXTIME='-m 120'
+++ URL=https://bigip1.example.com/mgmt/tm/cm/failover-status
+++ [[ GET == POST ]]
+++ [[ GET == PATCH ]]
+++ [[ GET == PUT ]]
+++ log 'restCall():/usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user admin:pwremoved https://bigip1.example.com/mgmt/tm/cm/failover-status -X GET '
++++ date +%m/%d/%Y:%H:%M:%S
+++ echo '03/25/2019:09:26:10 restCall():/usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user admin:pwremoved https://bigip1.example.com/mgmt/tm/cm/failover-status -X GET '
+++ /usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user 'admin:pwremoved' https://bigip1.example.com/mgmt/tm/cm/failover-status -X GET
++ OUT='{"kind":"tm:cm:failover-status:failover-statusstats","selfLink":"https://localhost/mgmt/tm/cm/failover-status?ver=11.6.2","entries":{"https://localhost/mgmt/tm/cm/failover-status/0":{"nestedStats":{"entries":{"color":{"description":"green"},"https://localhost/mgmt/tm/cm/failoverStatus/0/details":{"nestedStats":{"entries":{"https://localhost/mgmt/tm/cm/failoverStatus/0/details/0":{"nestedStats":{"entries":{"details":{"description":"active for /Common/traffic-group-1"}}}}}}},"status":{"description":"ACTIVE"},"summary":{"description":"1/1 active"}}}}}}'
+++ echo '{"kind":"tm:cm:failover-status:failover-statusstats","selfLink":"https://localhost/mgmt/tm/cm/failover-status?ver=11.6.2","entries":{"https://localhost/mgmt/tm/cm/failover-status/0":{"nestedStats":{"entries":{"color":{"description":"green"},"https://localhost/mgmt/tm/cm/failoverStatus/0/details":{"nestedStats":{"entries":{"https://localhost/mgmt/tm/cm/failoverStatus/0/details/0":{"nestedStats":{"entries":{"details":{"description":"active' for '/Common/traffic-group-1"}}}}}}},"status":{"description":"ACTIVE"},"summary":{"description":"1/1' 'active"}}}}}}'
++ log 'isActive():{"kind":"tm:cm:failover-status:failover-statusstats","selfLink":"https://localhost/mgmt/tm/cm/failover-status?ver=11.6.2","entries":{"https://localhost/mgmt/tm/cm/failover-status/0":{"nestedStats":{"entries":{"color":{"description":"green"},"https://localhost/mgmt/tm/cm/failoverStatus/0/details":{"nestedStats":{"entries":{"https://localhost/mgmt/tm/cm/failoverStatus/0/details/0":{"nestedStats":{"entries":{"details":{"description":"active for /Common/traffic-group-1"}}}}}}},"status":{"description":"ACTIVE"},"summary":{"description":"1/1 active"}}}}}}'
+++ date +%m/%d/%Y:%H:%M:%S
++ echo '03/25/2019:09:26:10 isActive():{"kind":"tm:cm:failover-status:failover-statusstats","selfLink":"https://localhost/mgmt/tm/cm/failover-status?ver=11.6.2","entries":{"https://localhost/mgmt/tm/cm/failover-status/0":{"nestedStats":{"entries":{"color":{"description":"green"},"https://localhost/mgmt/tm/cm/failoverStatus/0/details":{"nestedStats":{"entries":{"https://localhost/mgmt/tm/cm/failoverStatus/0/details/0":{"nestedStats":{"entries":{"details":{"description":"active for /Common/traffic-group-1"}}}}}}},"status":{"description":"ACTIVE"},"summary":{"description":"1/1 active"}}}}}}'
+++ echo '{"kind":"tm:cm:failover-status:failover-statusstats","selfLink":"https://localhost/mgmt/tm/cm/failover-status?ver=11.6.2","entries":{"https://localhost/mgmt/tm/cm/failover-status/0":{"nestedStats":{"entries":{"color":{"description":"green"},"https://localhost/mgmt/tm/cm/failoverStatus/0/details":{"nestedStats":{"entries":{"https://localhost/mgmt/tm/cm/failoverStatus/0/details/0":{"nestedStats":{"entries":{"details":{"description":"active' for '/Common/traffic-group-1"}}}}}}},"status":{"description":"ACTIVE"},"summary":{"description":"1/1' 'active"}}}}}}'
+++ jsonq '["entries"]["https://localhost/mgmt/tm/cm/failover-status/0"]["nestedStats"]["entries"]["status"]["description"]'
+++ python -c 'import sys,json; input=json.load(sys.stdin); print input["entries"]["https://localhost/mgmt/tm/cm/failover-status/0"]["nestedStats"]["entries"]["status"]["description"]'
++ [[ ACTIVE == ACTIVE ]]
++ return 0
++ echo 'Active device, check if cert sortplanpro.example.com' /etc/dehydrated/certs/sortplanpro.example.com/privkey.pem /etc/dehydrated/certs/sortplanpro.example.com/cert.pem /etc/dehydrated/certs/sortplanpro.example.com/fullchain.pem '/etc/dehydrated/certs/sortplanpro.example.com/chain.pem  is installed on bigip1.example.com'
Active device, check if cert sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com/privkey.pem /etc/dehydrated/certs/sortplanpro.example.com/cert.pem /etc/dehydrated/certs/sortplanpro.example.com/fullchain.pem /etc/dehydrated/certs/sortplanpro.example.com/chain.pem  is installed on bigip1.example.com
++ CERTFILE=/etc/dehydrated/certs/sortplanpro.example.com/cert.pem
++ CLIENTSSL_NAME=sortplanpro.example.com
+++ openssl x509 -in /etc/dehydrated/certs/sortplanpro.example.com/cert.pem -serial -noout
+++ sed -E -s 's/serial=(.*)/\L\1/'
++ LOCALHASH=0365a748105b5be13241e14a6d8e5ecbe02f
+++ getCurrentCertSerialNumber sortplanpro.example.com Common
++++ restCall GET /tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com
++++ CONTTYPE='-H Content-Type: application/json'
++++ AUTH='--user admin:pwremoved'
++++ TIME='--connect-timeout 5'
++++ MAXTIME='-m 120'
++++ URL=https://bigip1.example.com/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com
++++ [[ GET == POST ]]
++++ [[ GET == PATCH ]]
++++ [[ GET == PUT ]]
++++ log 'restCall():/usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user admin:pwremoved https://bigip1.example.com/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com -X GET '
+++++ date +%m/%d/%Y:%H:%M:%S
++++ echo '03/25/2019:09:26:10 restCall():/usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user admin:pwremoved https://bigip1.example.com/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com -X GET '
++++ /usr/bin/curl -sk --connect-timeout 5 -m 120 -H Content-Type: application/json --user 'admin:pwremoved' https://bigip1.example.com/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com -X GET
+++ SSLPROFILE='{"kind":"tm:ltm:profile:client-ssl:client-sslstate","name":"sortplanpro.example.com","partition":"Common","fullPath":"/Common/sortplanpro.example.com","generation":174742,"selfLink":"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com?ver=11.6.2","alertTimeout":"10","allowNonSsl":"disabled","authenticate":"once","authenticateDepth":9,"cacheSize":262144,"cacheTimeout":3600,"cert":"/Common/sortplanpro.example.com.crt","certExtensionIncludes":["basic-constraints","subject-alternative-name"],"certLifespan":30,"certLookupByIpaddrPort":"disabled","chain":"/Common/sortplanpro.example.com-CHAIN.crt","ciphers":"DEFAULT","defaultsFrom":"/Common/clientssl","forwardProxyBypassDefaultAction":"intercept","genericAlert":"enabled","handshakeTimeout":"10","inheritCertkeychain":"false","key":"/Common/sortplanpro.example.com.key","maxRenegotiationsPerMinute":5,"modSslMethods":"disabled","mode":"enabled","tmOptions":["dont-insert-empty-fragments"],"peerCertMode":"ignore","peerNoRenegotiateTimeout":"10","proxySsl":"disabled","proxySslPassthrough":"disabled","renegotiateMaxRecordDelay":"indefinite","renegotiatePeriod":"indefinite","renegotiateSize":"indefinite","renegotiation":"enabled","retainCertificate":"true","secureRenegotiation":"require","serverName":"sortplanpro.example.com","sessionMirroring":"disabled","sessionTicket":"disabled","sniDefault":"false","sniRequire":"false","sslForwardProxy":"disabled","sslForwardProxyBypass":"disabled","sslSignHash":"any","strictResume":"disabled","uncleanShutdown":"enabled","certKeyChain":[{"name":"sortplanpro.example.com_sortplanpro.example.com-CHAIN","cert":"/Common/sortplanpro.example.com.crt","chain":"/Common/sortplanpro.example.com-CHAIN.crt","key":"/Common/sortplanpro.example.com.key"}]}'
+++ log 'getClientSSLProfile() SSLPROFILE: {"kind":"tm:ltm:profile:client-ssl:client-sslstate","name":"sortplanpro.example.com","partition":"Common","fullPath":"/Common/sortplanpro.example.com","generation":174742,"selfLink":"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com?ver=11.6.2","alertTimeout":"10","allowNonSsl":"disabled","authenticate":"once","authenticateDepth":9,"cacheSize":262144,"cacheTimeout":3600,"cert":"/Common/sortplanpro.example.com.crt","certExtensionIncludes":["basic-constraints","subject-alternative-name"],"certLifespan":30,"certLookupByIpaddrPort":"disabled","chain":"/Common/sortplanpro.example.com-CHAIN.crt","ciphers":"DEFAULT","defaultsFrom":"/Common/clientssl","forwardProxyBypassDefaultAction":"intercept","genericAlert":"enabled","handshakeTimeout":"10","inheritCertkeychain":"false","key":"/Common/sortplanpro.example.com.key","maxRenegotiationsPerMinute":5,"modSslMethods":"disabled","mode":"enabled","tmOptions":["dont-insert-empty-fragments"],"peerCertMode":"ignore","peerNoRenegotiateTimeout":"10","proxySsl":"disabled","proxySslPassthrough":"disabled","renegotiateMaxRecordDelay":"indefinite","renegotiatePeriod":"indefinite","renegotiateSize":"indefinite","renegotiation":"enabled","retainCertificate":"true","secureRenegotiation":"require","serverName":"sortplanpro.example.com","sessionMirroring":"disabled","sessionTicket":"disabled","sniDefault":"false","sniRequire":"false","sslForwardProxy":"disabled","sslForwardProxyBypass":"disabled","sslSignHash":"any","strictResume":"disabled","uncleanShutdown":"enabled","certKeyChain":[{"name":"sortplanpro.example.com_sortplanpro.example.com-CHAIN","cert":"/Common/sortplanpro.example.com.crt","chain":"/Common/sortplanpro.example.com-CHAIN.crt","key":"/Common/sortplanpro.example.com.key"}]}'
++++ date +%m/%d/%Y:%H:%M:%S
+++ echo '03/25/2019:09:26:10 getClientSSLProfile() SSLPROFILE: {"kind":"tm:ltm:profile:client-ssl:client-sslstate","name":"sortplanpro.example.com","partition":"Common","fullPath":"/Common/sortplanpro.example.com","generation":174742,"selfLink":"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com?ver=11.6.2","alertTimeout":"10","allowNonSsl":"disabled","authenticate":"once","authenticateDepth":9,"cacheSize":262144,"cacheTimeout":3600,"cert":"/Common/sortplanpro.example.com.crt","certExtensionIncludes":["basic-constraints","subject-alternative-name"],"certLifespan":30,"certLookupByIpaddrPort":"disabled","chain":"/Common/sortplanpro.example.com-CHAIN.crt","ciphers":"DEFAULT","defaultsFrom":"/Common/clientssl","forwardProxyBypassDefaultAction":"intercept","genericAlert":"enabled","handshakeTimeout":"10","inheritCertkeychain":"false","key":"/Common/sortplanpro.example.com.key","maxRenegotiationsPerMinute":5,"modSslMethods":"disabled","mode":"enabled","tmOptions":["dont-insert-empty-fragments"],"peerCertMode":"ignore","peerNoRenegotiateTimeout":"10","proxySsl":"disabled","proxySslPassthrough":"disabled","renegotiateMaxRecordDelay":"indefinite","renegotiatePeriod":"indefinite","renegotiateSize":"indefinite","renegotiation":"enabled","retainCertificate":"true","secureRenegotiation":"require","serverName":"sortplanpro.example.com","sessionMirroring":"disabled","sessionTicket":"disabled","sniDefault":"false","sniRequire":"false","sslForwardProxy":"disabled","sslForwardProxyBypass":"disabled","sslSignHash":"any","strictResume":"disabled","uncleanShutdown":"enabled","certKeyChain":[{"name":"sortplanpro.example.com_sortplanpro.example.com-CHAIN","cert":"/Common/sortplanpro.example.com.crt","chain":"/Common/sortplanpro.example.com-CHAIN.crt","key":"/Common/sortplanpro.example.com.key"}]}'
++++ grep '"kind":"tm:ltm:profile:client-ssl:client-sslstate"'
++++ echo '{"kind":"tm:ltm:profile:client-ssl:client-sslstate","name":"sortplanpro.example.com","partition":"Common","fullPath":"/Common/sortplanpro.example.com","generation":174742,"selfLink":"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com?ver=11.6.2","alertTimeout":"10","allowNonSsl":"disabled","authenticate":"once","authenticateDepth":9,"cacheSize":262144,"cacheTimeout":3600,"cert":"/Common/sortplanpro.example.com.crt","certExtensionIncludes":["basic-constraints","subject-alternative-name"],"certLifespan":30,"certLookupByIpaddrPort":"disabled","chain":"/Common/sortplanpro.example.com-CHAIN.crt","ciphers":"DEFAULT","defaultsFrom":"/Common/clientssl","forwardProxyBypassDefaultAction":"intercept","genericAlert":"enabled","handshakeTimeout":"10","inheritCertkeychain":"false","key":"/Common/sortplanpro.example.com.key","maxRenegotiationsPerMinute":5,"modSslMethods":"disabled","mode":"enabled","tmOptions":["dont-insert-empty-fragments"],"peerCertMode":"ignore","peerNoRenegotiateTimeout":"10","proxySsl":"disabled","proxySslPassthrough":"disabled","renegotiateMaxRecordDelay":"indefinite","renegotiatePeriod":"indefinite","renegotiateSize":"indefinite","renegotiation":"enabled","retainCertificate":"true","secureRenegotiation":"require","serverName":"sortplanpro.example.com","sessionMirroring":"disabled","sessionTicket":"disabled","sniDefault":"false","sniRequire":"false","sslForwardProxy":"disabled","sslForwardProxyBypass":"disabled","sslSignHash":"any","strictResume":"disabled","uncleanShutdown":"enabled","certKeyChain":[{"name":"sortplanpro.example.com_sortplanpro.example.com-CHAIN","cert":"/Common/sortplanpro.example.com.crt","chain":"/Common/sortplanpro.example.com-CHAIN.crt","key":"/Common/sortplanpro.example.com.key"}]}'
+++ '[' '{"kind":"tm:ltm:profile:client-ssl:client-sslstate","name":"sortplanpro.example.com","partition":"Common","fullPath":"/Common/sortplanpro.example.com","generation":174742,"selfLink":"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com?ver=11.6.2","alertTimeout":"10","allowNonSsl":"disabled","authenticate":"once","authenticateDepth":9,"cacheSize":262144,"cacheTimeout":3600,"cert":"/Common/sortplanpro.example.com.crt","certExtensionIncludes":["basic-constraints","subject-alternative-name"],"certLifespan":30,"certLookupByIpaddrPort":"disabled","chain":"/Common/sortplanpro.example.com-CHAIN.crt","ciphers":"DEFAULT","defaultsFrom":"/Common/clientssl","forwardProxyBypassDefaultAction":"intercept","genericAlert":"enabled","handshakeTimeout":"10","inheritCertkeychain":"false","key":"/Common/sortplanpro.example.com.key","maxRenegotiationsPerMinute":5,"modSslMethods":"disabled","mode":"enabled","tmOptions":["dont-insert-empty-fragments"],"peerCertMode":"ignore","peerNoRenegotiateTimeout":"10","proxySsl":"disabled","proxySslPassthrough":"disabled","renegotiateMaxRecordDelay":"indefinite","renegotiatePeriod":"indefinite","renegotiateSize":"indefinite","renegotiation":"enabled","retainCertificate":"true","secureRenegotiation":"require","serverName":"sortplanpro.example.com","sessionMirroring":"disabled","sessionTicket":"disabled","sniDefault":"false","sniRequire":"false","sslForwardProxy":"disabled","sslForwardProxyBypass":"disabled","sslSignHash":"any","strictResume":"disabled","uncleanShutdown":"enabled","certKeyChain":[{"name":"sortplanpro.example.com_sortplanpro.example.com-CHAIN","cert":"/Common/sortplanpro.example.com.crt","chain":"/Common/sortplanpro.example.com-CHAIN.crt","key":"/Common/sortplanpro.example.com.key"}]}x' '!=' x ']'
++++ echo '{"kind":"tm:ltm:profile:client-ssl:client-sslstate","name":"sortplanpro.example.com","partition":"Common","fullPath":"/Common/sortplanpro.example.com","generation":174742,"selfLink":"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~sortplanpro.example.com?ver=11.6.2","alertTimeout":"10","allowNonSsl":"disabled","authenticate":"once","authenticateDepth":9,"cacheSize":262144,"cacheTimeout":3600,"cert":"/Common/sortplanpro.example.com.crt","certExtensionIncludes":["basic-constraints","subject-alternative-name"],"certLifespan":30,"certLookupByIpaddrPort":"disabled","chain":"/Common/sortplanpro.example.com-CHAIN.crt","ciphers":"DEFAULT","defaultsFrom":"/Common/clientssl","forwardProxyBypassDefaultAction":"intercept","genericAlert":"enabled","handshakeTimeout":"10","inheritCertkeychain":"false","key":"/Common/sortplanpro.example.com.key","maxRenegotiationsPerMinute":5,"modSslMethods":"disabled","mode":"enabled","tmOptions":["dont-insert-empty-fragments"],"peerCertMode":"ignore","peerNoRenegotiateTimeout":"10","proxySsl":"disabled","proxySslPassthrough":"disabled","renegotiateMaxRecordDelay":"indefinite","renegotiatePeriod":"indefinite","renegotiateSize":"indefinite","renegotiation":"enabled","retainCertificate":"true","secureRenegotiation":"require","serverName":"sortplanpro.example.com","sessionMirroring":"disabled","sessionTicket":"disabled","sniDefault":"false","sniRequire":"false","sslForwardProxy":"disabled","sslForwardProxyBypass":"disabled","sslSignHash":"any","strictResume":"disabled","uncleanShutdown":"enabled","certKeyChain":[{"name":"sortplanpro.example.com_sortplanpro.example.com-CHAIN","cert":"/Common/sortplanpro.example.com.crt","chain":"/Common/sortplanpro.example.com-CHAIN.crt","key":"/Common/sortplanpro.example.com.key"}]}'
++++ sed -E -s 's|https://[a-zA-Z0-9\-\.]*/mgmt/|/|'
++++ jsonq '["certReference"]["link"]'
++++ python -c 'import sys,json; input=json.load(sys.stdin); print input["certReference"]["link"]'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
KeyError: 'certReference'
+++ CERTLINK=
+++ log 'getClientSSLProfile() CERTLINK: '
++++ date +%m/%d/%Y:%H:%M:%S
+++ echo '03/25/2019:09:26:10 getClientSSLProfile() CERTLINK: '
++++ echo x
+++ '[' x '!=' x ']'
+++ log 'SSL cert link not found, return empty'
++++ date +%m/%d/%Y:%H:%M:%S
+++ echo '03/25/2019:09:26:10 SSL cert link not found, return empty'
+++ echo skipping return 2
++ REMOTEHASH='skipping return 2'
++ '[' 0365a748105b5be13241e14a6d8e5ecbe02f = 'skipping return 2' ']'
++ echo 'Certificate thumprint not matching, our could not be retreived. Redeploy the certificate...'
Certificate thumprint not matching, our could not be retreived. Redeploy the certificate...
++ deploy_traffic_cert sortplanpro.example.com /etc/dehydrated/certs/sortplanpro.example.com/privkey.pem /etc/dehydrated/certs/sortplanpro.example.com/cert.pem /etc/dehydrated/certs/sortplanpro.example.com/fullchain.pem /etc/dehydrated/certs/sortplanpro.example.com/chain.pem bigip1.example.com
/etc/dehydrated/hooks/dehydrated-bigip-common: line 381: 7: unbound variable
+ remove_lock
+ rm -f /run/dehydrated/lock
[root@corpadmin3 hooks]#
Sander-agfa commented 5 years ago

Interesting, line 381 refers to Timestamp / Bigip device variable not being set. I'll try to replicate this.