f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0

Empty SSL certificates #18

Closed makagonr closed 3 years ago

makagonr commented 3 years ago

Environment

Summary

ACC returns an empty certificate object for certificates other than the default one.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert the following config: example.txt

  2. Observe the following output: (No error is issued)

Expected Behavior

Expected output would be something like:

"Symantec_Class_3_Extended_Validation_SHA256_SSL_CA_2023": {
   "class": "Certificate",
   "certificate": {
      "bigip": "/Common/warenkorb.otto.de-2018.crt"
   },
   "privateKey": {
      "bigip": "/Common/warenkorb.otto.de-2017.key"
   }
}

Actual Behavior

"warenkorb_otto_de_2018": {
   "class": "Certificate"
},
"Symantec_Class_3_Extended_Validation_SHA256_SSL_CA_2023": {
   "class": "Certificate"
},

mdditt2000 commented 3 years ago

Filed issue CHARON-202 for PM tracking

p-semenov-f5 commented 3 years ago

If you want to convert a config with certificates, you should use a UCS file, because it has all keys and certificates inside.

makagonr commented 3 years ago

Hello,

According to previous agreements, we do not want to pass the certificate itself to AS3; we want to keep it safe in the encrypted UCS only. We only need to generate appropriate AS3 objects with "bigip" references.

Regards Rafał Makagon

On Sat, 13 Mar 2021, 00:20, p-semenov-f5 @.***> wrote:

If you want convert config with certificates, you should use UCS file. Because it has all keys and certificates inside.


mdditt2000 commented 3 years ago

@makagonr if the certs and TLS profiles are created in Common, ACC will simply reference the certs, profiles etc as shown in the example

"webtls": {
    "allowExpiredCRL": false,
    "authenticationFrequency": "one-time",
    "c3dOCSPUnknownStatusAction": "drop",
    "cacheTimeout": 3600,
    "certificates": [
        {
            "certificate": "/Common/webcert1"
        },
        {
            "certificate": "/Common/webcert2"
        }
    ]
},
"webcert1": {
    "class": "Certificate",
    "certificate": {
        "bigip": "/Common/webcert1.crt"
    },
    "privateKey": {
        "bigip": "/Common/webcert1.key"
    },
    "chain": {
        "bigip": "/Common/webcert1-bundle.crt"
    }
}

makagonr commented 3 years ago

Hello,

Thanks, Mark, for this information.

How about if the certificates are placed in other partitions (tenants)?

Regards Rafał Makagon

On Tue, 16 Mar 2021 at 23:51, mark dittmer @.***> wrote:

@makagonr https://github.com/makagonr if the certs and TLS profiles are created in Common, ACC will simply reference the certs, profiles etc as shown in the example

makagonr commented 3 years ago

@makagonr if the certs and TLS profiles are created in Common, ACC will simply reference the certs, profiles etc as shown in the example

"webtls": {
    "allowExpiredCRL": false,
    "authenticationFrequency": "one-time",
    "c3dOCSPUnknownStatusAction": "drop",
    "cacheTimeout": 3600,
    "certificates": [
        {
            "certificate": "/Common/webcert1"
        },
        {
            "certificate": "/Common/webcert2"
        }
    ]
},
"webcert1": {
    "class": "Certificate",
    "certificate": {
        "bigip": "/Common/webcert1.crt"
    },
    "privateKey": {
        "bigip": "/Common/webcert1.key"
    },
    "chain": {
        "bigip": "/Common/webcert1-bundle.crt"
    }
}

Mark, could you share the config that you used to get this output? In the example.txt file that I have sent, all the certs/keys/profiles are placed in the Common partition, but I still get empty certificate objects.

p-semenov-f5 commented 3 years ago

Finished
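
A check that can be run on converter output before it is deployed, flagging the empty Certificate objects reported in this issue and any Certificate field that carries inline material instead of a "bigip" reference. This is an added example, not part of the thread or of ACC; the function names and the `inlineKey` sample object are hypothetical.

```javascript
// Added example, not ACC code. Policy assumed from the thread: every
// Certificate field must be a {"bigip": "/Partition/name"} reference.
const FIELDS = ['certificate', 'privateKey', 'chain'];
// Classify one field of a Certificate object.
function classifyField(value) {
  if (value === undefined) return 'missing';
  if (typeof value === 'string') {
    return value.includes('-----BEGIN') ? 'inline-pem' : 'inline-string';
  }
  if (value !== null && typeof value === 'object' && typeof value.bigip === 'string') {
    return value.bigip.startsWith('/') ? 'bigip-ref' : 'bad-ref';
  }
  return 'unknown';
}

// Walk a declaration (or fragment) and collect findings per Certificate.
function auditCertificates(node, path = '', findings = []) {
  if (node === null || typeof node !== 'object') return findings;
  if (node.class === 'Certificate') {
    if (classifyField(node.certificate) === 'missing') {
      findings.push({ path, issue: 'empty-certificate' });
    }
    for (const field of FIELDS) {
      const kind = classifyField(node[field]);
      if (kind !== 'missing' && kind !== 'bigip-ref') {
        findings.push({ path, issue: `${field}:${kind}` });
      }
    }
    return findings;
  }
  for (const [key, child] of Object.entries(node)) {
    auditCertificates(child, path ? `${path}/${key}` : key, findings);
  }
  return findings;
}

// Constructed sample: first two objects mirror the thread, third is invented.
const sample = {
  warenkorb_otto_de_2018: { class: 'Certificate' },
  webcert1: {
    class: 'Certificate',
    certificate: { bigip: '/Common/webcert1.crt' },
    privateKey: { bigip: '/Common/webcert1.key' },
    chain: { bigip: '/Common/webcert1-bundle.crt' },
  },
  inlineKey: { class: 'Certificate', certificate: { bigip: '/Common/x.crt' },
    privateKey: '-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----' },
};
console.log(auditCertificates(sample));
```

An empty result means every Certificate object in the fragment uses "bigip" references only.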