f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0

No SSL profile reference in conversion #27

Closed prestonhashworth closed 3 years ago

prestonhashworth commented 3 years ago

Performed "Convert With ACC" using the F5 ACC Chariot extension v1.11.0 on the app.conf below, and the resulting declaration is missing any SSL profile reference. The SSL profile config is not listed in the unSupported section of the log output either, so nothing in the log flags the omission:

ltm virtual /Common/application1.prestonashworth.com_443 {
    creation-time 2020-01-18:17:56:36
    destination /Common/10.10.0.101:443
    ip-protocol tcp
    last-modified-time 2021-02-04:22:18:00
    mask 255.255.255.255
    pool /Common/app1.service_discovery.app/app1.service_discovery_pool
    profiles {
        /Common/application1.prestonashworth.com_2020 {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/SSL_client_ciphers_selected
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm pool /Common/app1.service_discovery.app/app1.service_discovery_pool {
    app-service /Common/app1.service_discovery.app/app1.service_discovery
    load-balancing-mode least-connections-member
    members {
        /Common/172.28.0.154:80 {
            address 172.28.0.154
            description i-06939aaacd7c6321d-private
        }
        /Common/172.28.0.25:80 {
            address 172.28.0.25
            description i-088eeb216d051cf4c-private
        }
        /Common/172.28.0.32:80 {
            address 172.28.0.32
            description i-05b86bb44a52c3dfa-private
        }
        /Common/172.28.0.93:80 {
            address 172.28.0.93
            description i-08bd9d9e449d8517c-private
        }
    }
    monitor /Common/http
}
ltm profile client-ssl /Common/application1.prestonashworth.com_2020 {
    app-service none
    cert-key-chain {
        application1_application1_0 {
            cert /Common/application1.crt
            chain /Common/application1.crt
            key /Common/application1.key
        }
    }
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
ltm rule /Common/SSL_client_ciphers_selected {
when HTTP_REQUEST {
    log local0.notice "[SSL::cipher version] - Client [IP::client_addr]:[TCP::client_port] -> HostHeaderName/URI [HTTP::host][HTTP::uri] -"
}
}

This is the debug log output (with F5 Extension setting Log level set to verbose and NGINX log level set to debug):

[2021-05-24T21:05:03.496Z] [INFO]: f5.chariot.convert called
[2021-05-24T21:05:03.496Z] [DEBUG]: f5.chariot.convert text found
[2021-05-24T21:05:04.277Z] [DEBUG]: ACC METADATA {
  recognized: {
    'ltm virtual /Common/application1.prestonashworth.com_443': {
      'creation-time': '2020-01-18:17:56:36',
      destination: '/Common/10.10.0.101:443',
      'ip-protocol': 'tcp',
      'last-modified-time': '2021-02-04:22:18:00',
      mask: '255.255.255.255',
      pool: '/Common/app1.service_discovery.app/app1.service_discovery_pool',
      profiles: '{',
      '/Common/http': {},
      '/Common/tcp': {},
      '}': '',
      rules: '{',
      '/Common/SSL_client_ciphers_selected': '',
      'serverssl-use-sni': 'disabled',
      source: '0.0.0.0/0',
      'translate-address': 'enabled',
      'translate-port': 'enabled'
    },
    'ltm profile client-ssl /Common/application1.prestonashworth.com_2020': {
      'app-service': 'none',
      'cert-key-chain': '{',
      '}': '',
      'defaults-from': '/Common/clientssl',
      'inherit-ca-certkeychain': 'true',
      'inherit-certkeychain': 'false'
    },
    'ltm rule /Common/SSL_client_ciphers_selected': 'when HTTP_REQUEST {\r\n' +
      '    log local0.notice "[SSL::cipher version] - Client [IP::client_addr]:[TCP::client_port] -> HostHeaderName/URI [HTTP::host][HTTP::uri] -"\r\n' +
      '}\r'
  },
  supported: {
    'ltm virtual /Common/application1.prestonashworth.com_443': {
      'creation-time': '2020-01-18:17:56:36',
      destination: '/Common/10.10.0.101:443',
      'ip-protocol': 'tcp',
      'last-modified-time': '2021-02-04:22:18:00',
      mask: '255.255.255.255',
      pool: '/Common/app1.service_discovery.app/app1.service_discovery_pool',
      profiles: '{',
      '/Common/http': {},
      '/Common/tcp': {},
      '}': '',
      rules: '{',
      '/Common/SSL_client_ciphers_selected': '',
      'serverssl-use-sni': 'disabled',
      source: '0.0.0.0/0',
      'translate-address': 'enabled',
      'translate-port': 'enabled'
    },
    'ltm profile client-ssl /Common/application1.prestonashworth.com_2020': {
      'app-service': 'none',
      'cert-key-chain': '{',
      '}': '',
      'defaults-from': '/Common/clientssl',
      'inherit-ca-certkeychain': 'true',
      'inherit-certkeychain': 'false'
    },
    'ltm rule /Common/SSL_client_ciphers_selected': 'when HTTP_REQUEST {\r\n' +
      '    log local0.notice "[SSL::cipher version] - Client [IP::client_addr]:[TCP::client_port] -> HostHeaderName/URI [HTTP::host][HTTP::uri] -"\r\n' +
      '}\r'
  },
  unSupported: {
    'ltm pool /Common/app1.service_discovery.app/app1.service_discovery_pool': {
      'app-service': '/Common/app1.service_discovery.app/app1.service_discovery',
      'load-balancing-mode': 'least-connections-member',
      members: '{',
      '}': '',
      monitor: '/Common/http'
    }
  },
  declarationInfo: {
    classes: { iRule: 1, Service_Generic: 1 },
    maps: {
      applications: [ '/Common/Shared' ],
      objects: [
        '/Common/Shared/application1.prestonashworth.com_443',
        '/Common/Shared/SSL_client_ciphers_selected'
      ],
      tenants: [ '/Common' ]
    },
    total: 2
  }
}

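And this is the resulting declaration. The port 443 virtual server comes out as a Service_Generic with no serverTLS property, and no TLS_Server or Certificate object is generated: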

{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "urn:uuid:313786db-56e1-4c36-b3b7-cd96d6035720",
    "label": "Converted Declaration",
    "remark": "Auto-generated by AS3 Config Converter",
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "application1.prestonashworth.com_443": {
                "layer4": "tcp",
                "pool": "/Common/app1.service_discovery.app/app1.service_discovery_pool",
                "iRules": [
                    {
                        "use": "0"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_Generic",
                "virtualAddresses": [
                    "10.10.0.101"
                ],
                "virtualPort": 443,
                "persistenceMethods": [],
                "snat": "none"
            },
            "SSL_client_ciphers_selected": {
                "class": "iRule",
                "iRule": {
                    "base64": "d2hlbiBIVFRQX1JFUVVFU1Qgew0KICAgIGxvZyBsb2NhbDAubm90aWNlICJbU1NMOjpjaXBoZXIgdmVyc2lvbl0gLSBDbGllbnQgW0lQOjpjbGllbnRfYWRkcl06W1RDUDo6Y2xpZW50X3BvcnRdIC0+IEhvc3RIZWFkZXJOYW1lL1VSSSBbSFRUUDo6aG9zdF1bSFRUUDo6dXJpXSAtIg0KfQ0="
                }
            }
        }
    }
}
mdditt2000 commented 3 years ago

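Sorry for the delay in responding. Your issues are mostly resolved. After conversion, the certs are getting added correctly. What is not correct is the "certificate": "/Common/Shared/application1" reference, but this is getting fixed in ACC 1.13: https://github.com/f5devcentral/f5-as3-config-converter/issues/25 (Note that the converted TLS_Server below has tls1_0Enabled and tls1_1Enabled set to true, so check the protocol settings against your TLS policy before deploying the declaration.)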

 "application1": {
                "class": "Certificate",
                "certificate": {
                    "bigip": "/Common/application1.crt"
                },
                "chainCA": {
                    "bigip": "/Common/application1.crt"
                },
                "privateKey": {
                    "bigip": "/Common/application1.key"
                }
            },
            "application1.prestonashworth.com_2020": {
                "certificates": [
                    {
                        "certificate": "/Common/Shared/application1"
                    }
                ],
                "class": "TLS_Server",
                "tls1_0Enabled": true,
                "tls1_1Enabled": true,
                "tls1_2Enabled": true,
                "tls1_3Enabled": false,
                "singleUseDhEnabled": false,
                "insertEmptyFragmentsEnabled": true
            },
            "SSL_client_ciphers_selected": {
                "class": "iRule",
                "iRule": {
                    "base64": "d2hlbiBIVFRQX1JFUVVFU1QgewogICAgbG9nIGxvY2FsMC5ub3RpY2UgIltTU0w6OmNpcGhlciB2ZXJzaW9uXSAtIENsaWVudCBbSVA6OmNsaWVudF9hZGRyXTpbVENQOjpjbGllbnRfcG9ydF0gLT4gSG9zdEhlYWRlck5hbWUvVVJJIFtIVFRQOjpob3N0XVtIVFRQOjp1cmldIC0iCn0="
                }
            }
        }
    }
}

https://github.com/mdditt2000/f5-appsvcs-acc/blob/master/Github/27/as3-output.json

This issue with the incorrect cert reference is getting resolved in ACC 1.13:

                "certificates": [
                    {
                        "certificate": "/Common/Shared/application1"
                    }
mdditt2000 commented 3 years ago

Issue is resolved in ACC 1.12. Closing issue