Identify and cleanse expired and soon to expire certs from BIG-IP

Problem this snippet solves:
  • Identify Expired and Soon to Expire Certs (including their use on a virtual, client-ssl profile)
  • If desired, script can delete client-ssl profile, cert/key for expired certs
  • Script can be run with argument of --days to indicate how many days prior to expiration you consider soon to expire
  • --reportonly argument will never prompt to delete configuration objects
How to use this snippet:

usage: f5_old_cert_key_profile_cleanup.py [-h] --bigip BIGIP --user USER [--days DAYS] [--reportonly]

A tool to identify expiring and soon to expire certs and related config detritus and assist user with pruning it from configuration

optional arguments:
  -h, --help     show this help message and exit
  --bigip BIGIP  IP or hostname of BIG-IP Management or Self IP
  --user USER    username to use for authentication
  --days DAYS    number of days before expiration to consider cert as expiring soon
  --reportonly   produce report only; do not prompt for configuration object deletion

Tested on Version:
11.5
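As an added illustration of the logic the description above outlines (this is not the snippet's own code): certs are classified by expiry against the --days threshold, mapped to the client-ssl profiles that reference them and to the virtuals those profiles are attached to, and, going one step beyond the description, any server-ssl profile on the same virtual is noted, since SSL-bridging virtuals need that handled too. The sample data is constructed, the field names are assumptions modelled on iControl REST responses, and the 'items' guard covers the case where a failed login returns an error document instead of a collection.

```python
DAY, NOW = 86400, 1_700_000_000  # fixed "now" keeps the example deterministic
# Constructed sample data shaped like iControl REST responses; field names are assumptions
# modelled on /mgmt/tm/sys/file/ssl-cert, /mgmt/tm/ltm/profile/client-ssl and /mgmt/tm/ltm/virtual.
CERTS = {"items": [{"fullPath": "/Common/old.crt", "expirationDate": NOW - 10 * DAY},
                   {"fullPath": "/Common/soon.crt", "expirationDate": NOW + 20 * DAY},
                   {"fullPath": "/Common/default.crt", "expirationDate": NOW + 400 * DAY}]}
PROFILES = {"items": [{"fullPath": "/Common/old-clientssl", "cert": "/Common/old.crt", "key": "/Common/old.key"},
                      {"fullPath": "/Common/stale-clientssl", "cert": "/Common/old.crt", "key": "/Common/old.key"},
                      {"fullPath": "/Common/soon-clientssl", "cert": "/Common/soon.crt", "key": "/Common/soon.key"},
                      {"fullPath": "/Common/clientssl", "cert": "/Common/default.crt", "key": "/Common/default.key"}]}
VIRTUALS = {"items": [
    {"fullPath": "/Common/vs_bridge", "profilesReference": {"items": [
        {"fullPath": "/Common/old-clientssl", "context": "clientside"},
        {"fullPath": "/Common/serverssl", "context": "serverside"}]}},
    {"fullPath": "/Common/vs_plain", "profilesReference": {"items": [
        {"fullPath": "/Common/clientssl", "context": "clientside"}]}}]}

def items(collection, what):
    """A failed login (HTTP 401) yields an error document with no 'items'; fail clearly, not with KeyError."""
    if "items" not in collection:
        raise RuntimeError("no 'items' in %s response; check authentication" % what)
    return collection["items"]

def classify_certs(certs, days, now=NOW):
    """Return {fullPath: 'expired' | 'expiring'} for certs past or within `days` of expiry."""
    status = {}
    for cert in items(certs, "ssl-cert"):
        remaining = cert["expirationDate"] - now
        if remaining <= days * DAY:
            status[cert["fullPath"]] = "expired" if remaining < 0 else "expiring"
    return status

def build_report(certs, profiles, virtuals, days):
    """Per client-ssl profile on a flagged cert: its virtuals, plus any server-ssl profile on the same virtual."""
    status, report = classify_certs(certs, days), []
    for prof in [p for p in items(profiles, "client-ssl") if p.get("cert") in status]:
        entry = {"profile": prof["fullPath"], "cert": prof["cert"], "key": prof.get("key"),
                 "status": status[prof["cert"]], "virtuals": []}
        for vs in items(virtuals, "virtual"):
            attached = vs.get("profilesReference", {}).get("items", [])
            if any(p["fullPath"] == prof["fullPath"] for p in attached):
                serverssl = [p["fullPath"] for p in attached if p.get("context") == "serverside"]
                entry["virtuals"].append({"virtual": vs["fullPath"], "serverssl": serverssl})
        report.append(entry)
    return report

def safe_to_delete(report):
    """Expired profiles attached to no virtual: the only ones the cleanup should remove."""
    return [e["profile"] for e in report if e["status"] == "expired" and not e["virtuals"]]
```

A profile still attached to a virtual is reported but never offered for deletion; fixing that virtual first is left to the operator, as the comments below discuss.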
Comments on this Snippet
Comment made 4 months ago by Naumin Dave 257

I am unable to find a specific explanation of the execution procedure. Can you please guide? This will help me as well as many other users who want to try this.

0
Comment made 4 months ago by Chad Jenison

Could you clarify what you mean by execution procedure? Are you asking how to get the script to execute at a basic level? If so, either make it executable (chmod +x ...) and then run it (./f5_old_cert_key_profile_cleanup.py -h) or run it as an argument to python (e.g. "python f5_old_cert_key_profile_cleanup.py -h").

0
Comment made 4 months ago by Naumin Dave 257

Can I run it from BIG-IQ on my LB inventory?

0
Comment made 4 months ago by Chad Jenison

It doesn't leverage BIG-IQ inventory. Theoretically you could run it from the BIG-IQ system command line, but it has no BIG-IQ interaction.

0
Comment made 4 months ago by Naumin Dave 257

Hi Chad,

I figured out how to run this script. It's working. However, could you add one condition here? If a clientssl profile is attached to a VS and has an expired cert/key, can we get an option to detach the SSL profile from the VS and then delete?

Thanks a lot for the script!

0
Comment made 4 months ago by Naumin Dave 257

OR is there any way to change the cert & key to any of the default cert/key in the clientssl profile (which has the old cert/key)? Sorry, but this is really a roadblock at this moment for the last 2 companies where I worked to prune the SSL cert/key configuration.

0
Comment made 4 months ago by Chad Jenison

Naumin, it seems based on your request that you have a large number of virtual servers that have a client-ssl profile attached to them that points to an expired SSL certificate. This seems highly unexpected as clients accessing the virtual servers would see problems because of the expired certificates. Do you have a large number of virtual servers in this state? I'd think resolving them manually by altering the virtual server to point to a client ssl profile that has a valid (unexpired) cert would be an urgent configuration change you should make.

It certainly is possible to enhance the script to do what you are requesting, but I wouldn't expect many F5 users to have active virtual servers that have an expired certificate attached (via a client-ssl profile).

0
Comment made 4 months ago by Naumin Dave 257

Thanks Chad. Yeah, I will do it manually; however, I just observed that backup is not working if we say Yes to delete the SSL profile/cert/key. I know the mybackup() function was called, but it's not working. I will debug the script and keep you posted with my results. Thanks for the script! It's really helpful.

0
Comment made 1 week ago by Naumin Dave 257

Hi Chad,

Looks like iControl REST API calls are not working in TMOS 11.x, as we are getting the below error while trying to run on 11.5.1 & 11.6.0 devices.

1. We are using correct credentials, and the same is working on a higher version.
2. We have tried admin (local user) also, but it is still not working and getting the same error msg.

As per the script's printed message, it states we are getting an HTTP 401 code.

Please help or advise if any workaround is available.

py f5_old_cert_key_profile_cleanup.py --user xxx --bigip --reportonly
Password for xxx:
attempt to obtain authentication token failed due to invalid credentials
Traceback (most recent call last):
  File "f5_old_cert_key_profile_cleanup.py", line 104, in <module>
    for cert in retrievedcerts['items']:
KeyError: 'items'

0
Comment made 1 week ago by Chad Jenison

Are you certain the credentials are correct? Additionally, is the user account you are attempting to use local to the BIG-IP or contained in a directory (e.g. LDAP) that the BIG-IP is pointed to? If this is the case, then there are known challenges with use of iControl REST with remote users in old versions of TMOS (e.g. 11.x). The workaround is to either use a local user account or upgrade to newer TMOS.

https://cdn.f5.com/product/bugtracker/ID471136.html

1
Comment made 1 week ago by Naumin Dave 257

Hi Chad,

What a perfect catch! Yes, this is the cause: my credentials were correct, but it uses remote authentication via RADIUS, and as you suggested for the workaround, using a local admin account resolves this issue. Thanks for sharing the bug ID. Just to update, there is one issue with using this script: we have to disassociate the serverssl profile from VIPs manually. VIPs that are used for SSL bridging (containing clientssl and serverssl) will be impacted if we disassociate only the clientssl profile.

So I am working on an addition to your code (maybe you can help) to disassociate the respective serverssl profile (if any) for the VIPs that have a clientssl profile with expired certs, but I'm stuck on the data formatting part; the way you did it is just perfect.

Thanks for your swift response!

0
Comment made 1 week ago by Chad Jenison

The reason I didn't tackle dissociating a clientssl profile with an expired cert from a virtual is that, in my opinion, that's something that needs fixing outside of the script, and once fixed you would then run the cleanup script.

0
Comment made 1 week ago by Naumin Dave 257

Understood, but at least can we add a function in the reportonly "for loops" to pull the serverssl profile for those VIPs that are using an expired/expiring soon clientssl profile?

0
Comment made 1 week ago by Chad Jenison

So what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile, and the hope would be that clients who connect would accept whatever cert the back-end server is offering?

I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs? Seems to me that not long after the cert expires, you'd get user reports complaining about expired cert and then you'd fix it, such that few BIG-IPs that are actively used will have expired certs attached to clientssl profiles attached to active virtual servers.

0
Comment made 1 week ago by Naumin Dave 257

"so what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile and the hope would be that clients who connect would accept whatever cert the back-end server is offering?"

Yes, we want this; however, it is OK to not remove them/untag them from the VS config via script, but at least we can get those names when using "--reportonly".

"I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs?"

I know it sounds weird, but sadly the answer is yes: we have many VSs that are UP and using expired cert profiles. It seems those are not used by app teams. Ideally those VSs should be decommissioned, but instead of following up with individuals to decommission those VIPs, we want to silently remove SSL offloading from the LB side so that their applications will work as they were working before this activity.

0