Forum Discussion

Faintly_Lucky
Dec 14, 2012

Cert and Key files are not in /config/ssl/ssl.* subdirectories after 11.x to 11.x upgrade

I've searched around Dev Central and the KB and can't find any info on this. Maybe I haven't used the right search parameters, but there it is.

After doing an upgrade from any 11.x version to another 11.x version, the ssl certificate store (/config/ssl/ssl.crt) and key store (/config/ssl/ssl.key) don't contain ANY of the certificates/keys that I've imported. They only contain the system certs/keys.

The certs and keys can be found in the file store, of course, but haven't been populated in the traditional stores.

This has caused me some major issues when rebuilding boxes, not to mention that tmsh lists a file object that doesn't actually exist at the specified path.

Why aren't the files put in the proper place during the upgrade? Is this intentional? If so, why?

Thanks in advance for any insight.

Lucky

9 Replies

  • It is intentional but I'm afraid I don't know the reason why. Just out of interest what point release did you upgrade to?
  • This has happened when upgrading to every major revision and hotfix level.

    11.0.0 to 11.0.0 HF*
    11.1 to 11.1 HF*
    11.0 to 11.1 HF*
    11.1 to 11.2.0
    11.1 to 11.2.0 HF*
    11.2.0 to 11.2.0 HF*

    I have no idea why this would be intentional. I don't mind the certificates and keys being put in the file store, but those of us (in my company) who know how to manage things via CLI and depend on it for the speed it provides aren't very happy about it, not to mention that it has caused a few problems when restoring configurations. I've got over 60 pairs of F5s that I'm responsible for and doing every single CSR request or renewal import through the GUI just won't work. That's why I've written tools to automate the process of CSR generation and cert/key installation via CLI.
  • Lucky, apologies but perhaps I've misunderstood. Are you saying that when you import certs/keys (via CLI or GUI) they are placed in the old location and then when you do an upgrade they get moved?
  • Steve,

    Process is:

    Certificate and key are SCPed to the SSL.crt and SSL.key dirs.

    I import certificate and key through CLI (create file objects) and create the SSL profiles.

    I do an upgrade and those files are no longer present in those directories post-upgrade. They are only in the file store in the config directory.

    The only way that I get them back in there is re-uploading them to each box individually. Those directories also no longer sync.

    Thinking that this might have something to do with the UCS inclusion files, but I want to know why this is happening before I start messing around with anything.

    Thanks for your quick replies thus far.

    Lucky
  • Just to clarify, I mean after rebooting into the newly installed volume when I say post-upgrade.
  • Actually, I think I now remember that the directories changed due to Device Service Clustering and Device Groups, hence why the original folders don't sync.

    Is there a reason you can't use the new directories and change your scripts as appropriate? I'd assume the upgrade is moving the files to the new directory automatically as that's where they should now go.
  • Here's a thread on this:

    http://devcentral.f5.com/community/groupdetails/tabid/1082223/aff/2221/default.aspx

    I think Steve is right that only local certs are in the old pre-v11 directories. The rest are imported into the filestore. You'll need to modify your steps to copy the certs to a temp directory and then import them and reference them in SSL profiles via tmsh.

    Aaron
  • Aaron and Steve:

    Thank you for your replies on this.

    It's not that I can't modify the scripts, but it's more the lack of time needed to do so. I was really hoping that there was a simple way to get around this.
  • The new locations are part of the CMI configuration in v11 (both for clustering and partitioning). As such, you need to use TMSH to move the files into the proper filesystem objects.

    Here's a little shell script I wrote to copy/replace certs and keys in the filesystems. SCP the .p12 files up to a working directory and run this script from there.

    #!/bin/bash
    if [ "$1" != "" ]; then
        passwd=$1
        # process .p12 files
        for g in *.p12
        do
            [ -e "$g" ] || continue   # no .p12 files present: skip the literal glob
            # extract the name from the .p12 file (strip the extension)
            pname=${g%.p12}

            # export the private key
            openssl pkcs12 -in "$g" -out "$pname.key" -nodes -clcerts -nocerts -passin pass:"$passwd"

            # export the certificate
            openssl pkcs12 -in "$g" -out "$pname.crt" -nodes -clcerts -nokeys -passin pass:"$passwd"
        done

        # process exported certificates
        for f in *.crt
        do
            [ -e "$f" ] || continue
            # extract the name from the cert file (strip the extension)
            fname=${f%.crt}

            # delete the old ones first
            tmsh delete sys crypto cert "$fname"
            tmsh delete sys crypto key "$fname"

            # import the cert and key
            tmsh install sys crypto cert "$fname" from-local-file "$fname.crt"
            tmsh install sys crypto key "$fname" from-local-file "$fname.key"
        done
        echo "Done"
    else
        echo ""
        echo "Usage: certpush.sh <.p12 export password>"
        echo ""
    fi
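As an added example (not from the thread or from F5), here is a POSIX shell version of the procedure Aaron describes: stage the .crt/.key pairs in a working directory, import them with tmsh, and reference them from an SSL profile, with the checks you want before touching tmsh (a complete pair, a safe object name, and a post-install listing to confirm the filestore object exists). The `create ltm profile client-ssl <p> cert <c> key <k>` form and the reuse of the install name in the profile are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: stage *.crt/*.key pairs in a
# working directory, import them into the v11 filestore with tmsh, bind them to
# a client-ssl profile, and confirm the object exists. DRY_RUN=1 prints the
# tmsh commands instead of running them, so the logic can be checked off-box.

DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Object name = file name minus its last extension. Unlike awk -F.p12, where "."
# matches any character, this cannot split "shop12.example.com.p12" wrongly.
object_name() {
    basename "${1%.*}"
}

# Allow only [A-Za-z0-9._-] and no leading ".", so a stray file name is never
# handed to tmsh or the shell as anything other than an object name.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Import one pair and bind it to a profile of the same name. Nothing reaches
# tmsh unless both halves exist, so a half-imported pair cannot occur.
# Assumption: the profile accepts the names used at install time.
import_pair() {
    crt="$1"
    key="${crt%.crt}.key"
    name=$(object_name "$crt")
    valid_name "$name" || { echo "skip: bad object name '$name'" >&2; return 1; }
    [ -f "$key" ] || { echo "skip: no matching key for $crt" >&2; return 1; }
    run tmsh install sys crypto cert "$name" from-local-file "$crt"
    run tmsh install sys crypto key "$name" from-local-file "$key"
    run tmsh create ltm profile client-ssl "$name" cert "$name" key "$name"
    # The thread's complaint was a listed object with no file behind it; check.
    run tmsh list sys file ssl-cert "$name"
}

for c in ./*.crt; do
    [ -e "$c" ] && import_pair "$c"
done
```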