Using Ansible To Create DNS Certificates And Install Them On F5 Big IP Loadbalancers
This demo will first use the DNS method to create a letsencrypt cert, then it will build a VIP in the F5, and last it will install the letsencrypt certificate for that VIP. I then have a workflow for updating the cert and pushing it to the F5. I suppose this allows you to live in a world where you don’t have to worry about your certificates expiring anymore…it just magically works LOL.
Demo Video
Github Repo
You can find the playbooks here in my github repo.
Let’s Encrypt
First is creating certificates. LE allows for a few different methods to create certs. The most common is http, which creates a file on your webserver they verify. For this demo I wanted to create the certs on another device, then send them over to the F5, and for this I chose to use LE’s DNS option. The DNS process has you create a custom txt record on your DNS server that they can verify. I’m using cloudflare’s DNS and their API makes this stupid simple.
Let’s take a look at my cert creation playbook:
This playbook has a lot going on. I’m going to point out the important bits here.
First is how I create two private keys, one for the letsencrypt account and one for the certificate itself. Keep in mind that these MUST be different keys. I tried using the same key initially and got this error:
1 2 3 4 | TASK [Let the challenge be validated and retrieve the cert and intermediate certificate] ******************************************************************
fatal: [localhost]: FAILED! => changed=false
msg: 'Error new cert: CODE: 400 RESULT: {''type'': ''urn:ietf:params:acme:error:malformed'', ''detail'': ''Error finalizing order :: certificate public key must be different than account key'', ''status'': 400}'
other: {} |
Also note that I use acme version 2 in all of my certificate calls. This is because v1 has been deprecated, but is still shown on all of the ansible examples. If you use v1 you will have a bad time.
1 2 | acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_version: 2 |
Once the initial challenge is issued, it will pass back info that’s used to create the DNS TXT record. I’m using cloudlfare and the API call does it’s thing, then it moves on to the final step where the challenge is validated. It, unfortunately, takes a little time for the DNS entry to go completely live, so the final play has some additional configurations that account for that:
1 2 | retries: 10
delay: 12 |
Retries says that it will try this command 10 times, and delay says wait 12 seconds between each retry. This means the task will attempt for about 2 minutes, which so far has been enough time to complete everything successfully.
At this point you should now successfully have your certificates!
F5 Certificate Application
I’m now going to connect to my F5 big IP and apply the certs:
I’m using this to create my environment and install the cert, but I could continue to run this to perform cert upgrades as all of it is idempotent. This means if the script needs to make a change it will, if the F5 already exists in the desired state, then no change is made(one of my favorite features of Ansible!).
Take note when we reach the “#SSL Upload and Modification of VIP to use New Certificate” section.
I first upload the newly created cert and key pair. Next I create a client ssl profile with the newly uploaded files. Last I create a virtual server using the client ssl profile.
At this point, I’m done!
I can now schedule the cert create playbook to run on a 30 day schedule to check if there’s less than 60 days left on the cert; if there is, it will refresh the cert. Now the install script can be run again, OR this simple cert update script can be run:
This script really just runs the certificate upload task again. If the certs are the same, nothing is done, if however, they are different, then the new certificate will be applied to the F5. Pretty slick, eh?
As always, let me know how you would utilize this in your environment, how you would change it, your comments, and your questions.
Thanks and happy certing 😉