
HTTPS cert/key/chain reference missing in the ACC output #15

Closed
rjouhann opened this issue Feb 22, 2021 · 3 comments
Labels: bug (Something isn't working), in progress, jira (Jira created for this issue)

Comments

@rjouhann

Environment

  • Application Services Version: AS3.25
  • BIG-IP Version: 15.1

Summary

The below example is trying to convert a basic HTTPS app service with a client-ssl profile referenced with cert, keys and chain in /Common. The AS3 config converted references the cert, key and chain in an object which does not exist (/Common/Shared/wildcard_demo_com_nov-2021).

The SSL cert and key should ALWAYS be referenced in the /Common partition as 99% of customers manage their certificates and keys outside the AS3 declaration using a PKI (such as Venafi, Let's Encrypt, etc...). Certificates and keys should never be converted to PEM format.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert the following config:
ltm virtual /afbpath_demo_com/npt_tcp_443_vs/serviceMain {
    connection-limit 10000
    creation-time 2020-09-16:10:14:01
    description npt_tcp_443_vs
    destination /afbpath_demo_com/1.1.1.92:443
    ip-protocol tcp
    last-modified-time 2020-09-16:10:14:01
    mask 255.255.255.255
    pool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_tcp_443_pool
    profiles {
        /Common/demo-https { }
        /Common/demo-tcp-lan {
            context serverside
        }
        /Common/demo-tcp-progressive {
            context clientside
        }
        /Common/wildcard.demo.com_clientssl {
            context clientside
        }
        /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_serverssl {
            context serverside
        }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_snatpool
        type snat
    }
    translate-address enabled
    translate-port enabled
}
ltm pool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_tcp_443_pool {
    load-balancing-mode predictive-member
    members {
        /Common/10.92.224.37:443 {
            address 10.92.224.37
            metadata {
                source {
                    value declaration
                }
            }
        }
    }
    monitor min 1 of { /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_monitor }
    service-down-action reset
}
ltm profile http /Common/demo-https {
    app-service none
    defaults-from /Common/demo-http
    hsts {
        mode enabled
    }
    proxy-type reverse
}
ltm profile tcp /Common/demo-tcp-lan {
    app-service none
    defaults-from /Common/f5-tcp-lan
}
ltm profile tcp /Common/demo-tcp-progressive {
    app-service none
    defaults-from /Common/f5-tcp-progressive
}
ltm profile client-ssl /Common/wildcard.demo.com_clientssl {
    app-service none
    cert-key-chain {
        wildcard_demo_com_nov-2021_DigiCertSHA2SecureServerCA-2020_0 {
            cert /Common/wildcard_demo_com_nov-2021
            chain /Common/DigiCertSHA2SecureServerCA-2020
            key /Common/wildcard_demo_com_nov-2021
        }
    }
    defaults-from /Common/demo_cipher
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
ltm snatpool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_snatpool {
    members {
        /afbpath_demo_com/npt_tcp_443_vs/2.2.2.92
    }
}
  2. AS3 converted declaration:
{
    "class": "ADC",
    "schemaVersion": "3.24.0",
    "id": "urn:uuid:8e2c85fd-2292-4acd-a696-4cc2ec65a94a",
    "label": "Converted Declaration",
    "remark": "Auto-generated by Project Charon",
    "afbpath_demo_com": {
        "class": "Tenant",
        "npt_tcp_443_vs": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "maxConnections": 10000,
                "remark": "npt_tcp_443_vs",
                "layer4": "tcp",
                "pool": "afbpath_demo_com_npt_tcp_443_pool",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "profileHTTP": {
                    "use": "/Common/Shared/demo-https"
                },
                "profileTCP": {
                    "egress": {
                        "use": "/Common/Shared/demo-tcp-lan"
                    },
                    "ingress": {
                        "use": "/Common/Shared/demo-tcp-progressive"
                    }
                },
                "serverTLS": "wildcard.demo.com_clientssl",
                "redirect80": true,
                "virtualAddresses": [
                    "1.1.1.92"
                ],
                "virtualPort": 443,
                "persistenceMethods": [],
                "snat": {
                    "use": "/afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_snatpool"
                }
            },
            "afbpath_demo_com_npt_tcp_443_pool": {
                "loadBalancingMode": "predictive-member",
                "members": [
                    {
                        "addressDiscovery": "static",
                        "servicePort": 443,
                        "serverAddresses": [
                            "10.92.224.37"
                        ],
                        "shareNodes": true
                    }
                ],
                "serviceDownAction": "reset",
                "class": "Pool",
                "minimumMonitors": 1,
                "monitors": [
                    {
                        "use": "/afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_monitor"
                    }
                ]
            },
            "afbpath_demo_com_npt_snatpool": {
                "snatAddresses": [
                    "2.2.2.92"
                ],
                "class": "SNAT_Pool"
            }
        }
    },
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "demo-https": {
                "hstsInsert": true,
                "proxyType": "reverse",
                "class": "HTTP_Profile"
            },
            "demo-tcp-lan": {
                "class": "TCP_Profile"
            },
            "demo-tcp-progressive": {
                "class": "TCP_Profile"
            },
            "wildcard.demo.com_clientssl": {
                "certificates": [
                    {
                        "certificate": "/Common/Shared/wildcard_demo_com_nov-2021"
                    }
                ],
                "class": "TLS_Server",
                "tls1_0Enabled": true,
                "tls1_1Enabled": true,
                "tls1_2Enabled": true,
                "tls1_3Enabled": false,
                "singleUseDhEnabled": false,
                "insertEmptyFragmentsEnabled": true
            }
        }
    }
}

Expected Behavior

The SSL cert and key should ALWAYS be referenced in the /Common partition as 99% of customers manage their certificates and keys outside the AS3 declaration using a PKI (such as Venafi, Let's Encrypt, etc...).

"wildcard.demo.com_clientssl": {
    "class": "TLS_Server",
    "certificates": [
        {
            "certificate": "/Common/Shared/wildcard_demo_com_nov-2021"
        }
    ]
},
"wildcard_demo_com_nov-2021": {
    "class": "Certificate",
    "privateKey": {
        "bigip": "/Common/wildcard_demo_com_nov-2021"
    },
    "certificate": {
        "bigip": "/Common/wildcard_demo_com_nov-2021"
    },
    "chain": {
        "bigip": "/Common/DigiCertSHA2SecureServerCA-2020"
    }
}
@rjouhann rjouhann added the bug Something isn't working label Feb 22, 2021
@thesaxonedone

thesaxonedone commented Feb 24, 2021

I ran into this exact issue as well. While I'm new to AS3 (and therefore my input might not come with the backing of experience or knowing exactly what I'm talking about), rather than updating ACC to directly reference /Common/Shared in multiple spots, I feel the following would also be a good solution as it limits static references to /Common to within the Certificate class.

Either way, ACC as it stands is in a broken state for HTTPS apps that use a cert and/or SSL profile in /Common/, which, as @rjouhann stated, is the vast majority of cases.

"wildcard.demo.com_clientssl": {
    "class": "TLS_Server",
    "certificates": [
        {
            "certificate": "wildcard_demo_com_nov-2021"
        }
    ]
},
"wildcard_demo_com_nov-2021": {
    "class": "Certificate",
    "privateKey": {
        "bigip": "/Common/wildcard_demo_com_nov-2021"
    },
    "certificate": {
        "bigip": "/Common/wildcard_demo_com_nov-2021"
    },
    "chain": {
        "bigip": "/Common/DigiCertSHA2SecureServerCA-2020"
    }
}
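A small lint, added here as an example and not part of ACC or AS3, that covers both the dangling reference in the converted declaration above and the two fixes proposed in this thread: it resolves each TLS_Server certificate reference, absolute or bare-name relative, against the Certificate objects actually present in the declaration, and separately flags Certificate objects that embed PEM text instead of bigip pointers. The declaration excerpts are constructed from the fragments quoted in the issue.

```python
import json

# Constructed excerpt of the converted declaration from the issue: the TLS_Server
# points at /Common/Shared/wildcard_demo_com_nov-2021, but no Certificate object exists there.
CONVERTED = {
    "class": "ADC", "schemaVersion": "3.24.0",
    "Common": {"class": "Tenant", "Shared": {
        "class": "Application", "template": "shared",
        "wildcard.demo.com_clientssl": {
            "class": "TLS_Server",
            "certificates": [{"certificate": "/Common/Shared/wildcard_demo_com_nov-2021"}]}}}}

# The same excerpt with the Certificate object the reporter expects: bigip pointers into /Common.
EXPECTED = json.loads(json.dumps(CONVERTED))
EXPECTED["Common"]["Shared"]["wildcard_demo_com_nov-2021"] = {
    "class": "Certificate",
    "certificate": {"bigip": "/Common/wildcard_demo_com_nov-2021"},
    "privateKey": {"bigip": "/Common/wildcard_demo_com_nov-2021"},
    "chain": {"bigip": "/Common/DigiCertSHA2SecureServerCA-2020"},
}

def iter_objects(decl):
    """Yield (tenant, application, name, obj) for every class-bearing object in the declaration."""
    for tenant, t in decl.items():
        if isinstance(t, dict) and t.get("class") == "Tenant":
            for app, a in t.items():
                if isinstance(a, dict) and a.get("class") == "Application":
                    for name, obj in a.items():
                        if isinstance(obj, dict) and "class" in obj:
                            yield tenant, app, name, obj

def resolve(ref, tenant, app):
    """Absolute /Tenant/Application/name paths stay as-is; a bare name is relative to the
    referencing object's own application (the form thesaxonedone proposed)."""
    return ref if ref.startswith("/") else f"/{tenant}/{app}/{ref}"

def dangling_certificate_refs(decl):
    """List (tls_server_path, certificate_path) pairs whose target is not a Certificate object."""
    certs = {f"/{t}/{a}/{n}" for t, a, n, o in iter_objects(decl) if o["class"] == "Certificate"}
    return [(f"/{t}/{a}/{n}", resolve(e["certificate"], t, a))
            for t, a, n, o in iter_objects(decl) if o["class"] == "TLS_Server"
            for e in o.get("certificates", []) if resolve(e["certificate"], t, a) not in certs]

def inline_pem_certificates(decl):
    """List Certificate objects that embed PEM text instead of a {"bigip": ...} pointer,
    which the reporter says a converter should never emit."""
    return [f"/{t}/{a}/{n}" for t, a, n, o in iter_objects(decl) if o["class"] == "Certificate"
            and any(isinstance(o.get(k), str) for k in ("certificate", "privateKey", "chain"))]
```

Running `dangling_certificate_refs` on CONVERTED reports the unresolved /Common/Shared/wildcard_demo_com_nov-2021 reference; on EXPECTED it reports nothing.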

@mdditt2000

Agree. Create CHARON-182 for PM tracking. @rjouhann this is the higher priority for ACC 1.11

@mdditt2000 mdditt2000 added the jira Jira created for this issue label Feb 24, 2021
@mdditt2000 mdditt2000 added this to the 1.11 milestone Mar 8, 2021
@p-semenov-f5
Collaborator

Finished
