
AS3 3.44.0 - ChainCA invalid x509 - Certificate-bundle.crt #889

Open
rdegoix opened this issue Nov 8, 2024 · 1 comment
Labels
bug Something isn't working untriaged Issue needs to be reviewed for validity

Comments

@rdegoix

rdegoix commented Nov 8, 2024

Dear people,

Environment

  • Application Services Version: 3.44.0
  • BIG-IP Version: BIG-IP 17.1.1.3 Build 0.0.5 Point Release 3
  • Deploying through BIG-IQ to my F5 BIG-IP

Summary

It looks like when using an AS3 declaration with chainCA : "MyIntermediateCertificate", it gives an invalid x509 file error.
And it's complaining about another Certificate-bundle.crt, which could be the default one in F5 BIG-IP (but not the one that I uploaded previously; my current certificate is signed by an official CA. I also tried with another one, VeriSign: same issue).

If I remove the chainCA, the AS3 deployment works properly.

pwd
/config/ssl/ssl.crt

ls -lh

total 3.5M
-rw-r--r--. 1 root root 3.5M Mar 21 2024 ca-bundle.crt
-rw-r--r--. 1 root root 1.4K Aug 20 12:41 default.crt
-rw-------. 1 root root 1.3K Aug 26 17:47 dtca-bundle.crt
-rw-------. 1 root root 1.3K Aug 26 17:47 dtca.crt
-rw-------. 1 root root 1.3K Aug 26 17:47 dtdi.crt
-rw-r--r--. 1 root root 2.0K Oct 28 11:21 f5_api_com.crt
-rw-r--r--. 1 root root 2.2K Mar 21 2024 f5-ca-bundle.crt
-rw-r--r--. 1 root root 1.7K Mar 21 2024 f5-irule.crt

When doing the same thing through the F5 BIG-IP GUI, it works properly.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
 {
    "class": "AS3",
    "schemaVersion": "3.44.0",
    "action": "patch",
    "patchBody": [
      {
        "class": "ADC",
        "target": {
          "address": "X.X.X.X"
        },
        "op": "add",
        "path": "/Automation/APP_TEST_1.2.12.140_446",
        "value": {
          "class": "Application",
          "remark": "REFERENCE : NULL_REFERENCE_20241108140113",
          "schemaOverlay": "AS3-F5-HTTPS-offload-lb-existing-cert-template-big-iq-default-v2",
          "template": "https",
          "serviceMain": {
            "pool": "HTTPS_443_pool",
            "enable": true,
            "serverTLS": "HTTPS_443_client_ssl",
            "virtualPort": 446,
            "profileAnalytics": {
              "use": "Analytics_Profile"
            },
            "virtualAddresses": [
              "1.2.12.140"
            ],
            "persistenceMethods": [],
            "class": "Service_HTTPS"
          },
          "HTTPS_443_pool": {
            "members": [
              {
                "adminState": "enable",
                "servicePort": 443,
                "serverAddresses": [
                  "1.2.12.10"
                ]
              }
            ],
            "monitors": [
              {
                "use": "HTTPS_443_monitor"
              }
            ],
            "loadBalancingMode": "least-connections-member",
            "class": "Pool"
          },
          "HTTPS_443_monitor": {
            "send": "GET /\r\n",
            "receive": "none",
            "receiveDown": "",
            "adaptiveWindow": 180,
            "adaptiveLimitMilliseconds": 1000,
            "adaptiveDivergencePercentage": 100,
            "adaptiveDivergenceMilliseconds": 500,
            "class": "Monitor"
          },
          "HTTPS_443_client_ssl": {
            "certificates": [
              {
                "certificate": "Certificate"
              }
            ],
            "class": "TLS_Server"
          },
          "Certificate": {
            "certificate": {
              "bigip": "/Common/certif_customer.crt"
            },
            "chainCA": "/Common/intermediate.crt",
            "privateKey": {
              "bigip": "/Common/certif_customer.key"
            },
            "pkcs12Options": {
              "keyImportFormat": "pkcs8"
            },
            "class": "Certificate"
          },
          "Analytics_Profile": {
            "collectIp": false,
            "collectGeo": false,
            "collectUrl": false,
            "collectMethod": false,
            "collectUserAgent": false,
            "collectOsAndBrowser": false,
            "collectPageLoadTime": false,
            "collectResponseCode": true,
            "collectClientSideStatistics": true,
            "class": "Analytics_Profile"
          }
        }
      }
    ]
  }
  2. Observe the following error response:
  "as3_response": {
    "content": "{\"code\":422,\"message\":\"**status:422**, body:{\\\"results\\\":[{\\\"message\\\":\\\"Failed to send declaration: /declare failed with status of 422, ****declaration failed 01070712:3: unable to validate certificate, invalid x509 file**** (/Automation/APP_TEST_1.2.12.140_446/Certificate-bundle.crt)

Expected Behavior

It should deploy the AS3 declaration with a TLS client profile including the chainCA as requested.

Actual Behavior

422 due to invalid x509 file
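As an added example (not code from the issue, from F5, or from the AS3 project), here is a pre-flight checker for the Certificate items of a declaration before it is posted. It assumes, following the AS3 schema's description of `certificate`, `privateKey` and `chainCA` as either a pointer object (`{"bigip": ...}` / `{"use": ...}`) or a string holding PEM text, that a bare path string such as `/Common/intermediate.crt` is written out verbatim into the `<Name>-bundle.crt` object, which is what BIG-IP then rejects as an invalid x509 file. The sample declaration and the DER blob used to exercise the PEM parser are constructed for the example.

```python
"""Pre-flight check for AS3 Certificate items (added example, not AS3 code).

Assumption: in AS3 the fields certificate / privateKey / chainCA take either a
pointer object ({"bigip": "/Common/x.crt"} or {"use": "item"}) or a string that
is treated as literal PEM text. A path typed as a bare string therefore ends up
as the literal content of <Name>-bundle.crt and fails x509 validation.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
POINTER_KEYS = {"bigip", "use"}
PEM_FIELDS = ("certificate", "privateKey", "chainCA")


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in `text`.

    Raises ValueError when a body is not base64, does not start with a DER
    SEQUENCE tag (0x30), or its declared outer length does not match the data.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        if len(der) < 2 or der[0] != 0x30:
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        if der[1] & 0x80:  # long-form length: 0x8n followed by n length bytes
            n = der[1] & 0x7F
            declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
        else:               # short-form length
            declared, header = der[1], 2
        if header + declared != len(der):
            raise ValueError(f"{label}: DER length {declared} != {len(der) - header}")
        blocks.append((label, der))
    return blocks


def check_value(path, field, value):
    """Return a list of findings for one PEM-or-pointer field of a Certificate."""
    if isinstance(value, dict):
        if POINTER_KEYS & value.keys():
            return []
        return [f"{path}.{field}: object has neither 'bigip' nor 'use'"]
    if not isinstance(value, str):
        return [f"{path}.{field}: unexpected type {type(value).__name__}"]
    if value.startswith("/"):
        # The typical mistake: a BIG-IP object path given as a bare string.
        return [f"{path}.{field}: '{value}' looks like a BIG-IP object path but is "
                f'a bare string; AS3 treats it as PEM text. Use {{"bigip": "{value}"}}']
    try:
        blocks = pem_blocks(value)
    except ValueError as exc:
        return [f"{path}.{field}: malformed PEM ({exc})"]
    if not blocks:
        return [f"{path}.{field}: string contains no PEM block"]
    if field == "chainCA" and any(label != "CERTIFICATE" for label, _ in blocks):
        return [f"{path}.{field}: chain bundle must contain only CERTIFICATE blocks"]
    return []


def check_declaration(node, path="/"):
    """Walk a declaration, validate every class=Certificate item, return findings."""
    findings = []
    if isinstance(node, dict):
        if node.get("class") == "Certificate":
            for field in PEM_FIELDS:
                if field in node:
                    findings += check_value(path, field, node[field])
        for key, child in node.items():
            if isinstance(child, (dict, list)):
                findings += check_declaration(child, path.rstrip("/") + "/" + key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += check_declaration(child, f"{path}[{i}]")
    return findings


# Constructed sample with the same Certificate shape as the declaration above.
SAMPLE = {
    "class": "ADC", "schemaVersion": "3.44.0",
    "Automation": {"class": "Tenant", "App": {"class": "Application",
        "Certificate": {"class": "Certificate",
            "certificate": {"bigip": "/Common/certif_customer.crt"},
            "chainCA": "/Common/intermediate.crt",
            "privateKey": {"bigip": "/Common/certif_customer.key"}}}}}

if __name__ == "__main__":
    for finding in check_declaration(SAMPLE) or ["no findings"]:
        print(finding)
```

The checker only validates the PEM framing and the outer DER envelope (enough to catch a path or a truncated paste); it does not verify that the intermediate actually signs the leaf, which still needs `openssl verify` or the BIG-IP's own validation.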

@rdegoix

rdegoix commented Nov 9, 2024

Sorry for the misunderstanding:

It looks like BIG-IQ is running AS3 3.44.0:
curl -sk -H "Content-Type: application/json" -H "X-F5-Auth-Token: $TOKEN" -X GET "https://$BIGIQ_MGMT/mgmt/shared/appsvcs/info"
{"version":"3.44.0","release":"3","schemaCurrent":"3.44.0","schemaMinimum":"3.0.0"}

My F5 BIG-IP target :

pwd

/var/config/rest/iapps/f5-appsvcs

cat version

3.44.0-3

But regarding the deployment itself from BIG-IQ, I get a different schemaVersion:
"schemaVersion": "3.12.0"

{
  "id": "autogen_a4c95a0f-13e3-4078-92c3-3a8e6ea6f10c",
  "class": "ADC",
  "controls": {
    "class": "Controls",
    "userAgent": "BIG-IQ/8.3 Configured by API"
  },
  "Automation": {
    "class": "Tenant",
    "APP_TEST_1.2.12.139_446": {
      "class": "Application",
      "remark": "REFERENCE : NULL_REFERENCE_20241109201819",
      "template": "tcp",
      "serviceMain": {
        "pool": "/Automation/APP_TEST_1.2.12.139_446/HTTPS_443_pool",
        "class": "Service_TCP",
        "enable": true,
        "profileTCP": {
          "use": "/Automation/APP_TEST_1.2.12.139_446/HTTPS_443_tcp_profile"
        },
        "virtualPort": 446,
        "virtualAddresses": [
          "1.2.12.139"
        ],
        "persistenceMethods": [
          "source-address"
        ],
        "profileAnalyticsTcp": {
          "use": "/Automation/APP_TEST_1.2.12.139_446/Analytics_TCP_Profile"
        }
      },
      "HTTPS_443_pool": {
        "class": "Pool",
        "members": [
          {
            "adminState": "enable",
            "shareNodes": true,
            "servicePort": 443,
            "serverAddresses": [
              "1.2.12.13"
            ]
          }
        ],
        "monitors": [
          {
            "use": "/Automation/APP_TEST_1.2.12.139_446/HTTPS_443_monitor"
          }
        ],
        "loadBalancingMode": "least-connections-member"
      },
      "HTTPS_443_monitor": {
        "send": "GET /\r\n",
        "class": "Monitor",
        "receive": "none",
        "targetPort": 443,
        "monitorType": "http",
        "adaptiveWindow": 180,
        "adaptiveLimitMilliseconds": 1000,
        "adaptiveDivergencePercentage": 100
      },
      "Analytics_TCP_Profile": {
        "class": "Analytics_TCP_Profile",
        "collectCity": false,
        "collectRegion": true,
        "collectCountry": true,
        "collectNexthop": false,
        "collectPostCode": false,
        "collectContinent": true,
        "collectRemoteHostIp": false,
        "collectedByClientSide": true,
        "collectedByServerSide": true,
        "collectRemoteHostSubnet": true
      },
      "HTTPS_443_tcp_profile": {
        "class": "TCP_Profile",
        "synMaxRetrans": 3,
        "finWaitTimeout": 5
      }
    }
  },
  "updateMode": "selective",
  "schemaVersion": "3.12.0"
}
