Certificate request/renew with F5 Load Balancer #202

Closed
opened 2025-12-29 01:18:52 +01:00 by adam · 1 comment

Originally created by @fpeterson194 on GitHub (Mar 9, 2017).

Hello all,

I want to know if you have any experience with implementing Let's Encrypt for servers behind an F5 BIG-IP Load Balancer.

I have read the article below:
https://community.letsencrypt.org/t/certificates-for-internal-servers-and-servers-behind-load-balancers/6758

In addition, I found out that there is a script in the F5 forum with several files and rules to configure to achieve the automation. This is the forum article:

https://devcentral.f5.com/codeshare/lets-encrypt-on-a-big-ip?lc=1
http://wiki.lnxgeek.org/doku.php/indexes:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip

I read the whole article, took a high-level look at the code and I have some questions. All this points to the work done by @lukas2511 (Thanks @lukas2511 !!)

My goal is to clearly understand step by step the way to implement this.

Based on the article from wiki.lnxgeek.org, this is what I understand:

  1. Create a Data group to contain the challenge-response values with the following command:
    tmsh create ltm data-group internal acme_responses type string
    1.1. Where should I execute this? Any pre-requisites to execute it? I'm not keen on F5. I would appreciate some details on this.
  2. Create an iRule
    2.1. Where should I create the iRule within F5 console?
  3. Client SSL Profiles
    3.1. How does this work? Should I create any object for this?
  4. Fill the domains.txt file with the domains you want to retrieve a certificate/renew
    4.1. If I need to create a brand new certificate for a farm of webservers, I just add a brand new line to this domains.txt file like "mainDomain san1 san2..." one per line and that's all?
    4.2. How does the renewal work here? I see that in the config file you can set the number of days before renewal.
  5. Customize your script with the config file
    5.3. Where should I put all these files: wrapper.sh, letsencrypt.sh, hook.sh, config? Inside any folder within F5?
  6. Execute the wrapper.sh or directly the letsencrypt.sh (with -c parameter)
    6.1. How does the flow work? Does F5 pass the challenge to one specific web server to do the challenge/response, or does F5 itself carry this out?
    6.2. Does this script distribute the new certificate (request or renew) to all the web servers in my farm?
    6.3. Does it have any support to automatically configure IIS/Apache or other webservers, or does it only get the certificate, leaving it up to the administrator to configure the certificate on each web server?
    6.4. Has this script any limitations in terms of webserver platforms, or is it independent?

Thanks in advance!!

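To make steps 1, 2 and 6.1 concrete: with the lnxgeek approach the BIG-IP answers the HTTP-01 challenge itself, so no pool member ever sees it. The script below is an added example of the hook.sh piece, written for this thread; it is not code from the thread, the lnxgeek article or the dehydrated project. It assumes the data group named in step 1, an iRule (step 2, not shown) that serves GET /.well-known/acme-challenge/<token> from that data group, dehydrated's hook interface (hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE, repeated per name when HOOK_CHAIN=yes, and clean_challenge with the same arguments), and the tmsh -c command and record syntax, all of which are assumptions rather than facts from the page. Each SAN on a domains.txt line gets its own token, which is why the handlers loop over argument triplets.

```shell
#!/bin/sh
# Added example hook for dehydrated (letsencrypt.sh) on a BIG-IP.
# dehydrated invokes: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [...]
# and later: hook.sh clean_challenge with the same triplets.
# Each token -> key-authorization pair is stored in the LTM data group from
# the thread (assumed to be read by an iRule that serves the challenge URL).
# The "tmsh -c" invocation and record syntax are assumptions, not from the thread.

DATA_GROUP="${DATA_GROUP:-acme_responses}"   # name from the thread's tmsh command
TMSH="${TMSH:-tmsh}"                         # overridable so the hook can be dry-run off-box
TMSH_LAST=""                                 # last tmsh command string issued (for inspection)

# Run one tmsh command string, remembering it so callers can inspect it.
run_tmsh() {
    TMSH_LAST=$1
    "$TMSH" -c "$1"
}

# ACME tokens are base64url; refuse anything else so a token can never
# smuggle extra words into the tmsh command line.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Key authorizations are "<token>.<account key thumbprint>", both base64url.
valid_keyauth() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN TOKEN_FILENAME TOKEN_VALUE ...]
deploy_challenge() {
    while [ "$#" -ge 3 ]; do
        domain=$1 token=$2 keyauth=$3
        shift 3
        if ! valid_token "$token" || ! valid_keyauth "$keyauth"; then
            echo "deploy_challenge: refusing malformed challenge for $domain" >&2
            return 1
        fi
        run_tmsh "modify ltm data-group internal $DATA_GROUP records add { $token { data $keyauth } }" || return 1
    done
}

# clean_challenge takes the same arguments; remove each record again so the
# data group does not accumulate stale tokens across renewals.
clean_challenge() {
    while [ "$#" -ge 3 ]; do
        token=$2
        shift 3
        valid_token "$token" || continue     # never deployed, nothing to remove
        run_tmsh "modify ltm data-group internal $DATA_GROUP records delete { $token }" || return 1
    done
}

# Entry point used by dehydrated: hook.sh HANDLER ARGS...
# Other handlers (deploy_cert, unchanged_cert, ...) need no action for
# challenge handling, so they are accepted and ignored.
if [ "$#" -gt 0 ]; then
    handler=$1
    shift
    case "$handler" in
        deploy_challenge|clean_challenge) "$handler" "$@" ;;
        *) : ;;
    esac
fi
```

Off-box you can exercise it with TMSH pointed at a stub that just echoes its argument; on the box, set HOOK=/path/to/hook.sh in the dehydrated config. Note what this hook deliberately does not do: it does not push the certificate to IIS or Apache pool members (question 6.2 and 6.3); installing the issued certificate into a Client SSL profile (step 3) would be a separate deploy_cert handler.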
adam closed this issue 2025-12-29 01:18:52 +01:00

@lukas2511 commented on GitHub (Jul 10, 2017):

I have no idea about this device and I don't think this issue belongs here. I hope you have found a way to get stuff working.

Reference: starred/dehydrated#202