You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

136 lines
6.5 KiB

3 years ago
  1. #!/usr/bin/env sh
  2. # Deployment script for F5 BIGIP
  3. #
  4. # IDNs are currently not supported (Only domain names that follow the [A-Za-z][0-9]()*+,-:;<=>?@[]^_|~. regex are supported)
  5. #
  6. # As ClientSSL profiles do not support * in their names, domain names with wildcards are replaced with a _ character, which can result in a conflict if a domain name similar to _.example.com is used
  7. # however you can set a custom ClientSSL profile name to workaround this issue or use a regular subdomain as CN with wildcard or _ as alternative name
  8. #
  9. # All of the environment variables are optional
  10. # DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE = yes/no - Whether to create ClientSSL profile or just install the cert/key/chain into certificate store (defaults to: no)
  11. # (this also means that everytime a new cert/key/chain is generated you will have to add it manually to a clientssl profile)
  12. # DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE - Changes the name of the ClientSSL profile. The limit is 255 chars (imposed by bigip itself) (defaults to: SSL-ACME-${domain})
  13. # DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS - allows you to change the ClientSSL profile settings (defaults to: cipher-group f5-secure ciphers none options {no-tlsv1 no-tlsv1.1 dont-insert-empty-fragments})
  14. # DEPLOY_F5_BIGIP_BACKUP = yes/no - Whether to keep 2 cert/key/chain combos (the installed one and a backup) at all times or delete the previously installed ones straight away (defaults to: yes)
  15. f5_bigip_deploy() {
  16. _cdomain="$1"
  17. _ckey="$2"
  18. _ccert="$3"
  19. _cfullchain="$5"
  20. _debug _cdomain "$_cdomain"
  21. _debug _ckey "$_ckey"
  22. _debug _ccert "$_ccert"
  23. _debug _cfullchain "$_cfullchain"
  24. _domain="$(echo "${_cdomain}" | sed 's/\*/_/g')"
  25. _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE
  26. if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" ]; then
  27. DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE="no"
  28. elif [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" != "yes" ] && [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" != "no" ]; then
  29. _err "DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE can only contain yes or no"
  30. return 1
  31. fi
  32. _savedeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}"
  33. if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then
  34. _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE
  35. _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS
  36. if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" ]; then
  37. DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE="SSL-ACME-${_domain}"
  38. fi
  39. # Since the path length limit is 255 and we are using the /Common/ partition, the length of SSL profile can only be 247 (including) (255 - 8)
  40. if [ ${#DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} -gt 247 ]; then
  41. _err "The maximum Client SSL profile name length is 247"
  42. return 1
  43. fi
  44. if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}" ]; then
  45. DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS="cipher-group f5-secure ciphers none options {no-tlsv1 no-tlsv1.1 dont-insert-empty-fragments}"
  46. fi
  47. _savedeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}"
  48. _savedeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}"
  49. fi
  50. _getdeployconf DEPLOY_F5_BIGIP_BACKUP
  51. if [ -z "$DEPLOY_F5_BIGIP_BACKUP" ]; then
  52. DEPLOY_F5_BIGIP_BACKUP="yes"
  53. elif [ "${DEPLOY_F5_BIGIP_BACKUP}" != "yes" ] && [ "${DEPLOY_F5_BIGIP_BACKUP}" != "no" ]; then
  54. _err "DEPLOY_F5_BIGIP_BACKUP can only contain yes or no"
  55. return 1
  56. fi
  57. _savedeployconf DEPLOY_F5_BIGIP_BACKUP "$DEPLOY_F5_BIGIP_BACKUP"
  58. TMSH_CMD=$(command -v tmsh)
  59. f5_bigip_tmsh
  60. }
  61. f5_bigip_tmsh() {
  62. _now=$(date +%Y-%m-%d)
  63. _next_cert="${_domain}-cert-${_now}"
  64. _next_key="${_domain}-key-${_now}"
  65. _next_chain="${_domain}-chain-${_now}"
  66. if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then
  67. _current_cert=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} cert 2>/dev/null | grep cert | awk '{print $2}')
  68. _current_key=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} key 2>/dev/null | grep key | awk '{print $2}')
  69. _current_chain=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} chain 2>/dev/null | grep chain | awk '{print $2}')
  70. fi
  71. _info "Installing new cert/key/chain into store"
  72. ${TMSH_CMD} install sys crypto cert ${_next_cert} from-local-file "${_ccert}"
  73. ${TMSH_CMD} install sys crypto key ${_next_key} from-local-file "${_ckey}"
  74. ${TMSH_CMD} install sys crypto cert ${_next_chain} from-local-file "${_cfullchain}"
  75. if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then
  76. _info "Cleaning up old cert/key/chain from the store"
  77. f5_bigip_cleanup "cert" "cert" ${_current_cert}
  78. f5_bigip_cleanup "key" "key" ${_current_key}
  79. f5_bigip_cleanup "cert" "chain" ${_current_chain}
  80. if [ -z "$(${TMSH_CMD} list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} 2>/dev/null)" ]; then
  81. _info "Creating new ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile"
  82. ${TMSH_CMD} create ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} \
  83. cert-key-chain add { ACME { cert ${_next_cert} key ${_next_key} chain ${_next_chain} } } \
  84. ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}
  85. else
  86. _info "Updating ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile with new cert/key/chain"
  87. ${TMSH_CMD} modify ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} \
  88. cert-key-chain replace-all-with { ACME { cert ${_next_cert} key ${_next_key} chain ${_next_chain} } }
  89. fi
  90. fi
  91. ${TMSH_CMD} save sys config
  92. }
  93. f5_bigip_cleanup() {
  94. _cert_mgmt_type=$1
  95. _cert_type=$2
  96. _current=$3
  97. if [ -n "$_current" ]; then
  98. if [ "$DEPLOY_F5_BIGIP_BACKUP" = "yes" ]; then
  99. # Backup enabled leave 1 previous type as backup and delete everything older than it
  100. _old_date_list=$(${TMSH_CMD} list sys crypto ${_cert_mgmt_type} | grep ${_domain}-${_cert_type} | awk '{print $4}' | awk -F'-' '{print $(NF-2) "-" $(NF-1) "-" $NF}' | sort -r | tail -n +3)
  101. if [ -n "${_old_date_list}" ]; then
  102. while IFS= read -r _old_date; do
  103. _old_name="${_domain}-${_cert_type}-${_old_date}"
  104. _debug "Deleting ${_cert_mgmt_type} ${_old_name}"
  105. ${TMSH_CMD} delete sys crypto ${_cert_mgmt_type} ${_old_name}
  106. done <<< "${_old_date_list}"
  107. fi
  108. else
  109. # Backup disabled, remove current type
  110. _debug "Deleting ${_cert_mgmt_type} ${_current}"
  111. ${TMSH_CMD} delete sys crypto ${_cert_mgmt_type} ${_current}
  112. fi
  113. fi
  114. }