Using the connector

The connector handles both the issuance and renewal of a certificate by checking BIG-IP to see whether a certificate with the given Common Name already exists on the appliance:

  • If a certificate with the name specified in the certificate profile file already exists on BIG-IP and is either revoked or inside the expiry window (30 days by default; configurable with the EXPIRY_WINDOW parameter in the env file), the connector renews the certificate.

  • When a certificate is renewed, the connector automatically installs the new certificate on the BIG-IP appliance and updates the custom client SSL profile with the new key, certificate, and password.

  • During execution, the connector also checks for certificate attribute changes in the YAML file. If a change is recognized for an existing certificate (for example, an updated key type or size), it calls BIG-IP to create a new key pair using the new key type, then connects to the Sectigo ACME server to issue a new certificate with the new public key algorithm.
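The issue/renew decision described above, as an added example (not the connector's own code): the shape of what is read back from BIG-IP, the profile fields, and the order in which the checks are applied are assumptions, and the sample certificates are constructed.

```python
# Added example, not the connector's own code: the issue/renew decision the
# section above describes, with constructed inputs standing in for BIG-IP data.
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ExistingCert:  # assumed shape of what is read back from BIG-IP for a CN
    not_after: datetime
    revoked: bool
    key_type: str  # e.g. "rsa" or "ecdsa"
    key_size: int

@dataclass
class Profile:  # fields assumed to come from the certificate profile YAML
    key_type: str
    key_size: int

def expiry_window_days(env=os.environ) -> int:
    """EXPIRY_WINDOW from the env file; the page states the default is 30 days."""
    days = int(env.get("EXPIRY_WINDOW", "30"))
    if days < 0:
        raise ValueError("EXPIRY_WINDOW must be a non-negative number of days")
    return days

def decide(profile: Profile, existing: Optional[ExistingCert],
           now: datetime, window_days: int) -> str:
    """Return 'issue', 'rekey', 'renew' or 'skip' (check ordering is an assumption)."""
    if existing is None:
        return "issue"  # no certificate with this Common Name on the appliance
    wanted = (profile.key_type.lower(), profile.key_size)
    if (existing.key_type.lower(), existing.key_size) != wanted:
        return "rekey"  # YAML attribute changed: new key pair, new issuance
    if existing.revoked or existing.not_after - now <= timedelta(days=window_days):
        return "renew"  # revoked, or inside the expiry window
    return "skip"

def demo() -> dict:
    """Constructed sample certificates (not real data) covering every branch."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    prof, far = Profile("rsa", 2048), now + timedelta(days=90)
    cases = {
        "absent": None,
        "healthy": ExistingCert(far, False, "rsa", 2048),
        "expiring": ExistingCert(now + timedelta(days=10), False, "RSA", 2048),
        "revoked": ExistingCert(far, True, "rsa", 2048),
        "key_changed": ExistingCert(far, False, "ecdsa", 256),
    }
    return {name: decide(prof, cert, now, 30) for name, cert in cases.items()}
```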

All available options for the connector:

./start_acme.py [-h] [-v] [-f path/to/f5_demo.yaml] [-c path/to/creds.txt] [-o {run,validate}] [--loglevel {info,debug,warning,error}]

For more information about available options, run ./start_acme.py -h.

Validate the certificate profile files

To validate the certificate profile files, run the command with the --operation or -o flag.

To validate all files under /etc/sectigo:

./start_acme.py -o validate

To validate specific files:

./start_acme.py -f path/to/f5_demo.yaml -o validate

Enroll a certificate

By default, the connector enrolls certificates for all certificate profile files present in the /etc/sectigo directory or, if available, the directory indicated in the CFG_LOCATION environment variable.

./start_acme.py

To enroll certificates for specific certificate profile files in these locations, run the command with the --files or -f flag.

./start_acme.py -f <f5_demo>.yaml [,<f5_demo2>.yaml]

If the files are stored in a different location, specify the full path with one of the following commands.

To enroll a certificate for a file stored at a custom path:

./start_acme.py -f </path/f5_demo>.yaml

To enroll certificates for specific files at a custom path:

./start_acme.py -f </path/f5_demo>.yaml [,</path/f5_demo2>.yaml]

To enroll certificates for all files under a specific path:

./start_acme.py -f </path>*.yaml

Automate the enrollment

The start_acme.py script can be used as a cronjob: it is executed at the defined time interval and runs the required command. When the start_acme.py automation script runs, it reads the YAML files stored in the /etc/sectigo directory to enroll or renew the certificates for the virtual servers.

If you’re using a distribution with an automated renewal setup, make sure it’s not running at the same time as the cronjob as it may result in conflicts.

The script automatically sets the SCM ACME credentials based on their definition in the env file, checks the certificate profile files, and renews the certificates.

To automate the execution, set up a cronjob that will invoke the script on a schedule (see crontab for cron schedule expressions) to check the certificate expiry status:

  1. Run crontab -e on the terminal.

  2. Add a cronjob that will trigger the script.

    The following example will trigger start_acme.py every 12 hours.

    0 */12 * * * /opt/sectigo/start_acme.py > /dev/null 2>&1

Revoke and replace a certificate

Certificate revocation is done manually in SCM. If a certificate is revoked in SCM, then during the next connector execution, the Sectigo CA server issues a new certificate, unless the certificate profile file has been removed.

Decommission a certificate

If you decide to revoke and decommission a certificate from further use:

  1. Log in to SCM, find the certificate by its Common Name, and revoke it.

  2. Log in to the connector machine, navigate to the /etc/sectigo directory, and remove the corresponding certificate profile file that was created for the certificate.

This prevents a new certificate from being created for the decommissioned virtual server.

View the logs

The installation logs are stored in the ./install.log file. The runtime (enrollment) logs are stored in the /var/log/sectigo-f5-bigip/ directory.

If you create a support ticket, include the logs.

You can use the -L or --loglevel option to change the log level. The supported log levels are error, warning, info, and debug. For example, to log messages with level warning or higher (including error), run the following command.

./start_acme.py --loglevel warning

The --loglevel option only applies to stdout logs. File logging is always at debug level for troubleshooting and auditing.

To log only error messages on the console (and so suppress the lower-level messages), run the following command.

./start_acme.py --loglevel error