Using the connector

The connector handles both the issuance and renewal of a certificate by checking BIG-IP to see whether a certificate with the given Common Name already exists.

  • If a certificate with the name specified in the certificate profile file already exists on BIG-IP and is in the expiry window or revoked, the connector renews the certificate.

  • When a certificate is renewed, the connector automatically installs the new certificate on the BIG-IP appliance and updates the client SSL profile(s) with the new key, certificate, and passphrase.

  • During execution, the connector also checks the certificate profile for attribute changes. If a change is detected for an existing certificate (for example, an updated key type or size), it renews the certificate.
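
The decision logic described above, as an added example that is not the connector's own code: it models the three cases (no certificate with that Common Name on BIG-IP, revoked or inside the expiry window, key attributes changed in the profile) with constructed data. The class and field names, the `example.test` names and the 30-day window are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class InstalledCert:          # certificate as found on BIG-IP (constructed model)
    common_name: str
    not_after: datetime
    key_type: str             # "RSA" or "ECDSA"
    key_size: int             # bits for RSA, curve size for ECDSA
    revoked: bool = False

@dataclass
class CertProfile:            # relevant fields of a profile file (assumed names)
    common_name: str
    key_type: str
    key_size: int

def renewal_reason(existing: Optional[InstalledCert], profile: CertProfile,
                   now: datetime, expiry_window: timedelta) -> Optional[str]:
    """Why the connector would (re)issue, or None when nothing is needed.
    Order follows the page: no cert yet, revoked / expiry window, key change."""
    if existing is None:
        return "issue: no certificate with this Common Name on BIG-IP"
    if existing.revoked:
        return "renew: certificate is revoked"
    if existing.not_after - now <= expiry_window:
        return "renew: certificate is within the expiry window"
    if (existing.key_type, existing.key_size) != (profile.key_type, profile.key_size):
        return "renew: key type or size changed in the certificate profile"
    return None

def plan_run(inventory: dict[str, InstalledCert], profiles: list[CertProfile],
             now: datetime, expiry_window: timedelta) -> dict[str, str]:
    # Common Names needing action mapped to the reason; healthy ones are omitted.
    actions = {}
    for p in profiles:
        reason = renewal_reason(inventory.get(p.common_name), p, now, expiry_window)
        if reason:
            actions[p.common_name] = reason
    return actions

# Constructed sample run: 1 June 2024 with a 30-day expiry window.
def utc_date(y, m, d): return datetime(y, m, d, tzinfo=timezone.utc)
NOW, WINDOW = utc_date(2024, 6, 1), timedelta(days=30)
INVENTORY = {c.common_name: c for c in [
    InstalledCert("www.example.test", utc_date(2024, 6, 15), "RSA", 2048),   # expires in 14 days
    InstalledCert("api.example.test", utc_date(2025, 1, 1), "RSA", 2048),    # profile now wants ECDSA
    InstalledCert("mail.example.test", utc_date(2025, 1, 1), "RSA", 2048),   # healthy, unchanged
]}
PROFILES = [CertProfile("www.example.test", "RSA", 2048), CertProfile("api.example.test", "ECDSA", 256),
            CertProfile("vpn.example.test", "RSA", 2048), CertProfile("mail.example.test", "RSA", 2048)]
```

Running `plan_run(INVENTORY, PROFILES, NOW, WINDOW)` lists www (expiry window), api (key change) and vpn (not yet issued), and leaves mail untouched.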

All available options for the connector:

./start_acme.py [-h] [-v] [-f path/to/f5_demo.yaml] [-c path/to/creds.txt] [-o {run,validate}] [--loglevel {info,debug,warning,error}]

For more information about available options, run ./start_acme.py -h.

Validate the certificate profile files

To validate the certificate profile files, run the command with the --operation or -o flag.

To validate all files under /etc/sectigo:

./start_acme.py -o validate

To validate specific files:

./start_acme.py -f path/to/f5_demo.yaml -o validate

Process certificate profiles to enroll/renew certificates

By default, the connector processes all certificate profile files present in the /etc/sectigo directory.

./start_acme.py

To process only specific certificate profile files from that directory, run the command with the --files or -f flag.

./start_acme.py -f <f5_demo.yaml> [,<f5_demo2.yaml>]

If the files are stored in a different location, specify the full path with one of the following commands.

To process all files under /etc/sectigo:

./start_acme.py

To process specific files:

./start_acme.py -f </path/f5_demo.yaml> [,</path/f5_demo2.yaml>]

To process all files under a specific path:

./start_acme.py -f </path/*.yaml>

Automate the enrollment/renewal

To automate the execution, set up a cronjob that will invoke the script on a schedule (see crontab for cron schedule expressions) to check the certificate expiry status:

  1. Run crontab -e on the terminal.

  2. Add a cronjob that will trigger the script.

    The following example will trigger start_acme.py every 12 hours.

    0 */12 * * * /opt/sectigo/start_acme.py > /dev/null 2>&1

Revoke and replace a certificate

Certificate revocation is done manually in SCM. If a certificate is revoked in SCM, then during the next connector execution, the Sectigo CA server issues a new certificate, unless the certificate profile file has been removed.

Decommission a certificate

If you decide to revoke and decommission a certificate from further use:

  1. Log in to SCM, find the certificate by its Common Name, and revoke it.

  2. Log in to the connector machine, navigate to the /etc/sectigo directory, and remove the corresponding certificate profile file that was created for the certificate.

This prevents a new certificate from being created for the decommissioned virtual server.

View the logs

The installation logs are stored in the ./install.log file. The runtime (enrollment) logs are stored in the /var/log/sectigo-f5-bigip/ directory.

If you create a support ticket, include the logs.

You can use the -L or --loglevel option to change the log level. The supported log levels are error, warning, info, and debug. For example, to log messages with level warning or higher (including error), run the following command.

./start_acme.py --loglevel warning

The --loglevel option only applies to stdout logs. File logging always runs at debug level for troubleshooting and auditing.

To log only messages at level error (reducing the output displayed on the console), run the following command.

./start_acme.py --loglevel error