f5networks.f5_modules.bigip_device_certificate – Manage self-signed device certificates

Note

This plugin is part of the f5networks.f5_modules collection (version 1.9.0).

To install it use: ansible-galaxy collection install f5networks.f5_modules.

To use it in a playbook, specify: f5networks.f5_modules.bigip_device_certificate.

New in version 1.0.0: of f5networks.f5_modules

Synopsis

  • Module used to create and/or renew self-signed device certificates for BIG-IP.

Parameters

Parameter Choices/Defaults Comments
add_to_trusted
boolean
    Choices:
  • no ←
  • yes
Specified if the certificate should be added to the trusted client and server certificate files.
cert_name
string
Default:
"server.crt"
Specifies the full name of the certificate file.
If the name is not default server.crt, the module will configure httpd to use them prior to restarting the httpd daemon.
days_valid
integer / required
Specifies the interval for which the self-signed certificate is valid.
The maximum value is 25 years: 9125 days
force
boolean
    Choices:
  • no ←
  • yes
When yes, will update or overwrite the existing certificate when it is not expired on the device.
When no, the certificate will only be updated/overwritten if expired.
Generally should be yes only in cases where you need to update certificate that is about to expire.
This option is also needed when generating a new certificate to replace non-expired one.
issuer
dictionary
Certificate properties, required when generating new certificates.
common_name
string
Specifies the Common Name attribute for the certificate.
country
string
Specifies the Country name attribute for the certificate.
division
string
Specifies the department name attribute for the certificate.
email
string
Specifies the email address of the domain administrator.
locality
string
Specifies the city or town name for the certificate.
organization
string
Specifies the Organization attribute for the certificate.
state
string
Specifies the State or Province attribute for the certificate.
key_name
string
Default:
"server.key"
Specifies the full name of the key file.
If the name is not default server.key, the module will configure httpd to use them prior to restarting the httpd daemon.
key_size
integer
    Choices:
  • 512
  • 1024
  • 2048
  • 4096
Default:
2048
Specifies the desired key size in bits.
Mandatory option when generating a new certificate.
new_cert
boolean
    Choices:
  • no ←
  • yes
Specified if the module should generate a new certificate.
When yes, the device certificate and key will be replaced.
provider
dictionary
added in 1.0.0 of f5networks.f5_modules
A dict object containing connection details.
auth_provider
string
Configures the auth provider for to obtain authentication tokens from the remote device.
This option is really used when working with BIG-IQ devices.
no_f5_teem
boolean
    Choices:
  • no
  • yes
If yes, TEEM telemetry data is not sent to F5.
You may omit this option by setting the environment variable F5_TEEM.
password
string / required
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable F5_PASSWORD.

aliases: pass, pwd
server
string / required
The BIG-IP host.
You may omit this option by setting the environment variable F5_SERVER.
server_port
integer
Default:
22
The BIG-IP server port.
You may omit this option by setting the environment variable F5_SERVER_PORT.
ssh_keyfile
path
Specifies the SSH keyfile to use to authenticate the connection to the remote device. This argument is only used for cli transports.
You may omit this option by setting the environment variable ANSIBLE_NET_SSH_KEYFILE.
timeout
integer
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
transport
string
    Choices:
  • cli ←
Configures the transport connection to use when connecting to the remote device.
user
string / required
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable F5_USER.
validate_certs
boolean
    Choices:
  • no
  • yes ←
If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
You may omit this option by setting the environment variable F5_VALIDATE_CERTS.

Notes

Note

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.

  • Requires BIG-IP software version >= 12.

  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Update expired certificate
  bigip_device_certificate:
    days_valid: 365
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Update expired certificate non-default names
  bigip_device_certificate:
    days_valid: 60
    cert_name: custom.crt
    key_name: custom.key
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Force update not expired certificate
  bigip_device_certificate:
    days_valid: 365
    force: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Create a new certificate to replace expired certificate
  bigip_device_certificate:
    days_valid: 365
    new_cert: yes
    issuer:
      country: US
      state: WA
      common_name: foobar.foo.local
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

- name: Force create a new custom named certificate to replace not expired certificate
  bigip_device_certificate:
    days_valid: 365
    cert_name: custom.crt
    key_name: custom.key
    new_cert: yes
    force: yes
    issuer:
      country: US
      state: WA
      common_name: foobar.foo.local
    key_size: 2048
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
      transport: cli
      server_port: 22
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
cert_name
string
changed
The full name of the certificate file.

Sample:
common.crt
days_valid
integer
changed
The interval for which the self-signed certificate is valid.

Sample:
365
issuer
complex
changed
Specifies certificate properties.

 
common_name
string
changed
The Common Name attribute of the certificate.

Sample:
foo.bar.local
 
country
string
changed
The Country name attribute of the certificate.

Sample:
US
 
division
string
changed
The department name attribute of the certificate.

Sample:
IT
 
email
string
changed
The domain administrator's email address.

Sample:
 
locality
string
changed
The city or town name attribute of the certificate.

Sample:
Seattle
 
organization
string
changed
The Organization attribute of the certificate.

Sample:
F5
 
state
string
changed
The State or Province attribute of the certificate.

Sample:
WA
key_name
string
changed
The full name of the key file.

Sample:
common.key
key_size
integer
changed
The desired key size in bits.

Sample:
2048


Authors

  • Wojciech Wypior (@wojtek0806)