{"id":20329868,"url":"https://github.com/f5devcentral/lets-encrypt-python","last_synced_at":"2025-04-11T21:00:26.017Z","repository":{"id":37677958,"uuid":"65928070","full_name":"f5devcentral/lets-encrypt-python","owner":"f5devcentral","description":null,"archived":false,"fork":false,"pushed_at":"2024-03-12T21:07:00.000Z","size":214,"stargazers_count":50,"open_issues_count":4,"forks_count":12,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-03-25T16:55:33.401Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f5devcentral.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2016-08-17T17:27:24.000Z","updated_at":"2025-02-27T10:57:57.000Z","dependencies_parsed_at":"2024-03-02T03:20:53.946Z","dependency_job_id":"a9e49664-d406-4f50-95f1-3b44ae51007c","html_url":"https://github.com/f5devcentral/lets-encrypt-python","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Flets-encrypt-python","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Flets-encrypt-python/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Flets-encrypt-python/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Flets-encrypt-python/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f5devcentral","download_url":"https://codeloa
d.github.com/f5devcentral/lets-encrypt-python/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248480435,"owners_count":21110936,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T20:13:50.182Z","updated_at":"2025-04-11T21:00:25.745Z","avatar_url":"https://github.com/f5devcentral.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Synopsis\n\nThis project is a rewrite of my original project ([archived](archive)) based on Lukas2511's letsencrypt.sh shell script \nas the basis for deploying certificates to an F5 BIG-IP. 
This update utilizes Lukas2511's \n[dehydrated](https://github.com/dehydrated-io/dehydrated)\nACME client.\n\nSecondly, this update uses the HTTP challenge instead of the DNS challenge I used in the original project.\n\nFinally, it still utilizes F5's iControl REST interface to upload and configure the certificates, but I swap\nout the mostly-retired [f5-sdk](https://github.com/f5networks/f5-common-python) library for the\n[bigrest](https://github.com/leonardobdes/BIGREST) library.\n\n**(Overridden by Tim Riker) Removed from this project altogether is the creation of client SSL profiles, as that is a separate function\nfrom certificate management and should have its own workflow.\n\n### [Tim Riker](https://rikers.org) added\n* run as non-root in a working directory\n* include full chain in .crt so no separate chain is needed\n* create or update certs/keys\n* create client-ssl profiles if missing\n* iRule uses a datagroup to handle multiple challenges for multiple names in a certificate.\n\n## [Scott Campbell](https://github.com/ScottECampbell) September 2023\n\n* Moved all environmental variables to configuration files so that this script can be used on multiple domains/certificates on the same run of dehydrated.\n* Added \".f5creds\" JSON file which gives the host, user and password for LB access.  
The user defined MUST be a LB Administrator otherwise the REST API will not function properly.\n* Added \"virtual_servers\" JSON file which maps the SSL certificate domains to their LB Virtual Server names since they do not always match **HTTP version of VS if available.\n* Added logic for SAN certs where both domains need verification and irule will be attached (and attempted deletion) on both domains.\n* Added variable to hook_script.py for SSL Client Parent Profile used for new SSL profiles with all desired settings included.\n* Fixed logic bug that would break processing if met with VS with no existing irules on LB.\n* Created bash script \"cron_wrapper\" so that process can be run from cron or command line and includes activation of correct python virtual environment (if required).\n\n## Getting Started\n\nInstall dehydrated. On Debian-based distros this probably works:\n\n```bash\n$ sudo apt install dehydrated\n```\n\nInstall bigrest in Python:\n```bash\n$ pip install bigrest\n```\nSet CONTACT_EMAIL in config to your email.\n\nRegister with dehydrated:\n```bash\n$ dehydrated -f config --register --accept-terms\n```\n\nEdit the virtual_servers file to include the domain x Virtual Server mapping.\n\nAdd your domains and aliases to domains.txt and try a request:\n```bash\n$ dehydrated -f config -c --force --force-validation\n```\n\n\n## Test Setup\n```bash\nconfig # Dehydrated configuration file (edit CONTACT_EMAIL)\ndomains.txt # Domains to sign and generate certs for (add names and aliases)\nvirtual_servers # Domains x Virtual Servers mapping on F5 Loadbalancer\ndehydrated # acme client (install)\nbigrest # install python library\nrule_le_challenge.iRule # iRule configured and deployed to BIG-IP by the hook script\nhook_script.py # Python script called by dehydrated for special steps in the cert generation process\n\n# Environment Variables (credentials moved to .f5creds file, vs_vip listings moved to virtual_servers file - S Campbell)\n#export F5_HOST=f.q.d.n\n#export 
F5_USER=admin\n#export F5_PASS=admin\n#export F5_HTTP=vs_vip-name_HTTP\n#export F5_HTTPS=vs_vip-name_HTTPS\n```\n## Usage\n\n### Testing - Stage API\n```bash\n$ dehydrated -f config -c --force --force-validation\n```\n\n### Otherwise\n```bash\n$ dehydrated -f config -c -g\nor\n$ cron_wrapper\n```\n\n## Expected Output\n\n```bash\n$ dehydrated -f config -c --force --force-validation\n# INFO: Using main config file config\nProcessing example.com\n + Checking domain name(s) of existing cert... unchanged.\n + Checking expire date of existing cert...\n + Valid till Dec  7 17:08:55 2022 GMT (Longer than 30 days). Ignoring because renew was forced!\n + Signing domains...\n + Generating private key...\n + Generating signing request...\n + Requesting new certificate order from CA...\n + Received 1 authorizations URLs from the CA\n + Handling authorization for example.com\n + A valid authorization has been found but will be ignored\n + 1 pending challenge(s)\n + Deploying challenge tokens...\n + (hook) Deploying Challenge example.com\n + (hook) irule rule_le_challenge added.\n + (hook) datagroup dg_le_challenge added.\n + (hook) Challenge rule added to virtual vs_example.com_HTTP.\n + (hook) Challenge added to datagroup dg_le_challenge for example.com.\n + Responding to challenge for example.com authorization...\n + Challenge is valid!\n + Cleaning challenge tokens...\n + (hook) Cleaning Challenge example.com\n + (hook) Challenge rule rule_le_challenge removed from virtual vs_example.com_HTTP.\n + (hook) irule rule_le_challenge removed.\n + (hook) datagroup dg_le_challenge removed.\n + Requesting certificate...\n + Checking certificate...\n + Done!\n + Creating fullchain.pem...\n + (hook) Deploying Certs example.com\n + (hook) Cert/Key example.com updated in transaction.\n + Done!\n```\n![Certs on BIG-IP](img/le_certs_bigip.png)\n![Cert Details](img/le_cert_details.png)\n\n## Caveats\nI tested one use case for a standard domain. 
Let's Encrypt and dehydrated support far more\nthan I tested, so you'll likely need to do additional development to support those.\n\n* S Campbell - added ability for multiple certificates including SAN certificates \n* virtual_servers file needs an entry for EACH SAN. Could investigate \"HOOK_CHAIN=yes\" functionality in dehydrated and then change hook script to deal with all SANs at once.\n\n## Contributors\n\nThis update is made possible by:\n\n* https://github.com/dehydrated-io/dehydrated\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Flets-encrypt-python","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff5devcentral%2Flets-encrypt-python","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Flets-encrypt-python/lists"}