From 66a4c4fc689bd21e364d97fbb6d5629f29387169 Mon Sep 17 00:00:00 2001
From: melkypie <5113962+melkypie@users.noreply.github.com>
Date: Fri, 6 Aug 2021 13:42:17 +0300
Subject: [PATCH 1/6] Add F5 BIGIP deploy hook
---
 deploy/f5_bigip.sh | 131 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 deploy/f5_bigip.sh
diff --git a/deploy/f5_bigip.sh b/deploy/f5_bigip.sh
new file mode 100644
index 00000000..38c607c1
--- /dev/null
+++ b/deploy/f5_bigip.sh
@@ -0,0 +1,131 @@
+#!/usr/bin/env sh
+# Deployment script for F5 BIGIP
+#
+# Written by melky
+#
+# All of the environment variables are optional
+# DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE = yes/no - Whether to create ClientSSL profile or just install the cert/key/chain into certificate store (defaults to: no)
+# (this also means that everytime a new cert/key/chain is generated you will have to add it manually to a clientssl profile)
+# DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE - Changes the name of the ClientSSL profile. The limit is 255 chars (imposed by bigip itself) (defaults to: SSL-ACME-${domain})
+# DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS - allows you to change the ClientSSL profile settings (defaults to: cipher-group f5-secure ciphers none options {no-tlsv1 no-tlsv1.1 dont-insert-empty-fragments})
+# DEPLOY_F5_BIGIP_BACKUP = yes/no - Whether to keep 2 cert/key/chain combos (the installed one and a backup) at all times or delete the previously installed ones straight away (defaults to: yes)
+
+f5_bigip_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cfullchain "$_cfullchain"
+
+ _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE
+
+ if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" ]; then
+ DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE="no"
+ elif [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" != "yes" ] && [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" != "no" ]; then
+ _err "DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE can only contain yes or no"
+ return 1
+ fi
+
+ _savedeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}"
+
+ if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then
+ _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE
+ _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS
+
+ if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" ]; then
+ DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE="SSL-ACME-${_cdomain}"
+ fi
+
+ # Since the path length limit is 255 and we are using the /Common/ partition, the length of SSL profile can only be 247 (including) (255 - 8)
+ if [ ${#DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} -gt 247 ]; then
+ _err "The maximum Client SSL profile name length is 247"
+ return 1
+ fi
+
+ if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}" ]; then
+ DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS="cipher-group f5-secure ciphers none options {no-tlsv1 no-tlsv1.1 dont-insert-empty-fragments}"
+ fi
+
+ _savedeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}"
+ _savedeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}"
+ fi
+
+ _getdeployconf DEPLOY_F5_BIGIP_BACKUP
+
+ if [ -z "$DEPLOY_F5_BIGIP_BACKUP" ]; then
+ DEPLOY_F5_BIGIP_BACKUP="yes"
+ elif [ "${DEPLOY_F5_BIGIP_BACKUP}" != "yes" ] && [ "${DEPLOY_F5_BIGIP_BACKUP}" != "no" ]; then
+ _err "DEPLOY_F5_BIGIP_BACKUP can only contain yes or no"
+ return 1
+ fi
+
+ _savedeployconf DEPLOY_F5_BIGIP_BACKUP "$DEPLOY_F5_BIGIP_BACKUP"
+
+ TMSH_CMD=$(command -v tmsh)
+ f5_bigip_tmsh
+}
+
+f5_bigip_tmsh() {
+ _now=$(date +%Y-%m-%d)
+ _next_cert="${_cdomain}-cert-${_now}"
+ _next_key="${_cdomain}-key-${_now}"
+ _next_chain="${_cdomain}-chain-${_now}"
+
+ if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then
+ _current_cert=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} cert 2>/dev/null | grep cert | awk '{print $2}')
+ _current_key=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} key 2>/dev/null | grep key | awk '{print $2}')
+ _current_chain=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} chain 2>/dev/null | grep chain | awk '{print $2}')
+ fi
+
+ _info "Installing new cert/key/chain into store"
+ ${TMSH_CMD} install sys crypto cert ${_next_cert} from-local-file ${_ccert}
+ ${TMSH_CMD} install sys crypto key ${_next_key} from-local-file ${_ckey}
+ ${TMSH_CMD} install sys crypto cert ${_next_chain} from-local-file ${_cfullchain}
+
+ if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then
+ _info "Cleaning up old cert/key/chain from the store"
+ f5_bigip_cleanup "cert" "cert" ${_cdomain} ${_current_cert}
+ f5_bigip_cleanup "key" "key" ${_cdomain} ${_current_key}
+ f5_bigip_cleanup "cert" "chain" ${_cdomain} ${_current_chain}
+
+ if [ -z "$(${TMSH_CMD} list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} 2>/dev/null)" ]; then
+ _info "Creating new ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile"
+ ${TMSH_CMD} create ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} \
+ cert-key-chain add { ACME { cert ${_next_cert} key ${_next_key} chain ${_next_chain} } } \
+ ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}
+ else
+ _info "Updating ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile with new cert/key/chain"
+ ${TMSH_CMD} modify ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} \
+ cert-key-chain replace-all-with { ACME { cert ${_next_cert} key ${_next_key} chain ${_next_chain} } }
+ fi
+ fi
+}
+
+f5_bigip_cleanup() {
+ _cert_mgmt_type=$1
+ _cert_type=$2
+ _domain=$3
+ _current=$4
+
+ if [ -n "$_current" ]; then
+ if [ "$DEPLOY_F5_BIGIP_BACKUP" = "yes" ]; then
+ # Backup enabled leave 1 previous type as backup and delete everything older than it
+ _old_date_list=$(${TMSH_CMD} list sys crypto ${_cert_mgmt_type} | grep ${_domain}-${_cert_type} | awk '{print $4}' | awk -F'-' '{print $(NF-2) "-" $(NF-1) "-" $NF}' | sort -r | tail -n +3)
+ if [ -n "${_old_date_list}" ]; then
+ while IFS= read -r _old_date; do
+ _old_name="${_domain}-${_cert_type}-${_old_date}"
+ _debug "Deleting ${_cert_mgmt_type} ${_old_name}"
+ ${TMSH_CMD} delete sys crypto ${_cert_mgmt_type} ${_old_name}
+ done <<< "${_old_date_list}"
+ fi
+ else
+ # Backup disabled, remove current type
+ _debug "Deleting ${_cert_mgmt_type} ${_current}"
+ ${TMSH_CMD} delete sys crypto ${_cert_mgmt_type} ${_current}
+ fi
+ fi
+}
From c542dec92ae9005b7846b8c9e52219dbed9cc484 Mon Sep 17 00:00:00 2001
From: melkypie <5113962+melkypie@users.noreply.github.com>
Date: Thu, 12 Aug 2021 10:12:53 +0300
Subject: [PATCH 2/6] Support wildacards and add clarification for IDNs
---
 deploy/f5_bigip.sh | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/deploy/f5_bigip.sh b/deploy/f5_bigip.sh
index 38c607c1..f13e3a9c 100644
--- a/deploy/f5_bigip.sh
+++ b/deploy/f5_bigip.sh
@@ -1,7 +1,10 @@ #!/usr/bin/env sh # Deployment script for F5 BIGIP # -# Written by melky +# IDNs are currently not supported (Only domain names that follow the [A-Za-z][0-9]()*+,-:;<=>?@[]^_|~. regex are supported) +# +# As ClientSSL profiles do not support * in their names, domain names with wildcards are replaced with a _ character, which can result in a conflict if a domain name similar to _.example.com is used +# however you can set a custom ClientSSL profile name to workaround this issue or use a regular subdomain as CN with wildcard or _ as alternative name # # All of the environment variables are optional # DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE = yes/no - Whether to create ClientSSL profile or just install the cert/key/chain into certificate store (defaults to: no)
@@ -21,6 +24,8 @@ f5_bigip_deploy() { _debug _ccert "$_ccert" _debug _cfullchain "$_cfullchain" + _domain="$(echo "${_cdomain}" | sed 's/\*/_/g')" + _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" ]; then
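Review bot: In PATCH 1/6, nothing in `f5_bigip_deploy` or `f5_bigip_tmsh` checks that `tmsh` was found or that any tmsh call succeeded, so a failed `install sys crypto` is still followed by the cleanup and the profile change, and the hook's exit status is whatever its last command returned. If `command -v tmsh` finds nothing, `TMSH_CMD` is empty and the unquoted `${TMSH_CMD} install ...` lines resolve to a different `install` program. I would write `TMSH_CMD=$(command -v tmsh) || { _err "tmsh not found"; return 1; }` and append `|| return 1` to the three install lines and to the create/modify calls. The `_current_*` lookups also call bare `tmsh` rather than `${TMSH_CMD}`, which is worth making consistent.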
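Review bot: In the `@@ -21,6 +24,8 @@` hunk of PATCH 2/6, `_domain` only has `*` replaced, yet it goes on to build tmsh object names and, in `f5_bigip_cleanup`, a grep pattern, and nothing rejects names outside the character set that the header comment added by this same commit declares supported. A guard right after the `sed` line, for example `case "$_domain" in *[!A-Za-z0-9._-]*) _err "Unsupported characters in domain name"; return 1 ;; esac`, would fail early instead of handing an unexpected name to tmsh; widen or narrow the class to whatever the header is meant to promise. The body of `f5_bigip_deploy` starts and ends outside this hunk.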
@@ -37,7 +42,7 @@ f5_bigip_deploy() { _getdeployconf DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS if [ -z "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" ]; then - DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE="SSL-ACME-${_cdomain}" + DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE="SSL-ACME-${_domain}" fi # Since the path length limit is 255 and we are using the /Common/ partition, the length of SSL profile can only be 247 (including) (255 - 8)
@@ -71,9 +76,9 @@ f5_bigip_deploy() { f5_bigip_tmsh() { _now=$(date +%Y-%m-%d) - _next_cert="${_cdomain}-cert-${_now}" - _next_key="${_cdomain}-key-${_now}" - _next_chain="${_cdomain}-chain-${_now}" + _next_cert="${_domain}-cert-${_now}" + _next_key="${_domain}-key-${_now}" + _next_chain="${_domain}-chain-${_now}" if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then _current_cert=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} cert 2>/dev/null | grep cert | awk '{print $2}')
@@ -82,15 +87,15 @@ f5_bigip_tmsh() { fi _info "Installing new cert/key/chain into store" - ${TMSH_CMD} install sys crypto cert ${_next_cert} from-local-file ${_ccert} - ${TMSH_CMD} install sys crypto key ${_next_key} from-local-file ${_ckey} - ${TMSH_CMD} install sys crypto cert ${_next_chain} from-local-file ${_cfullchain} + ${TMSH_CMD} install sys crypto cert ${_next_cert} from-local-file "${_ccert}" + ${TMSH_CMD} install sys crypto key ${_next_key} from-local-file "${_ckey}" + ${TMSH_CMD} install sys crypto cert ${_next_chain} from-local-file "${_cfullchain}" if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then _info "Cleaning up old cert/key/chain from the store" - f5_bigip_cleanup "cert" "cert" ${_cdomain} ${_current_cert} - f5_bigip_cleanup "key" "key" ${_cdomain} ${_current_key} - f5_bigip_cleanup "cert" "chain" ${_cdomain} ${_current_chain} + f5_bigip_cleanup "cert" "cert" ${_current_cert} + f5_bigip_cleanup "key" "key" ${_current_key} + f5_bigip_cleanup "cert" "chain" ${_current_chain} if [ -z "$(${TMSH_CMD} list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} 2>/dev/null)" ]; then _info "Creating new ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile"
@@ -108,8 +113,7 @@ f5_bigip_tmsh() { f5_bigip_cleanup() { _cert_mgmt_type=$1 _cert_type=$2 - _domain=$3 - _current=$4 + _current=$3 if [ -n "$_current" ]; then if [ "$DEPLOY_F5_BIGIP_BACKUP" = "yes" ]; then
From e05d2bee573b64f0b338506d21bddd373c14ed14 Mon Sep 17 00:00:00 2001
From: melkypie <5113962+melkypie@users.noreply.github.com>
Date: Thu, 12 Aug 2021 12:07:34 +0300
Subject: [PATCH 3/6] Persist to disk
---
 deploy/f5_bigip.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/deploy/f5_bigip.sh b/deploy/f5_bigip.sh
index f13e3a9c..97c52ea2 100644
--- a/deploy/f5_bigip.sh
+++ b/deploy/f5_bigip.sh
@@ -108,6 +108,7 @@ f5_bigip_tmsh() { cert-key-chain replace-all-with { ACME { cert ${_next_cert} key ${_next_key} chain ${_next_chain} } } fi fi + ${TMSH_CMD} save sys config } f5_bigip_cleanup() {
From 6803029d0f26bd41ad6db963b816e2bf6de9871f Mon Sep 17 00:00:00 2001
From: melkypie <5113962+melkypie@users.noreply.github.com>
Date: Tue, 17 Aug 2021 09:27:46 +0300
Subject: [PATCH 4/6] Switch date to UTC timezone
---
 deploy/f5_bigip.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/f5_bigip.sh b/deploy/f5_bigip.sh
index 97c52ea2..c8f124a4 100644
--- a/deploy/f5_bigip.sh
+++ b/deploy/f5_bigip.sh
@@ -75,7 +75,7 @@ f5_bigip_deploy() { } f5_bigip_tmsh() { - _now=$(date +%Y-%m-%d) + _now=$(date -u +%Y-%m-%d) _next_cert="${_domain}-cert-${_now}" _next_key="${_domain}-key-${_now}" _next_chain="${_domain}-chain-${_now}"
From 61560476ee2ad97a6c2d2f4282227e54afa52179 Mon Sep 17 00:00:00 2001
From: melkypie <5113962+melkypie@users.noreply.github.com>
Date: Tue, 17 Aug 2021 12:23:42 +0300
Subject: [PATCH 5/6] Fix ShellCheck errors
---
 deploy/f5_bigip.sh | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/deploy/f5_bigip.sh b/deploy/f5_bigip.sh
index c8f124a4..3808dff4 100644
--- a/deploy/f5_bigip.sh
+++ b/deploy/f5_bigip.sh
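Review bot: In PATCH 3/6, placing `${TMSH_CMD} save sys config` last makes its status the return value of `f5_bigip_tmsh`, so a failed `create`/`modify` in the block above is reported to the caller as success whenever the save itself works, and a half-applied change is written to disk. The save should run only after the earlier steps succeeded and should report its own failure, e.g. `${TMSH_CMD} save sys config || return 1`, with `|| return 1` on the create/modify calls. Those calls lie partly outside this hunk, so this reading rests on the context lines shown.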
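Review bot: In PATCH 4/6, `_now` keeps day granularity, so a second deployment on the same UTC date produces the same `_next_cert`/`_next_key`/`_next_chain` names that the profile already references. With `DEPLOY_F5_BIGIP_BACKUP=no`, `f5_bigip_cleanup` is then asked to delete `_current`, which (assuming tmsh reports the profile's objects under the same names) is the object that was just installed. Because the cleanup parses the last three `-`-separated fields as the date, the format cannot simply gain a time component; a guard in the backup-disabled branch such as `[ "${_current}" = "${_domain}-${_cert_type}-${_now}" ] && return 0` would cover the collision. `f5_bigip_tmsh` continues outside this hunk.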
@@ -81,31 +81,32 @@ f5_bigip_tmsh() { _next_chain="${_domain}-chain-${_now}" if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then - _current_cert=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} cert 2>/dev/null | grep cert | awk '{print $2}') - _current_key=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} key 2>/dev/null | grep key | awk '{print $2}') - _current_chain=$(tmsh list ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} chain 2>/dev/null | grep chain | awk '{print $2}') + _current_cert=$(tmsh list ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" cert 2>/dev/null | grep cert | awk '{print $2}') + _current_key=$(tmsh list ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" key 2>/dev/null | grep key | awk '{print $2}') + _current_chain=$(tmsh list ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" chain 2>/dev/null | grep chain | awk '{print $2}') fi _info "Installing new cert/key/chain into store" - ${TMSH_CMD} install sys crypto cert ${_next_cert} from-local-file "${_ccert}" - ${TMSH_CMD} install sys crypto key ${_next_key} from-local-file "${_ckey}" - ${TMSH_CMD} install sys crypto cert ${_next_chain} from-local-file "${_cfullchain}" + ${TMSH_CMD} install sys crypto cert "${_next_cert}" from-local-file "${_ccert}" + ${TMSH_CMD} install sys crypto key "${_next_key}" from-local-file "${_ckey}" + ${TMSH_CMD} install sys crypto cert "${_next_chain}" from-local-file "${_cfullchain}" if [ "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_DISABLE}" = "no" ]; then _info "Cleaning up old cert/key/chain from the store" - f5_bigip_cleanup "cert" "cert" ${_current_cert} - f5_bigip_cleanup "key" "key" ${_current_key} - f5_bigip_cleanup "cert" "chain" ${_current_chain} + f5_bigip_cleanup "cert" "cert" "${_current_cert}" + f5_bigip_cleanup "key" "key" "${_current_key}" + f5_bigip_cleanup "cert" "chain" "${_current_chain}" - if [ -z "$(${TMSH_CMD} list ltm profile 
client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} 2>/dev/null)" ]; then + if [ -z "$(${TMSH_CMD} list ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" 2>/dev/null)" ]; then _info "Creating new ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile" - ${TMSH_CMD} create ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} \ - cert-key-chain add { ACME { cert ${_next_cert} key ${_next_key} chain ${_next_chain} } } \ + # shellcheck disable=SC2029 - this has to be disabled because of ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}, otherwise it will throw an unknown property error + ${TMSH_CMD} create ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" \ + cert-key-chain add "{" ACME "{" cert "${_next_cert}" key "${_next_key}" chain "${_next_chain}" "}" "}" \ ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS} else _info "Updating ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile with new cert/key/chain" - ${TMSH_CMD} modify ltm profile client-ssl ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} \ - cert-key-chain replace-all-with { ACME { cert ${_next_cert} key ${_next_key} chain ${_next_chain} } } + ${TMSH_CMD} modify ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" \ + cert-key-chain replace-all-with "{" ACME "{" cert "${_next_cert}" key "${_next_key}" chain "${_next_chain}" "}" "}" fi fi ${TMSH_CMD} save sys config 
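Review bot: In the `@@ -81,31 +81,32 @@` hunk of PATCH 5/6, the three `f5_bigip_cleanup` calls still run before the profile is switched to the new objects, so with `DEPLOY_F5_BIGIP_BACKUP=no` the script asks tmsh to delete the cert/key/chain that the profile is still using. Presumably tmsh either refuses, which leaves the old objects in the store on every renewal, or the profile is left pointing at missing files until the `modify` runs. Moving the cleanup calls below the create/modify `if` block, and running them only when that step succeeded, avoids both outcomes. A short comment there, e.g. `# Clean up only after the profile references the new objects`, would record why the order matters.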
@@ -119,18 +120,18 @@ f5_bigip_cleanup() { if [ -n "$_current" ]; then if [ "$DEPLOY_F5_BIGIP_BACKUP" = "yes" ]; then # Backup enabled leave 1 previous type as backup and delete everything older than it - _old_date_list=$(${TMSH_CMD} list sys crypto ${_cert_mgmt_type} | grep ${_domain}-${_cert_type} | awk '{print $4}' | awk -F'-' '{print $(NF-2) "-" $(NF-1) "-" $NF}' | sort -r | tail -n +3) + _old_date_list=$(${TMSH_CMD} list sys crypto "${_cert_mgmt_type}" | grep "${_domain}"-"${_cert_type}" | awk '{print $4}' | awk -F'-' '{print $(NF-2) "-" $(NF-1) "-" $NF}' | sort -r | tail -n +3) if [ -n "${_old_date_list}" ]; then - while IFS= read -r _old_date; do + echo "${_old_date_list}" | while IFS= read -r _old_date; do _old_name="${_domain}-${_cert_type}-${_old_date}" _debug "Deleting ${_cert_mgmt_type} ${_old_name}" - ${TMSH_CMD} delete sys crypto ${_cert_mgmt_type} ${_old_name} - done <<< "${_old_date_list}" + ${TMSH_CMD} delete sys crypto "${_cert_mgmt_type}" "${_old_name}" + done fi else # Backup disabled, remove current type _debug "Deleting ${_cert_mgmt_type} ${_current}" - ${TMSH_CMD} delete sys crypto ${_cert_mgmt_type} ${_current} + ${TMSH_CMD} delete sys crypto "${_cert_mgmt_type}" "${_current}" fi fi }
From bd61612d16ff4af5abd99ae1a875b067e9f1e22e Mon Sep 17 00:00:00 2001
From: melkypie <5113962+melkypie@users.noreply.github.com>
Date: Wed, 18 Aug 2021 16:30:40 +0300
Subject: [PATCH 6/6] Fix shellcheck again
---
 deploy/f5_bigip.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/deploy/f5_bigip.sh b/deploy/f5_bigip.sh
index 3808dff4..1ceaa3e1 100644
--- a/deploy/f5_bigip.sh
+++ b/deploy/f5_bigip.sh
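Review bot: In the `@@ -119,18 +120,18 @@` hunk of PATCH 5/6, `grep "${_domain}"-"${_cert_type}"` is an unanchored regular-expression match, so the list built for `example.com` also picks up store objects such as `www.example.com-cert-...` or `_.example.com-cert-...`, and every `.` matches any character. The dates of those unrelated objects then count towards the two entries that `tail -n +3` keeps, which can push this domain's own backup or current object into the delete list. Matching the literal name prefix on the field the next stage already reads, e.g. replacing the `grep ... | awk '{print $4}'` pair with `awk -v p="${_domain}-${_cert_type}-" 'index($4, p) == 1 { print $4 }'`, keeps the list to this domain. This assumes the object name is printed without a partition prefix, which the existing name reconstruction already relies on.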
@@ -11,7 +11,7 @@ # (this also means that everytime a new cert/key/chain is generated you will have to add it manually to a clientssl profile) # DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE - Changes the name of the ClientSSL profile. The limit is 255 chars (imposed by bigip itself) (defaults to: SSL-ACME-${domain}) # DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS - allows you to change the ClientSSL profile settings (defaults to: cipher-group f5-secure ciphers none options {no-tlsv1 no-tlsv1.1 dont-insert-empty-fragments}) -# DEPLOY_F5_BIGIP_BACKUP = yes/no - Whether to keep 2 cert/key/chain combos (the installed one and a backup) at all times or delete the previously installed ones straight away (defaults to: yes) +# DEPLOY_F5_BIGIP_BACKUP = yes/no - Whether to keep 2 cert/key/chain combos (the installed one and a backup) at all times or delete the previously installed ones straight away (defaults to: yes) f5_bigip_deploy() { _cdomain="$1"
@@ -99,7 +99,8 @@ f5_bigip_tmsh() { if [ -z "$(${TMSH_CMD} list ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" 2>/dev/null)" ]; then _info "Creating new ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE} ClientSSL profile" - # shellcheck disable=SC2029 - this has to be disabled because of ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}, otherwise it will throw an unknown property error + # This has to be disabled because of ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}, otherwise it will throw an unknown property error + # shellcheck disable=SC2086 ${TMSH_CMD} create ltm profile client-ssl "${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE}" \ cert-key-chain add "{" ACME "{" cert "${_next_cert}" key "${_next_key}" chain "${_next_chain}" "}" "}" \ ${DEPLOY_F5_BIGIP_CLIENT_SSL_PROFILE_SETTINGS}