<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Usually SSL certs don't change every day. The approach I have taken is
to tarball them all and scp them over, then do those manual steps only when
the certs change.<br>
<br>
Thanks,<br>
Sam<br>
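<p>As an added example (not code from this thread, from rancid, or from F5), the following Python script does offline what Mike's listing-tracking and Sam's "act only when the certs change" approach need: it parses two snapshots of the <code>ls --full-time --color=never</code> output that john's proposed rancid entries would capture for the ssl.crt and ssl.key directories, classifies files as added, removed or updated, and as one extra check flags any file in the ssl.key listing whose mode lets group or others read it. The listing lines, file names and function names are constructed for the example and are not from the thread.</p>

```python
import re

# Shape of one GNU `ls --full-time --color=never` line:
#   perms links owner group size YYYY-MM-DD HH:MM:SS.nnnnnnnnn +ZZZZ name
# (an optional '.' or '+' after the mode bits marks SELinux context / ACLs)
LS_LINE = re.compile(
    r"^(?P<perms>[-dl][-rwxsStT]{9})[.+]?\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<tz>[+-]\d{4})\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Map file name -> (perms, size, mtime) for regular files in a listing.

    'total N' lines and sub-directories are skipped; a symlink keeps its
    'name -> target' text as the name, which is fine for change tracking.
    """
    entries = {}
    for raw in text.splitlines():
        m = LS_LINE.match(raw.strip())
        if not m or m.group("perms").startswith("d"):
            continue
        mtime = f"{m.group('date')} {m.group('time')} {m.group('tz')}"
        entries[m.group("name")] = (m.group("perms"), int(m.group("size")), mtime)
    return entries


def diff_listings(old_text, new_text):
    """Classify files as added, removed or updated between two snapshots.

    'updated' means the mode bits, size or mtime changed, so a bare
    permission change on a key file shows up as well.
    """
    old, new = parse_listing(old_text), parse_listing(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "updated": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def exposed_keys(key_listing_text):
    """Names of files in an ssl.key listing readable by group or others."""
    return sorted(
        name
        for name, (perms, _size, _mtime) in parse_listing(key_listing_text).items()
        if perms[4] == "r" or perms[7] == "r"   # group read / other read bit
    )


# Constructed sample listings (hypothetical hosts and file names).
OLD_CRT = """total 12
-rw-r--r-- 1 root root 1436 2009-03-02 10:15:00.000000000 -0700 default.crt
-rw-r--r-- 1 root root 1298 2009-01-14 09:02:11.000000000 -0700 www.example.com.crt
"""

NEW_CRT = """total 16
-rw-r--r-- 1 root root 1436 2009-03-02 10:15:00.000000000 -0700 default.crt
-rw-r--r-- 1 root root 1310 2009-04-20 12:49:00.000000000 -0700 www.example.com.crt
-rw-r--r-- 1 root root 1402 2009-04-20 12:50:00.000000000 -0700 api.example.com.crt
"""

KEY_LISTING = """total 8
-rw------- 1 root root 1679 2009-03-02 10:15:00.000000000 -0700 default.key
-rw-r--r-- 1 root root 1675 2009-04-20 12:50:00.000000000 -0700 api.example.com.key
"""

if __name__ == "__main__":
    changes = diff_listings(OLD_CRT, NEW_CRT)
    for kind, names in changes.items():
        print(f"{kind:8s} {', '.join(names) or '-'}")
    if changes["added"] or changes["updated"]:
        print("cert material changed: time to refresh the off-box archive")
    for name in exposed_keys(KEY_LISTING):
        print(f"WARNING: {name} is readable by group or others")
```

<p>Feeding the previous and current listings from the rancid repository to <code>diff_listings</code> gives a clear trigger for the archival step (the .ucs backup, rsync, or Sam's tarball-and-scp), and because only the listing is tracked, the key files themselves never land in the config repository.</p>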
<blockquote
cite="mid:370BD08812250148A3EC9CFC41A6D60101A65B165A@EXCHANGE1.orm.omniture.com"
type="cite">
<div class="Section1">
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: 'Calibri','sans-serif'; color: rgb(31, 73, 125);">I
added the SSL directory listings to track changes to SSL certs
[adds/removals/updates].</span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: 'Calibri','sans-serif'; color: rgb(31, 73, 125);">Storing
these as part of the config within rancid would be reasonable
only if there were very few certs. They are best archived elsewhere by
backing up the .ucs file as Marcus mentioned, an rsync to a backup host
or similar methods.</span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: 'Calibri','sans-serif'; color: rgb(31, 73, 125);">Mike</span></p>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: 'Tahoma','sans-serif';">From:</span></b><span
style="font-size: 10pt; font-family: 'Tahoma','sans-serif';"> marcus
gaysek
[<a class="moz-txt-link-freetext" href="mailto:mgaysek@gmail.com">mailto:mgaysek@gmail.com</a>] <br>
<b>Sent:</b> Monday, April 20, 2009 12:49 PM<br>
<b>To:</b> john heasley<br>
<b>Cc:</b> Mike Ashcraft; <a class="moz-txt-link-abbreviated" href="mailto:rancid-discuss@shrubbery.net">rancid-discuss@shrubbery.net</a><br>
<b>Subject:</b> Re: [rancid] Re: F5 ("bigip") script</span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom: 12pt;">Those are actually
directories. The names of the certs are always different.<br>
<br>
Both cat and more are available (BigIPs are linux/bsd based). I
believe all the files below the ssl directory are required, excluding
ca-bundle.crt. The number of files depends on how many certs are
installed on the device.<br>
<br>
There are four directories: ssl.crl ssl.crt ssl.csr ssl.key<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On Mon, Apr 20, 2009 at 2:37 PM, john heasley
<<a moz-do-not-send="true" href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>>
wrote:<o:p></o:p></p>
<p class="MsoNormal">Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus
gaysek:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom: 12pt;">> The certs are
located in
in the config/ssl/ sub-directories, which would<br>
> need to be download'd. I would think that functionality would be
outside
of<br>
> Rancid, but if you lost your LTM you would need them to rebuild a
new one.<br>
> You capture their names as part of the config. They are listed in
the last<br>
> few lines.<o:p></o:p></p>
</div>
<p class="MsoNormal">if they're always these files</p>
<pre wrap="">  {'ls --full-time --color=never /config/ssl/ssl.crt' => 'ShowSslCrt'},
  {'ls --full-time --color=never /config/ssl/ssl.key' => 'ShowSslKey'},</pre>
<p class="MsoNormal">is there a "cat" or "more" command? Their contents
should be ascii.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
> There is a command in the BigIP devices (GTMs and LTMs) that
captures all<br>
> the files and compresses them in a .ucs file. Once they are
created
they<br>
> can be downloaded and used to restore a BigIP.<br>
><br>
> On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft <<a
moz-do-not-send="true" href="mailto:mashcraft@omniture.com">mashcraft@omniture.com</a>>wrote:<br>
><br>
> > LTM = Local Traffic Manager = F5 Big-IP<br>
> ><br>
> > Thanks<br>
> ><br>
> > -----Original Message-----<br>
> > From: <a moz-do-not-send="true"
href="mailto:rancid-discuss-bounces@shrubbery.net">rancid-discuss-bounces@shrubbery.net</a>
[mailto:<br>
> > <a moz-do-not-send="true"
href="mailto:rancid-discuss-bounces@shrubbery.net">rancid-discuss-bounces@shrubbery.net</a>]
On Behalf Of john heasley<br>
> > Sent: Monday, April 20, 2009 11:29 AM<br>
> > To: marcus gaysek<br>
> > Cc: <a moz-do-not-send="true"
href="mailto:rancid-discuss@shrubbery.net">rancid-discuss@shrubbery.net</a><br>
> > Subject: [rancid] Re: F5 ("bigip") script<br>
> ><br>
> > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek:<br>
> > > I have tested with a couple of Cisco devices, including
an ASA
and I am<br>
> > not<br>
> > > seeing the formatting issues I have seen in the past.<br>
> ><br>
> > that's probably luck.<br>
> ><br>
> > > The LTM config looks great. The only thing that I can
see
that needs to<br>
> > be<br>
> ><br>
> > what is 'LTM'?<br>
> ><br>
> > > manually downloaded are the certs. All in all this seems
to be a
great<br>
> > > improvement. Thanks for making it work.<br>
> ><br>
> > The certs are in the configuration? is there a command or
option to get<br>
> > them?<br>
> ><br>
> > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink <<a
moz-do-not-send="true" href="mailto:teun@moonblade.net">teun@moonblade.net</a>>
wrote:<br>
> > ><br>
> > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley
wrote:<br>
> > > > > I don't have a F5 box, but had put together a
script
while someone<br>
> > had<br>
> > > > > provided remote access, but hadn't finished
testing
it. Would<br>
> > someone<br>
> > > > > with one an F5 download<br>
> > > > > <a moz-do-not-send="true"
href="ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz"
target="_blank">ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz</a><br>
> > > > > and test it, please.<br>
> > > ><br>
> > > > Just did a quick test, it works fine for me. I had
some
issues with the<br>
> > > > previous version which seemed to have some ordering
issues
in the<br>
> > > > output, which resulted in false diffs every single
run. I
don't see<br>
> > them<br>
> > > > in this version, so I'm happy :)<br>
> > > ><br>
> > > > regards,<br>
> > > > Teun<br>
> > > ><br>
> > > > _______________________________________________<br>
> > > > Rancid-discuss mailing list<br>
> > > > <a moz-do-not-send="true"
href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</a><br>
> > > > <a moz-do-not-send="true"
href="http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss"
target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss</a><br>
> > > ><br>
> ><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>