Add support for OCSP in certificate resource #850

Closed
amolari opened this issue Aug 18, 2023 · 3 comments · Fixed by #882 or #885
Labels
Backlog issue will be tracked by JIRA in backlog enhancement

@amolari

amolari commented Aug 18, 2023

Is your feature request related to a problem? Please describe.

We want to be able to configure OCSP stapling. In a first step, the requirement is to configure OCSP for the SSL certificate.
Today it's not possible with TF (resource bigip_ssl_certificate).

Describe the solution you'd like

Add support for OCSP configuration in the SSL certificate object.
We would like to have it implemented along with the new requested resource bigip_ssl_key_certificate (ref: #832)

Describe alternatives you've considered

Additional context

Add any other context or screenshots about the feature request here.

@pgouband
Collaborator

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1286.

@pgouband pgouband added the Backlog issue will be tracked by JIRA in backlog label Aug 30, 2023
This was referenced Oct 11, 2023
@RavinderReddyF5 RavinderReddyF5 added this to the v1.20.0 milestone Oct 11, 2023
@amolari
Author

amolari commented Oct 19, 2023

@RavinderReddyF5 @pgouband
Hi
Testing this with v1.20.0, I do see the following issue:
When I configure the OCSP settings in a bigip_ssl_key_cert resource, it's working fine. Changes too. However, if I re-run with those settings commented, such as:

```hcl
resource "bigip_ssl_key_cert" "swisssign-cert" {
  partition    = "Common"
  key_name     = "ssign.key"
  key_content  = file("ssign/ssign.key.new")
  cert_name    = "ssign.crt"
  cert_content = file("ssign/ssign.crt.new")
#  cert_monitoring_type = "ocsp"
#  issuer_cert = bigip_ssl_certificate.swisssign-ca-bundle-new.full_path
#  cert_ocsp = bigip_sys_ocsp.swisssign-ocsp-new.name
}
```

Then the plan/apply are correct but the OCSP configuration on my BIGIP won't be changed (OCSP settings still present).
Consequent plans do detect it and we get continuously:

```
Terraform will perform the following actions:

  # bigip_ssl_key_cert.swisssign-cert will be updated in-place
  ~ resource "bigip_ssl_key_cert" "swisssign-cert" {
      - cert_monitoring_type = "ocsp" -> null
        id                   = "ssign.key_ssign.crt"
      - issuer_cert          = "/Common/FullChain-SwissSign_RSA_TLS_2022-1" -> null
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
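A plan like the one above can be caught in CI from the machine-readable plan. The following is an added example, not code from the issue or from the provider: it reads `terraform show -json <planfile>` output and lists the OCSP attributes that an in-place update of a `bigip_ssl_key_cert` would change from a set value to null. The sample plan is constructed from the values in the comment, and the function name `ocsp_removals` is hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# mirroring the plan shown in the comment above (values copied from it).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "bigip_ssl_key_cert.swisssign-cert",
        "type": "bigip_ssl_key_cert",
        "change": {
            "actions": ["update"],
            "before": {"id": "ssign.key_ssign.crt",
                       "cert_monitoring_type": "ocsp",
                       "issuer_cert": "/Common/FullChain-SwissSign_RSA_TLS_2022-1"},
            "after": {"id": "ssign.key_ssign.crt",
                      "cert_monitoring_type": None,
                      "issuer_cert": None},
        },
    }]
})

# Attributes named in the issue that carry the OCSP configuration.
OCSP_ATTRS = ("cert_monitoring_type", "issuer_cert", "cert_ocsp")


def ocsp_removals(plan_json):
    """Return (address, attribute, old_value) for each OCSP attribute that an
    in-place update would change from a set value to null or empty."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "bigip_ssl_key_cert" or change.get("actions") != ["update"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        for attr in OCSP_ATTRS:
            if before.get(attr) not in (None, "") and after.get(attr) in (None, ""):
                findings.append((rc["address"], attr, before[attr]))
    return findings


if __name__ == "__main__":
    for address, attr, old in ocsp_removals(SAMPLE_PLAN):
        print(f"{address}: {attr} {old!r} -> null")
```

If the same findings appear again in the plan produced right after an apply, the device still holds the OCSP settings, which is the behaviour reported in this comment.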

@pgouband
Collaborator

Hi @amolari,

There is no default value for OCSP so not adding the parameter can be a revert to default value action.
If you want to set a different value you need to add the parameter in your declaration.
