NSX ALB (Avi Networks) HTTP policy set removal

     As I wrote on some of my previous posts, Lets Encrypt automation of certs renewal inside NSX ALB (Avi) platform is very useful for Customer environments utilising large number of web oriented services, which needs to be on free HTTPS setup. These blogs about integration could be found here LINK-1 or LINK-2 for DNS based configurations.

    What I saw from some operational systems is that, occasionally, there is small piece left under HTTP policies (for HTTP-01 based challenges), in parent-child setups of virtual services, where HTTP policy is not removed properly from parent virtual service and that prohibits further renewal of certificate when it's needed. Typical removal of that piece is making troubles because it's associated to virtual service and system is not allowing that change.

    What's needed is to de-associate problematic HTTP policy set from virtual service and then it can be freely removed from system without any issue. This can be accomplished in 2 distinct ways - utilising Avi CLI or API call.

    First option is practically easy and could be accomplished by utilising next CLI commands inside Avi controller:

- connect to Avi controller using SSH and open Avi specific shell using "shell" (admin is preconfigured as user for this - or you can use something on your own, if needed);

- you can check problematic virtual service and all HTTP policies attached to it by using command "show virtual service <vs-name>";

- enter virtual service configuration mode "configure virtual service <vs-name>";

- de-associate problematic HTTP policy with command "no http_policies index <output received from previous command in brackets []";

- exit config mode "exit";

- list all HTTP policy sets "show http policyset";

- delete HTTP policy set using "delete httppolicyset <http-policy-set-name-from-previous-command>".

    Second option is useful by utilising API calls using some client (Postman or similar) and code like this in example:

{
"delete" : {
"http_policies": [{
"http_policy_set_ref": "/api/httppolicyset/<http-policy-uuid>",
          "index": 1000001 ###most probably this is going to be index number for LE script integration
- if not change accordingly###
}]
}
}

    Hope this helps for some of your future Lets Encrypt troubleshootings...




Comments

Popular posts from this blog

NSX ALB LetsEncrypt with DNS-01 challenge - BIND example

VMware SD WAN - multiple locations - LAN IP address space overlapping with NAT

NSX-T Layer 2 bridging - scenarios & use cases