Bug ID 1029321: Renewal of certificates provided by Venafi or Let's Encrypt fails if the certificate is used in a profile

Last Modified: May 29, 2024

Affected Product(s):
BIG-IQ ADC(all modules)

Known Affected Versions:
7.1.0, 7.1.0.1, 7.1.0.2, 7.1.0.3, 7.1.6, 7.1.6.1, 7.1.7, 7.1.7.1, 7.1.7.2, 7.1.8, 7.1.8.1, 7.1.8.2, 7.1.8.3, 7.1.8.4, 7.1.8.5, 7.1.9, 7.1.9.7, 7.1.9.8, 7.1.9.9, 8.0.0.1, 8.1.0, 8.1.0.1, 8.1.0.2

Opened: Jun 26, 2021

Severity: 3-Major

Symptoms

Trying to renew certificates signed by Let's Encrypt/Venafi from the GUI or API of BIG-IQ does not work. No error is returned in the BIG-IQ GUI, but a error is logged.

Impact

Renewal fails with the following error in the logs: [/cm/adc-core/external-ca/lets-encrypt/csr-request/<uuid>/worker LetsEncryptCertRequestTaskWorker] Error occurred while deleting key state with exception : /Common/<key name>.key is in use by Profile Client SSL '/Common/<profile name>'.

Conditions

- The CSR was signed by Venafi or Let's Encrypt. - The certificate and key are used by a profile or pinned to a managed BIG-IP device. - You are trying to manually (or automatically) renew the certificate.

Workaround

1- Un-pin the certificate and key from all BIG-IP devices that use it. 2- Change your SSL Profile configuration on BIG-IQ, and use a different cert/key pair. Do not deploy these changes to your BIG-IP. 3- Manually renew the certificate. 4- Revert changes done in step #1 and #2. 5- Deploy changes to the BIG-IP.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips