Bug ID 1029321: Renewal of certificates provided by Venafi or Let's Encrypt fails if the certificate is used in a profile

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IQ ADC (all modules)

Known Affected Versions:
7.1.0, 7.1.0.1, 7.1.0.2, 7.1.0.3, 7.1.6, 7.1.6.1, 7.1.7, 7.1.7.1, 7.1.7.2, 7.1.8, 7.1.8.1, 7.1.8.2, 7.1.8.3, 7.1.8.4, 7.1.8.5, 7.1.9, 7.1.9.7, 7.1.9.8, 7.1.9.9, 8.0.0.1, 8.1.0, 8.1.0.1, 8.1.0.2

Opened: Jun 26, 2021

Severity: 3-Major

Symptoms

Renewing a certificate signed by Let's Encrypt or Venafi from the BIG-IQ GUI or API fails. The BIG-IQ GUI reports no error; the failure is only visible as an error in the logs.

Impact

The certificate is not renewed, and the following error is logged: [/cm/adc-core/external-ca/lets-encrypt/csr-request/<uuid>/worker LetsEncryptCertRequestTaskWorker] Error occurred while deleting key state with exception : /Common/<key name>.key is in use by Profile Client SSL '/Common/<profile name>'.
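Because the GUI reports nothing, the logged line is the only signal that a renewal was blocked. The following Python script is an added example, not part of this bug page and not an F5 tool: it scans log lines for the message quoted above and reports which key is held by which Client SSL profile, so an operator knows what to un-pin or repoint before retrying. The timestamp and log-level prefix, the sample UUID, and the key and profile names are constructed for illustration. The pattern keys on the "is in use by Profile Client SSL" message rather than on the Let's Encrypt worker name, on the assumption that a Venafi renewal task logs the same message (the page does not show that variant).

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Matches the failure line quoted in the Impact section. Anything before the
# opening "[" (timestamp, host, level) is tolerated as an arbitrary prefix,
# because the exact prefix format is not shown on the bug page (assumption).
RENEWAL_BLOCKED_RE = re.compile(
    r"\[(?P<task>/cm/adc-core/external-ca/[^\s\]]+)\s+(?P<worker>\S+)\]\s+"
    r"Error occurred while deleting key state with exception\s*:\s*"
    r"(?P<key>/\S+?\.key) is in use by Profile Client SSL '(?P<profile>[^']+)'"
)


class BlockedRenewal(NamedTuple):
    task: str      # REST path of the renewal task that failed
    worker: str    # worker class name logged in brackets
    key: str       # key object that could not be replaced
    profile: str   # Client SSL profile still referencing that key


def parse_blocked_renewal(line: str) -> Optional[BlockedRenewal]:
    """Return a BlockedRenewal if the line is the known failure, else None."""
    m = RENEWAL_BLOCKED_RE.search(line)
    if not m:
        return None
    return BlockedRenewal(m["task"], m["worker"], m["key"], m["profile"])


def scan_log(lines: Iterable[str]) -> List[BlockedRenewal]:
    """Return one BlockedRenewal per matching line, in log order."""
    return [r for r in (parse_blocked_renewal(line) for line in lines) if r]


def keys_blocked_by_profile(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each blocked key to the set of profiles holding it.

    This is the list an operator has to work through (un-pin from devices,
    repoint the profiles) before a manual renewal can succeed.
    """
    held: Dict[str, Set[str]] = {}
    for r in scan_log(lines):
        held.setdefault(r.key, set()).add(r.profile)
    return held


# Constructed sample log excerpt (not captured from a real BIG-IQ). The UUID,
# key name and profile names are made up; the prefix format is assumed.
SAMPLE_LOG = """\
2023-09-13 10:02:11,104 INFO  [/cm/adc-core/external-ca/lets-encrypt/csr-request/5d2d6c1e-0000-4000-8000-000000000001] Starting renewal
2023-09-13 10:02:12,517 ERROR [/cm/adc-core/external-ca/lets-encrypt/csr-request/5d2d6c1e-0000-4000-8000-000000000001/worker LetsEncryptCertRequestTaskWorker] Error occurred while deleting key state with exception : /Common/www-example.key is in use by Profile Client SSL '/Common/www-example-clientssl'.
2023-09-13 10:02:12,518 ERROR [/cm/adc-core/external-ca/lets-encrypt/csr-request/5d2d6c1e-0000-4000-8000-000000000001/worker LetsEncryptCertRequestTaskWorker] Error occurred while deleting key state with exception : /Common/www-example.key is in use by Profile Client SSL '/Common/api-clientssl'.
2023-09-13 10:02:13,002 INFO  [/cm/shared/licensing/pools] Pool refresh complete
"""


if __name__ == "__main__":
    for key, profiles in keys_blocked_by_profile(SAMPLE_LOG.splitlines()).items():
        print(f"{key} blocks renewal; held by: {', '.join(sorted(profiles))}")
```

Run it against the BIG-IQ log file instead of SAMPLE_LOG to get the list of key/profile pairs to clear before attempting the workaround; an empty result after a failed renewal means the failure is something other than this bug.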

Conditions

- The CSR was signed by Venafi or Let's Encrypt.
- The certificate and key are used by a profile or pinned to a managed BIG-IP device.
- You are trying to renew the certificate, manually or automatically.

Workaround

1- Un-pin the certificate and key from all BIG-IP devices that use it.
2- Change your SSL Profile configuration on BIG-IQ to use a different cert/key pair. Do not deploy these changes to your BIG-IP.
3- Manually renew the certificate.
4- Revert the changes made in steps #1 and #2.
5- Deploy the changes to the BIG-IP.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips