Bug ID 1110949: Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 17.0.0, 17.0.0.1, 17.0.0.2

Opened: May 30, 2022

Severity: 3-Major

Symptoms

Invalid config after iControl call: the certificate and key of the child profile do not change as expected.

Impact

1. The child profile has an incorrect configuration. 2. The older certificate/key can not be deleted as they are still in use in the child profile.

Conditions

1. The SSL profile should default from a parent profile. 2. iControl REST is used to change the certkeychain of the parent profile. 3. The issue cannot be seen after the first call but from the second call, it's always reproducible.

Workaround

Can use currently deprecated iControl call by using key and cert instead of certkeychain as follows: curl -k -u admin:admin -H "Content-Type: application/json" -X PATCH https://10.155.75.246/mgmt/tm/ltm/profile/client-ssl/parent.example.com -d '{"key":"/Common/default.key","cert":"/Common/default.crt"}'

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips