Bug ID 1282757: On upgrade, systems might overwrite key due to automatic firmware updating

Last Modified: Feb 08, 2024

Affected Product(s):
F5OS Velos(all modules)

Fixed In:
F5OS-A 1.7.0, F5OS-A 1.5.0

Opened: Mar 31, 2023

Severity: 1-Blocking

Related Article: K000133379

Symptoms

When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.

Impact

The api-service-gateway container does not come up and there is no communication with the tenant.

Conditions

Upgrading to a new version where automatic firmware updates get started at boot-up.

Workaround

Docker exec -it system_manager bash /confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key" /confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"

Fix Information

The encryption key will not generate a new key unless the TPM module has none. The code will continue to retry until it succeeds or ConfD timeout occurs (300 seconds).

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips