Last Modified: Feb 11, 2025
Affected Product(s):
BIG_IP_NEXT(CM) TMOS
Known Affected Versions:
20.2.0, 20.2.1
Opened: May 28, 2024 Severity: 3-Major
An error occurs in LLM logs at the Central Manager licensing screen during BIG-IP Next license activation:

...... error while getting Signed Ack. Response: <html> <head><title>400 The SSL certificate error</title></head> <body> <center><h1>400 Bad Request</h1></center> <center>The SSL certificate error</center> <hr><center>server</center> </body> </html>
...... ack verification task failed with Error: LICENSING-1120::<html> <head><title>400 The SSL certificate error</title></head> <body> </html>
Unable to perform License Activation on BIG-IP Next Instance from Central Manager.
- Central Manager - License Activation
For License Activation: log in to the CM shell as admin and perform the steps below.

-------------------------------------------------------------------
Step A:
-------------------------------------------------------------------
Copy the Vault client certificate from the LLM pod to CM so that the Vault server can be reached.
Execute the commands below to obtain tls.key, tls.crt and ca.crt for performing operations on LLM objects:

kubectl get secrets/mbiq-llm-vault-client-cert -o 'go-template={{index .data "tls.key"}}' | base64 -d > tls.key
kubectl get secrets/mbiq-llm-vault-client-cert -o 'go-template={{index .data "tls.crt"}}' | base64 -d > tls.crt
kubectl get secrets/mbiq-vault-cert -o 'go-template={{index .data "ca.crt"}}' | base64 -d > ca.crt

-------------------------------------------------------------------
Step B:
-------------------------------------------------------------------
Get the client token to perform operations on the LLM objects.

1. Execute the command below to get the Vault IP:

kubectl get svc | grep mbiq-vault-active

Example:
$ kubectl get svc | grep mbiq-vault-active
mbiq-vault-active   ClusterIP   10.1.1.1   <none>   8200/TCP,8201/TCP   11h

Note: If "kubectl get svc | grep mbiq-vault-active" returns no IP, execute the command below and use the IP of the mbiq-vault service (not mbiq-vault-internal, which is headless and shows None):

kubectl get svc | grep mbiq-vault

Example:
$ kubectl get svc | grep mbiq-vault
mbiq-vault-internal   ClusterIP   None       <none>   8200/TCP,8201/TCP   25d
mbiq-vault            ClusterIP   10.1.1.2   <none>   8200/TCP,8201/TCP   25d

2. Use the IP obtained above to generate the client_token. Each client_token is valid for a single operation only, so a new one must be generated for every API call on LLM objects:

curl --insecure --request PUT --cacert ca.crt --cert tls.crt --key tls.key --data '{"name": "llm"}' https://<Vault IP>:8200/v1/auth/cert/login | jq '.auth.client_token'

Example:
$ curl --insecure --request PUT --cacert ca.crt --cert tls.crt --key tls.key --data '{"name": "llm"}' https://10.1.1.1:8200/v1/auth/cert/login | jq '.auth.client_token'

Example client_token output:
"hvs.CAESIABDIsdPQxrJzfCNqRhTzI4L2f26SOmjp1Wp2dKp2zIvGh4KHGh2cy5DWkRkbVpKVTRLNjZsWW1UejBDM1ZnN0I"

Note: --insecure disables verification of the Vault server certificate, so --cacert ca.crt is not enforced on these connections; the Vault service is a ClusterIP and is only reachable from inside the cluster network.

-------------------------------------------------------------------
Step C:
-------------------------------------------------------------------
Delete the LLM objects: certs, privateKey, digitalAssetID and certificateChain.
Execute the commands below to delete certs, privateKey, digitalAssetID and certificateChain of the llm pod.

Note: Each of the commands below needs a new client_token; use Step B-2 to generate it before each command. This is required because a client_token is valid for a single operation only.

Fetch the client_token from B-2, then:
curl --insecure --cacert ca.crt --header "X-Vault-Token: <client_token>" -X DELETE https://<Vault IP>:8200/v1/secret/llm/certs

Fetch the client_token from B-2, then:
curl --insecure --cacert ca.crt --header "X-Vault-Token: <client_token>" -X DELETE https://<Vault IP>:8200/v1/secret/llm/privateKey

Fetch the client_token from B-2, then:
curl --insecure --cacert ca.crt --header "X-Vault-Token: <client_token>" -X DELETE https://<Vault IP>:8200/v1/secret/llm/digitalAssetID

Fetch the client_token from B-2, then:
curl --insecure --cacert ca.crt --header "X-Vault-Token: <client_token>" -X DELETE https://<Vault IP>:8200/v1/secret/llm/certificateChain

Example:
curl --insecure --cacert ca.crt --header "X-Vault-Token: hvs.CAESIABDIsdPQxrJzfCNqRhTzI4L2f26SOmjp1Wp2dKp2zIvGh4KHGh2cy5DWkRkbVpKVTRLNjZsWW1UejBDM1ZnN0I" -X DELETE https://10.1.1.1:8200/v1/secret/llm/certs
curl --insecure --cacert ca.crt --header "X-Vault-Token: hvs.CAESIFiHjXY4LNxlKoIyO1NfdGQBs-bK3Cpkh4SSc_k4u75eGh4KHGh2cy5uVGR5RFFLd2d6dGhEaVRZeEpvUFdTT1E" -X DELETE https://10.1.1.1:8200/v1/secret/llm/privateKey
curl --insecure --cacert ca.crt --header "X-Vault-Token: hvs.CAESIJfIwIzEprlD5r589sK9YELSlhOuZtx-rpMx8sV-e6YvGh4KHGh2cy5vTFBzM0JYUlZkQzBlWE43bGQ4NG1uTXQ" -X DELETE https://10.1.1.1:8200/v1/secret/llm/digitalAssetID
curl --insecure --cacert ca.crt --header "X-Vault-Token: hvs.CAESIOJj_40Zd2z3vyXzRBaRMS-A_o-GR8ottySpNn4SvStKGh4KHGh2cy5pZHBOY0djWVNGUnZwS3ZIdFpPTnZCaHk" -X DELETE https://10.1.1.1:8200/v1/secret/llm/certificateChain

-------------------------------------------------------------------
Step D:
-------------------------------------------------------------------
Restart the LLM pod.

Execute the command below to retrieve the pod details:
kubectl get pods | grep llm

Restart the pod using the command below:
kubectl delete pod <pod name>

Check the status of the LLM pod using the command below:
kubectl get pods | grep llm

Because the LLM objects were cleared in Step C, they are recreated with correct values when the pod restarts.

Example:
$ kubectl get pods | grep llm
mbiq-llm-84c56d748d-jn7jm   2/2   Running   0   29m
$ kubectl delete pod mbiq-llm-84c56d748d-jn7jm
pod "mbiq-llm-84c56d748d-jn7jm" deleted
$ kubectl get pods | grep llm
mbiq-llm-84c56d748d-5rdlz   0/2   PodInitializing   0   4s
$ kubectl get pods | grep llm
mbiq-llm-84c56d748d-5rdlz   2/2   Running   0   6s

Once the pod is in a Running state, initiate the license operation (Activate / Switch License) from CM.

After the activation is successful, delete the key and certificate files extracted in Step A:
rm -f tls.key tls.crt ca.crt
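The whole workaround (Steps A to D) as one script, added here as an example and not F5's own tooling. It wraps each step in a function so that the Vault IP selection, the one-token-per-delete rule and the pod readiness check are explicit and fail loudly instead of continuing with an empty token or a pod that never came back. It assumes kubectl, curl, jq and base64 are available in the CM shell, the object and service names used in this article (mbiq-llm-vault-client-cert, mbiq-vault-cert, mbiq-vault-active / mbiq-vault, secret/llm/<name>), a 2/2 container count for the LLM pod as in the example output, and that the key, cert and CA files are only needed for Steps B and C, so they are removed before the license operation is started from CM.

```shell
#!/bin/sh
# Added example (not F5's code): Steps A-D of the workaround as functions.
# Assumed names are those in the article; see the lead-in above.
set -u

VAULT_PORT=8200
LLM_OBJECTS="certs privateKey digitalAssetID certificateChain"

# Step A: extract the Vault client key/cert and the CA into the working dir.
fetch_vault_client_certs() {
  kubectl get secrets/mbiq-llm-vault-client-cert -o 'go-template={{index .data "tls.key"}}' | base64 -d > tls.key
  kubectl get secrets/mbiq-llm-vault-client-cert -o 'go-template={{index .data "tls.crt"}}' | base64 -d > tls.crt
  kubectl get secrets/mbiq-vault-cert -o 'go-template={{index .data "ca.crt"}}' | base64 -d > ca.crt
  chmod 600 tls.key   # the private key is the credential; keep it owner-readable only
}

# Step B-1: pick the Vault ClusterIP from `kubectl get svc` output on stdin.
# Prefers mbiq-vault-active, falls back to mbiq-vault, never returns the
# headless mbiq-vault-internal entry (ClusterIP "None"). Exit 1 if none found.
pick_vault_ip() {
  awk '$1 == "mbiq-vault-active" && $3 != "None" { active = $3 }
       $1 == "mbiq-vault"        && $3 != "None" { plain  = $3 }
       END { if (active != "") print active; else if (plain != "") print plain; else exit 1 }'
}
vault_ip() { kubectl get svc | pick_vault_ip; }

# Step B-2: one fresh token per call, because each token is single-use.
# --insecure is kept as in the article: it disables verification of the Vault
# server certificate, so ca.crt is not actually checked on this connection.
vault_token() {
  curl -s --insecure --request PUT --cacert ca.crt --cert tls.crt --key tls.key \
       --data '{"name": "llm"}' "https://$1:${VAULT_PORT}/v1/auth/cert/login" \
    | jq -r '.auth.client_token'
}

# Step C: delete each LLM object with its own token; stop on the first failure
# rather than continuing with an empty or already-consumed token.
delete_llm_objects() {
  ip="$1"
  for name in $LLM_OBJECTS; do
    token="$(vault_token "$ip")"
    if [ -z "$token" ] || [ "$token" = "null" ]; then
      echo "could not obtain a client_token for $name" >&2
      return 1
    fi
    curl -s --insecure --cacert ca.crt --header "X-Vault-Token: ${token}" \
         -X DELETE "https://${ip}:${VAULT_PORT}/v1/secret/llm/${name}" >/dev/null || return 1
  done
}

# Step D helpers: parse `kubectl get pods` output on stdin. The pod is ready
# when the READY column is 2/2 and STATUS is Running, as in the article.
pick_llm_pod() {
  awk '$1 ~ /^mbiq-llm-/ { print $1; found = 1; exit } END { exit !found }'
}
llm_pod_ready() {
  awk '$1 ~ /^mbiq-llm-/ && $2 == "2/2" && $3 == "Running" { ok = 1 } END { exit !ok }'
}

restart_llm_pod() {
  pod="$(kubectl get pods | pick_llm_pod)" || { echo "LLM pod not found" >&2; return 1; }
  kubectl delete pod "$pod"
  i=0                                   # wait up to ~2 minutes for the replacement
  while [ "$i" -lt 60 ]; do
    kubectl get pods | llm_pod_ready && return 0
    sleep 2
    i=$((i + 1))
  done
  echo "LLM pod did not reach 2/2 Running" >&2
  return 1
}

cleanup_certs() { rm -f tls.key tls.crt ca.crt; }

main() {
  fetch_vault_client_certs
  ip="$(vault_ip)" || { echo "no Vault ClusterIP found" >&2; cleanup_certs; return 1; }
  delete_llm_objects "$ip" || { cleanup_certs; return 1; }
  cleanup_certs                         # Vault access is finished; drop the key material
  restart_llm_pod || return 1
  echo "LLM objects cleared and pod restarted; activate the license from Central Manager now."
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it from the CM shell as `sh clear_llm_objects.sh run` (file name is arbitrary); sourcing the file without the `run` argument only defines the functions, which is how the parsing helpers can be checked against saved kubectl output before anything is deleted.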
None