Bug ID 464683: Upgrading fails when using config containing client-ssl profiles inherited from clientssl-insecure-compatible and wom-default-clientssl, and on crt/key upgrade

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
10.2.4, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4

Fixed In:
11.6.0, 11.5.2, 11.5.1 HF5

Opened: May 28, 2014
Severity: 3-Major
Related AskF5 Article:
K15817

Symptoms

Upgrading from 11.2.1 or earlier fails when configurations contain client-ssl profiles inherited from clientssl-insecure-compatible and wom-default-clientssl. Also, upgrading from 11.3.0 fails when the config load fails due to lack of an extension on the cert or key. Before 11.3.0, the system used not 'key test, without the suffix. After 11.3.0, the system uses the .crt and .key suffixes for certs and keys.

Impact

Upgrade fails.

Conditions

Occurs when upgrading from 11.2.1 or earlier (for the issue: client-ssl profiles inherited from clientssl-insecure-compatible and wom-default-clientssl), and from 11.3.1, or earlier (for the issue: no .crt/.key suffixes on cert/key).

Workaround

The workaround is to reconfigure affected SSL profiles so that they inherit from the newer versions of the profiles, and to apply suffixes to the cert and key files.

Fix Information

Upgrade to 11.5.0 and later from 11.2.1/11.3.0 and earlier now works correctly in these cases: -- client-ssl profiles inherited from clientssl-insecure-compatible and wom-default-clientssl. -- no .crt/.key suffixes on cert/key.

Behavior Change