Last Modified: Oct 17, 2023
Affected Product(s):
BIG-IP Install/Upgrade
Known Affected Versions:
10.2.4, 11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.5.1 HF1, 11.6.1 HF1, 11.5.1 HF2, 11.6.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.6.2 HF1, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1
Fixed In:
11.6.0, 11.5.2, 11.5.1 HF5
Opened: May 28, 2014
Severity: 3-Major
Related Article: K15817
Upgrading from 11.2.1 or earlier fails when the configuration contains client-ssl profiles that inherit from clientssl-insecure-compatible and wom-default-clientssl. Also, upgrading from 11.3.0 fails when the config load fails because a cert or key lacks an extension. Before 11.3.0, the system used the cert and key name without the suffix. After 11.3.0, the system uses the .crt and .key suffixes for certs and keys.
Upgrade fails.
Occurs when upgrading from 11.2.1 or earlier (for the issue with client-ssl profiles that inherit from clientssl-insecure-compatible and wom-default-clientssl), and from 11.3.1 or earlier (for the issue with certs and keys that have no .crt/.key suffixes).
The workaround is to reconfigure affected SSL profiles so that they inherit from the newer versions of the profiles, and to apply suffixes to the cert and key files.
Upgrade to 11.5.0 and later from 11.2.1/11.3.0 and earlier now works correctly in these cases:
-- client-ssl profiles inherited from clientssl-insecure-compatible and wom-default-clientssl.
-- no .crt/.key suffixes on cert/key.
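
A pre-upgrade check for the two conditions described above, as an added example that is not F5's code: it scans configuration text for client-ssl profiles that inherit from the two legacy parents or that reference a cert or key without the .crt/.key suffix. The 11.x stanza layout (ltm profile client-ssl with defaults-from, cert and key lines), the function name and the sample config are assumptions; 10.x configurations use a different syntax that this does not parse.

```python
import re

# Parent profiles named on this page as breaking the upgrade.
LEGACY_PARENTS = {"clientssl-insecure-compatible", "wom-default-clientssl"}

# Assumed 11.x layout: a top-level stanza closed by "}" in column 0.
STANZA = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)
ATTR = re.compile(r"^[ \t]+(defaults-from|cert|key)[ \t]+(\S+)[ \t]*$", re.M)
SUFFIX = {"cert": ".crt", "key": ".key"}


def find_upgrade_blockers(config_text):
    """Return sorted (profile, problem) tuples for both conditions on this page."""
    findings = set()  # a set, so repeated cert/key lines report once
    for name, body in STANZA.findall(config_text):
        for attr, value in ATTR.findall(body):
            base = value.rsplit("/", 1)[-1]  # drop a partition prefix such as /Common/
            if attr == "defaults-from":
                if base in LEGACY_PARENTS:
                    findings.add((name, f"inherits from {base}"))
            elif base != "none" and not base.endswith(SUFFIX[attr]):
                findings.add((name, f"{attr} {base} lacks {SUFFIX[attr]} suffix"))
    return sorted(findings)


# Constructed sample, not taken from a real device.
SAMPLE = """\
ltm profile client-ssl /Common/legacy-app {
    cert /Common/test
    defaults-from /Common/clientssl-insecure-compatible
    key /Common/test
}
ltm profile client-ssl /Common/wom-app {
    cert /Common/wom.crt
    defaults-from /Common/wom-default-clientssl
    key /Common/wom.key
}
ltm profile client-ssl /Common/clean-app {
    cert /Common/site.crt
    defaults-from /Common/clientssl
    key /Common/site.key
}
"""

if __name__ == "__main__":
    for profile, problem in find_upgrade_blockers(SAMPLE):
        print(f"{profile}: {problem}")
```

Every profile it reports needs the workaround applied before the upgrade is attempted; an empty result means neither condition was found in the text that was scanned.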