Bug ID 534111: [SSL] Config sync problems when modifying cert in default client-ssl profile

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0, 11.6.1 HF1, 11.5.4 HF2

Opened: Jul 17, 2015
Severity: 3-Major
Related AskF5 Article:
K75309122

Symptoms

Config sync problems after modifying cert in default client-ssl profile when the profile is already active and in use on members in a high availability configuration.

Impact

After config sync, units in the sync group have different cert/key settings for client-ssl profiles. You can see this in the inherit-certkeychain setting, which changes from 'true' to 'false' after syncing the configuration with the changed default value.

Conditions

Modify cert in default client-ssl profile and perform a config sync operation.

Workaround

1. Remove client-ssl definitions from bigip.conf on each unit. 2. Reload the config. 3. Synchronize the config.

Fix Information

The system now correctly syncs the default client-ssl profile that was modified with a new cert and key, so the active and standby unit configurations now have the correct cert/key settings after config sync.

Behavior Change