Bug ID 649315: OCSP stapling profile upgrade can fail when the original cert-key-chain's chain is incorrect ; Display OCSP configuration change as warning message on the screen during upgrade

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Mar 06, 2017

Severity: 4-Minor

Related Article: K48359203

Symptoms

Issue 1 (upgrade failure): The upgrade fails with an error message similar to the following:

    emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01071bb2:3: The issuer certificate (/Common/default.crt) does not match the certificate (/Common/rsa-valid.crt). Unexpected Error: Loading configuration process failed.

Issue 2 (message not prompted): Beginning in v13.0.0, a configuration change is applied to OCSP stapling during migration. The migration itself is handled gracefully during upgrade.

Impact

Issue 1 (upgrade failure): Unable to upgrade to a newer version (for example, 13.0.0).

Issue 2 (message not prompted): There are no warning messages, so you might not notice the configuration change during upgrade, which might lead to confusion.

Conditions

-- Upgrading from an older version (earlier than 13.0.0) to a newer version (13.0.0 or later).
-- There exists a client SSL profile with OCSP stapling enabled.
-- The cert-key-chain's chain of the client SSL profile is incorrect, i.e., it does not contain the issuer cert of the cert-key-chain's cert.
-- The cert-key-chain's cert file does not contain its own issuer cert either. In other words, the system is unable to find the issuer cert in either the configured chain or the cert file.
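The following script is an added pre-upgrade check for exactly the condition above; it is example code written for this page, not F5's. Given the PEM files behind a profile, it reports whether the configured chain, or the cert file itself, contains a certificate that actually issued the cert. The file names mirror the page's examples (rsa-valid.crt, default.crt, valid-issuer.crt); the certificates are constructed locally by make_fixture, and openssl is assumed to be on the PATH.

```shell
# Pre-upgrade check for the condition in Bug 649315 (added example, not F5 code):
# does the profile's chain file, or the cert file itself, hold the certificate that
# actually issued the cert? File names mirror the page's /Common/rsa-valid.crt,
# /Common/default.crt and /Common/valid-issuer.crt; the certificates are
# constructed locally by make_fixture, not taken from a BIG-IP.
set -e

# Split a PEM bundle ($1) into one file per certificate, named <prefix>N.pem.
split_pem() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (p n ".pem")}' "$1"
}

# issuer_in_chain CERT [CHAIN]: prints "ok" (exit 0) when a certificate in CHAIN
# or bundled inside CERT's own file verifies CERT's signature; otherwise prints
# "missing" (exit 1), the state that made the 13.0.0 config load fail.
issuer_in_chain() {
  tmp=$(mktemp -d)
  split_pem "$1" "$tmp/cert-"                      # cert-1.pem is the leaf
  [ -n "$2" ] && split_pem "$2" "$tmp/chain-"      # CHAIN may be absent (none)
  leaf="$tmp/cert-1.pem"
  self=$(openssl x509 -noout -fingerprint -sha256 -in "$leaf")
  for cand in "$tmp"/*.pem; do
    # the leaf itself is never an issuer candidate
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$cand")" = "$self" ] && continue
    # -partial_chain: accept the candidate as trust anchor even if it is only an
    # intermediate; -no-CApath/-no-CAfile: do not consult the system trust store.
    if openssl verify -no-CApath -no-CAfile -partial_chain -CAfile "$cand" \
         "$leaf" >/dev/null 2>&1; then
      rm -rf "$tmp"; echo ok; return 0
    fi
  done
  rm -rf "$tmp"; echo missing; return 1
}

# Constructed fixture: valid-issuer signs rsa-valid; default is an unrelated CA.
make_fixture() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=valid-issuer" \
    -keyout "$d/valid-issuer.key" -out "$d/valid-issuer.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=default" \
    -keyout "$d/default.key" -out "$d/default.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rsa-valid" \
    -keyout "$d/rsa-valid.key" -out "$d/rsa-valid.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/rsa-valid.csr" -CA "$d/valid-issuer.crt" \
    -CAkey "$d/valid-issuer.key" -CAcreateserial -out "$d/rsa-valid.crt" >/dev/null 2>&1
}

# Usage: sh ocsp_chain_check.sh CERT_FILE [CHAIN_FILE]
if [ "$#" -ge 1 ]; then issuer_in_chain "$1" "$2"; fi
```

A "missing" verdict for a profile with ocsp-stapling-params set is the profile the upgrade will reject on 13.0.0 or flag with a warning on 13.1.0.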

Workaround

Issue 1 (upgrade failure): When the upgrade failure is seen, it means that the cert-key-chain's chain is in fact not an issuer of the cert, and the system cannot find the cert's issuer in the cert file itself either. The following profile shows this issue:

    ltm profile client-ssl /Common/my_cssl6 {
        app-service none
        cert /Common/rsa-valid.crt
        cert-key-chain {
            rsa-valid_default {
                cert /Common/rsa-valid.crt
                chain /Common/default.crt            <== the chain has no relation to the cert rsa-valid.crt
                key /Common/rsa-valid.key
                ocsp-stapling-params /Common/my_ocsp_stpl4
            }
        }
        chain /Common/default.crt                    <== the chain has no relation to the cert rsa-valid.crt
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key /Common/rsa-valid.key
        passphrase none
    }

There are two ways to work around this.

Workaround 1: Modify /config/bigip.conf and replace the invalid chain with another cert file that is a valid issuer of the cert, for example /Common/valid-issuer.crt.

Step 1: In /config/bigip.conf, adjust the configuration as follows:

    ltm profile client-ssl /Common/my_cssl6 {
        app-service none
        cert /Common/rsa-valid.crt
        cert-key-chain {
            rsa-valid_default {
                cert /Common/rsa-valid.crt
                chain /Common/default.crt            <== change to /Common/valid-issuer.crt
                key /Common/rsa-valid.key
                ocsp-stapling-params /Common/my_ocsp_stpl4   <== keep this line
            }
        }
        chain /Common/default.crt                    <== change to /Common/valid-issuer.crt
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key /Common/rsa-valid.key
        passphrase none
    }

Step 2: Reload the configuration using the following command:

    tmsh load sys conf

Now the configuration should load successfully.

Workaround 2: Workaround 1 requires a valid issuer cert such as /Common/valid-issuer.crt to exist on the system. If there is none, you can remove the ocsp-stapling-params and chain to unblock the load failure, and then re-configure the OCSP settings for the cert and the client SSL profile manually. For example:

Step 1: In /config/bigip.conf, adjust the configuration as follows:

    ltm profile client-ssl /Common/my_cssl6 {
        app-service none
        cert /Common/rsa-valid.crt
        cert-key-chain {
            rsa-valid_default {
                cert /Common/rsa-valid.crt
                chain /Common/default.crt            <== change to none
                key /Common/rsa-valid.key
                ocsp-stapling-params /Common/my_ocsp_stpl4   <== remove this line
            }
        }
        chain /Common/default.crt                    <== change to none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key /Common/rsa-valid.key
        passphrase none
    }

Step 2: Reload the configuration using the following command:

    tmsh load sys conf

Now the configuration should load successfully.

Step 3: Manually re-configure OCSP for the cert and the client SSL profile using the following tmsh commands. (Note: GUI instructions are in K75106155: Configuring OCSP stapling, https://support.f5.com/csp/article/K75106155.)

    tmsh install sys crypto cert valid-issuer from-local-file ~file-path-to-the-issuer-cert-file~
    tmsh modify sys crypto cert rsa-valid.crt issuer-cert valid-issuer.crt cert-validators add { my_ocsp_stpl4 } cert-validation-options { ocsp }
    tmsh modify ltm profile client-ssl my_cssl6 ocsp-stapling enabled

Issue 2 (message not prompted): This is a cosmetic error. No workaround is needed.

Fix Information

Issue 1 (upgrade failure): Instead of the upgrade failure, you will see a warning message indicating that the system cannot find the issuer in the chain or in the cert itself, so no OCSP profile will be assigned to this certificate during upgrade. You must first address the configuration problem mentioned in the message, and then manually add the OCSP cert-validator to the cert, if needed. The message is similar to the following:

    Upgrading ClientSSL (/Common/my_cssl6) CertKeyChain (/Common/rsa-valid.crt): OCSP stapling is changed to disabled during upgrade - the certificate chain (/Common/default.crt) is configured but is not a valid issuer of the certificate (/Common/rsa-valid.crt). Please configure a valid issuer for the certificate or make sure that the certificate file contains its own issuer certificate.

Issue 2 (message not prompted): Instead of messages only in ltm.log, the system now displays the configuration changes as warning messages during upgrade. These messages appear similar to the following:

-- warning mcpd[6094]: 0107185a:4: Warning generated, for version 13.1.0 or greater : Setting strict-responder-certificate-check to true in OCSP object (/Common/ocsp1) as its default value is changed to true.
-- warning mcpd[6094]: 01071859:4: Warning generated : Upgrading OCSP certificate validator (/Common/ocsp_https): Deprecating the OSCP certificate validator because its responder URL (https://responder.url) is not HTTP-based.
-- notice mcpd[6094]: 01071bb6:5: Upgrading ClientSSL (/Common/cssl1) CertKeyChain (/Common/server_1.crt): successfully attached OCSP configuration (/Common/ocsp1) to the certificate (/Common/server_1.crt), and enabled OCSP stapling.
-- warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl2) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - the certificate chain (/Common/c3d_ca.crt) is configured but is not a valid issuer of the certificate (/Common/server_2.crt). Please configure a valid issuer for the certificate or make sure that the certificate file contains its own issuer certificate.
-- warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl3) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade because the OCSP validator (/Common/ocsp_https) has been deprecated during upgrade. Please check previous warning messages or ltm logs for the deprecation reason.
-- mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl4) CertKeyChain (/Common/server_1.crt): the clientSSL profile is now using /Common/ocsp1 for OCSP stapling instead of using /Common/ocsp3 because the certificate (/Common/server_1.crt) has been successfully associated with OCSP validator (/Common/ocsp1) during upgrade.
-- warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl5) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - unable to find an HTTP-based OCSP responder's URL in the AIA (Authority Information Access) extension of the certificate (/Common/server_2.crt) or the configuration of the OCSP validator (/Common/ocsp3).

Behavior Change

Instead of messages only in ltm.log, the system now displays the configuration changes as warning messages during upgrade. These messages appear similar to the following:

    warning mcpd[6094]: 0107185a:4: Warning generated, for version 13.1.0 or greater : Setting strict-responder-certificate-check to true in OCSP object (/Common/ocsp1) as its default value is changed to true.
    warning mcpd[6094]: 01071859:4: Warning generated : Upgrading OCSP certificate validator (/Common/ocsp_https): Deprecating the OSCP certificate validator because its responder URL (https://responder.url) is not HTTP-based.
    notice mcpd[6094]: 01071bb6:5: Upgrading ClientSSL (/Common/cssl1) CertKeyChain (/Common/server_1.crt): successfully attached OCSP configuration (/Common/ocsp1) to the certificate (/Common/server_1.crt), and enabled OCSP stapling.
    warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl2) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - the certificate chain (/Common/c3d_ca.crt) is configured but is not a valid issuer of the certificate (/Common/server_2.crt). Please configure a valid issuer for the certificate or make sure that the certificate file contains its own issuer certificate.
    warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl3) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade because the OCSP validator (/Common/ocsp_https) has been deprecated during upgrade. Please check previous warning messages or ltm logs for the deprecation reason.
    mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl4) CertKeyChain (/Common/server_1.crt): the clientSSL profile is now using /Common/ocsp1 for OCSP stapling instead of using /Common/ocsp3 because the certificate (/Common/server_1.crt) has been successfully associated with OCSP validator (/Common/ocsp1) during upgrade.
    warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl5) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - unable to find an HTTP-based OCSP responder's URL in the AIA (Authority Information Access) extension of the certificate (/Common/server_2.crt) or the configuration of the OCSP validator (/Common/ocsp3).

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips