Bug ID 741599: After upgrade, Client SSL profile may have extra cert-key-chain structure

Last Modified: Sep 19, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 14.0.0.5

Opened: Aug 24, 2018
Severity: 3-Major

Symptoms

Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.x. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade. The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.

Impact

Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.

Conditions

-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly). -- The 'clientssl' built-in profile, if that profile has been modified via the GUI. -- Upgrade from pre-v14.0.0 versions to v14.0.x.

Workaround

There are two parts to this workaround: one to complete before upgrading and one after. Before Upgrade: Use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attributes values back to their default by specifying the value as 'default-value'. After Upgrade: Perform the following procedure for SSL profiles that are not configured for SSL forward proxy: 1. Delete the extra cert-key-chain objects by doing either a) or b): a) Manually edit the /config/bigip.conf configuration file with a text editor, remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles, and save the config b) Assuming no Forward Proxy is in use, run the following command, and then save the config. tmsh modify ltm profile client-SSL all cert-key-chain delete { CA_default } 3. Reload the configuration: tmsh load sys config 4. Check that the config loads correctly and there are no more CA objects: tmsh list ltm profile client-SSL all cert-key-chain | grep CA_default

Fix Information

The system no longer adds an extra cert-key-chain structure in Client SSL profiles after upgrade from pre-v14.0.0 versions.

Behavior Change