Last Modified: Apr 17, 2024
Affected Product(s):
BIG-IP Install/Upgrade, TMOS
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4
Opened: Jul 21, 2019 Severity: 3-Major
Upgrade failure when loading configuration file or ucs from older version, with the below error message against child client-ssl profile: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.
Unable to upgrade the system with old configuration.
The issue occurs when all of the following conditions are met: -- When upgrading from an older version (earlier than 14.0.0) to a newer version (14.1.0 or later). -- The configuration has a child client SSL profile that inherits from a parent client SSL profile. -- The parent SSL profile has SSL forward proxy enabled and proxy-ca-cert/proxy-ca-key configured.
You can workaround this issue using the following procedure: 1. Manually edit /config/bigip.conf to add the following lines: proxy-ca-cert /Common/rsa.crt proxy-ca-key /Common/rsa.key 2. Reload the configuration using the following command: tmsh load sys config Here is an example: ltm profile client-ssl /Common/child { app-service none cert /Common/default.crt cert-key-chain { default { cert /Common/default.crt key /Common/default.key } } chain none defaults-from /Common/parent inherit-certkeychain true key /Common/default.key passphrase none proxy-ca-cert /Common/rsa.crt <===== add this line proxy-ca-key /Common/rsa.key <===== add this line }
None