This seems very familiar. It can be fixed permanently with a one-time effort.
During a software upgrade, the boolean value of inherit-certkeychain in your custom clientssl profiles may get tampered with. Last time I upgraded, this bug only affected custom clientssl profiles where one or more settings were derived from another custom clientssl profile. In my experience, this bug has never affected custom clientssl profiles that only inherit settings from the system-default clientssl profile.
Fix:
- Take a raw backup of the current bigip.conf file:
  cp /config/bigip.conf /var/tmp/bigip.conf.bak
- Open /config/bigip.conf with vi or an alternative, and search for occurrences of the inherit-certkeychain keyword. For every custom clientssl profile that should use its own dedicated certificate/key pair, replace the configuration line that says inherit-certkeychain true with inherit-certkeychain false. (If the broken profile does not have an inherit-certkeychain line in its configuration, then add it yourself and make sure its value is "false".)
- Save the changes to /config/bigip.conf and load the new configuration into TMOS with:
  tmsh load sys config
Now you can implement changes to your clientssl profiles via the GUI normally.
Note: This can be implemented on a live production system with no negative impact. But there's a substantial risk of messing up the configuration. Do your own due diligence during low-activity hours with just 1 profile, or ideally test everything in a testing environment.
Regards,
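
An added example, not part of the original post: a read-only check for the search step above that lists every client-ssl profile derived from another custom profile whose inherit-certkeychain is true or absent. It assumes stanzas of the form `ltm profile client-ssl <name> {` with a `defaults-from` line; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample stanzas (not taken from a real system); the stanza
# layout "ltm profile client-ssl <name> {" is an assumption of this example.
sample_conf() {
cat <<'EOF'
ltm profile client-ssl /Common/parent_custom {
    cert-key-chain {
        parent_0 {
            cert /Common/parent.crt
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
}
ltm profile client-ssl /Common/child_flipped {
    defaults-from /Common/parent_custom
    inherit-certkeychain true
}
ltm profile client-ssl /Common/child_missing {
    defaults-from /Common/parent_custom
}
ltm profile client-ssl /Common/child_ok {
    defaults-from /Common/parent_custom
    inherit-certkeychain false
}
EOF
}

# Read-only audit: prints "<profile> <parent> <true|missing>" for profiles
# that derive from another custom profile and do not say "false".
# Reads the file given as argument, or stdin when called without one.
audit_clientssl() {
    awk '
    depth == 0 && $1 == "ltm" && $2 == "profile" && $3 == "client-ssl" && $NF == "{" {
        name = $4; parent = "none"; inherit = "missing"; depth = 1; next
    }
    depth > 0 {
        # Only top-level keys of the stanza count, not nested blocks.
        if (depth == 1 && $1 == "defaults-from") parent = $2
        if (depth == 1 && $1 == "inherit-certkeychain") inherit = $2
        if ($NF == "{") depth++
        if ($1 == "}") depth--
        if (depth == 0 && parent != "/Common/clientssl" && parent != "none" && inherit != "false")
            print name, parent, inherit
    }' "$@"
}

sample_conf | audit_clientssl   # demo run on the constructed sample
```

Running `audit_clientssl /config/bigip.conf` before and after an upgrade and comparing the two outputs shows which profiles changed, without opening the file in an editor.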