How to update SSL Client Profile after importing the renewed certificate
I don't see any API for this under -> iControl.LocalLB.ProfileClientSSL
or just setting key and certificate file (iControl.LocalLB.ProfileClientSSL.set_key_file, set_certificate_file) will update the client profile?
btw,
I am automating the certificate renewal process.
Thanks,
Raghu
- Mark_Worrell_98 (Historic F5 Account): Hi -
- Raghu_Nair_7463 (Nimbostratus): I am designing an automation program for Cert Renewal for BIG-IP 9.x version onwards using the iControl API.
- Raghu_Nair_7463 (Nimbostratus): So I need to make a working solution for all versions which support iControl API (9.x onwards).
- Jonathan_Scholi (Cirrostratus): Most of the functions listed here will work for 9.x on: http://devcentral.f5.com/wiki/iControl.LocalLB__ProfileClientSSL.ashx
- mhite_60883 (Cirrocumulus): We've found that you can't just replace the file and expect the existing Profile tied to the file to notice. Had to forcefully do a config reload from the CLI if memory serves me correct. Probably the best approach is to create a new profile with the new certificate and just flip the VIP over to new profile. Optionally delete old profile and cert...
- Raghu_Nair_7463 (Nimbostratus): I wonder what Admin screen does or what API it invokes (Local Traffic -> Profiles -> SSL - Client) when clicking update button.
- Raghu_Nair_7463 (Nimbostratus): I found one more solution to it but this requires ssh login to the box. Using the following command "bigpipe load" with user's permission as the user may lose session data while doing this.
- hooleylist (Cirrostratus): You can click update on each SSL profile which references the updated cert/key files. This will not have any effect on live traffic like reloading the full configuration would.
- Jason_Adams (Employee):
I was just searching for a solution to this behavior, and this is one of the first links that came up...so I thought I would drop by and post the official Solution Article on this:
SOL13345: The BIG-IP system may incorrectly associate a newly-imported SSL certificate/key pair to other SSL profiles
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13345.html?sr=35294954

Workaround
For a BIG-IP system that has already encountered this issue, you can recover the BIG-IP system by reloading the configuration or updating the SSL profiles. To do so, perform any of the following procedures:
- Reloading the configuration
- Updating SSL profiles

Reloading the configuration
Impact of workaround: Traffic processing is briefly interrupted while the configuration reloads.
1. Log in to the Traffic Management Shell (tmsh) by entering the following command:
   tmsh
   Note: If you are currently logged in to the tmsh shell, you can skip this step.
2. Reload the BIG-IP configuration by typing the following command:
   load /sys config

Updating SSL profiles
Impact of workaround: None.
1. Log in to the BIG-IP Configuration utility.
2. Navigate to Local Traffic > Profiles > SSL > Client or Server, depending on the affected SSL profiles.
3. Click the name of the affected SSL profile.
4. Click Update.
5. Repeat Steps 2 through 4 for the remaining affected SSL profiles.

FIXED IN
Type of Fix - Versions Fixed - Related Articles
Release - 11.2.0 - SOL2200: Most recent versions of F5 software
Hotfix - 11.1.0 HF2 - SOL9502: BIG-IP hotfix matrix
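
A post-renewal check for the behaviour discussed in this thread (a profile that keeps serving the old certificate until it is updated or the configuration is reloaded), as an added example that is not from the thread or from F5: it compares the SHA-256 fingerprint of the renewed certificate with what each virtual server presents. The endpoint names and the sample PEM blobs are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import ssl

HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text):
    """SHA-256 hex fingerprint of the first certificate in a PEM string."""
    start = pem_text.index(HEADER)
    end = pem_text.index(FOOTER, start) + len(FOOTER)
    # Hash the DER bytes so PEM line wrapping or leading text cannot change the result.
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()

def fetch_served(endpoints):
    """Fetch the leaf certificate each (host, port) presents. Needs network access."""
    return {f"{h}:{p}": ssl.get_server_certificate((h, p)) for h, p in endpoints}

def stale_endpoints(renewed_pem, served_pems):
    """Names of endpoints whose served certificate is not the renewed one."""
    want = pem_fingerprint(renewed_pem)
    return sorted(n for n, pem in served_pems.items() if pem_fingerprint(pem) != want)

def constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armour; a stand-in for a real certificate."""
    return f"{HEADER}\n{base64.encodebytes(payload).decode()}{FOOTER}\n"

# Constructed sample data: one endpoint picked up the renewal, one did not.
OLD_PEM = constructed_pem(b"constructed bytes standing in for the expired cert")
NEW_PEM = constructed_pem(b"constructed bytes standing in for the renewed cert")
SAMPLE_SERVED = {"vip-a.example:443": NEW_PEM, "vip-b.example:443": OLD_PEM}

if __name__ == "__main__":
    # In real use: served = fetch_served([("vip-a.example", 443), ...])
    for name in stale_endpoints(NEW_PEM, SAMPLE_SERVED):
        print(f"{name} still serves the old certificate; update its SSL profile")
```

In an automated renewal job, a non-empty result from `stale_endpoints` is the signal to apply one of the workarounds above before treating the renewal as complete.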