SSL certs reset to default on 12.1.3 with client profile change

Can you provide before and after screenshots, and the output of

tmsh list ltm profile client-ssl 

This looks like a known issue

Probably best to raise a support case and see if you can get a Engineering hotfix.

F5 has acknowledged that this is a known bug, but there is no patch yet.

VJ,

The above posted question is in reference to making change over GUI alone, right.

Correct. UI update. I added No TLS1 to a client cipher, saved and the ssl certs reset to default. Put my certs back and save and they stay there. Remove No TLS1, save, the cert chain resets again to default.

Thanks for the info. I recall something similar happening in older 11.x version too. I was updating the ciphers section using the custom checkbox enabled, updating the custom clientssl with the cipher & saving it. Post that noticed the certs changed too. I noticed the certs were changed to the 1st cert in the dropdown option of all certs present on the box.

In your case its going to default one, let me try that again and see what cert it got mapped too.

This seems very familiar. It can be fixed permanently with a one-time effort.

During software upgrade, boolean value of

inherit-certkeychain

clientssl

Fix:

1. Take raw backup of current bigip.conf file:

   cp /config/bigip.conf /var/tmp/bigip.conf.bak

2. Open up

   /config/bigip.conf

   with vi or alternative, and search for

   inherit-certkeychain

   keyword occurrences. For every custom clientssl profile that should use their own dedicated certificate/key pairs, replace configuration line that says

   inherit-certkeychain true

   with

   inherit-certkeychain false

   . (If the broken profile does not have inherit-certkeychain line in it's configuration, then add it yourself and make sure it's value is "false")
3. Save changes to /config/bigip.conf and load in new configuration to TMOS with

   tmsh load sys config

   .

Now you can implement changes to your clientssl profiles via GUI normally.

Note: This can be implemented on a live production system with no negative impact. But there's substantial risk of messing up configuration. Do your own due diligence during low activity hours with just 1 profile, or ideally test everything in a testing environment.

Regards,

Your call, but recommend to try a bit further before setting for an engineering hotfix. Personally, I'd only ever request engineering hotfixes for severe issues where user-side configuration adjustments do not suffice, i.e. memory leaks.

With ENG-HF, until the issue at hand is addressed in main release cycle, you will miss out on security updates and other bug fixes.

Regards,

yeah. it's not a huge issue for me. it's not like we're constantly changing our SSL profiles. just noticed it as we turned off tlsv1 & 1.1.

even if there was a hf, not sure if it's important enough for me to apply to all of our boxes

Hannes,

ID701626 is not related to an upgrade issue or to

inherit-certkeychain

If anyone does encounter this issue, please raise a support ticket.