Upgrade to 30.2.5 failed due to configuration migration issues.

Article ID: 415266

Products

VMware Avi Load Balancer

Issue/Introduction

  • Upgrade to 30.2.5 can be unsuccessful due to configuration migration failures.
  • The upgrade transcripts show errors similar to the following:
    • Certificate with Invalid SAN values:
      "UC::Migration failed for object of type SSLKeyAndCertificate, with uuid sslkeyandcertificate-xxxxxx-xxxxxx at function upgrade_SSLKeyAndCertificate for version 30.2.5 with exception: (\"Invalid SAN values found for certificate: ['test123', 'test789'].\",) ::UC"
    • Certificate with Duplicate SAN values:
      "UC::Migration failed for object of type SSLKeyAndCertificate, with uuid sslkeyandcertificate-xxxxxx-xxxxxx at function upgrade_SSLKeyAndCertificate for version 30.2.5 with exception: (\"Duplicate SAN values found for certificate: ['DNS:foo.org'].\",) ::UC"
    • Certificate with Invalid and Duplicate SAN values:
      "UC::Migration failed for object of type SSLKeyAndCertificate, with uuid sslkeyandcertificate-xxxxxx-xxxxxx at function upgrade_SSLKeyAndCertificate for version 30.2.5 with exception: (\"Invalid SAN values found for certificate: ['test1234'].Duplicate SAN values found for certificate: ['DNS:foo.bar'].\",) ::UC"

Environment

  • Upgrade to version 30.2.5 from any version.

Cause

  • Versions prior to 30.2.5 did not strictly validate SAN values.
  • During upgrade to 30.2.x versions, outages can occur for certificates with invalid wildcard FQDNs.
  • Renewal may also fail for certificates containing SAN entries that do not comply with RFC 5280, such as FQDNs with underscores or Unicode characters.
  • To address this, strict RFC 5280 compliance validation was introduced.
  • However, this change caused upgrade failures for certificates containing short names or duplicate SAN entries, which customers commonly use in certificates signed by private CAs for internal consumption.
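As an added pre-upgrade check (not Avi's code; the migration's exact validation rules are an assumption), the following Python approximates the strict RFC 5280 dNSName validation described above and reports invalid and duplicate entries in the same shape as the migration errors:

```python
import re
from typing import List, Tuple

# Added pre-upgrade check; not Avi's code. It approximates the strict RFC 5280
# dNSName validation the article describes so that certificates likely to fail
# the 30.2.5 migration can be found before upgrading. The exact rules the
# migration applies are an assumption; treat a clean result as a hint, not proof.

# One hostname label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns_san(name: str) -> bool:
    """Return True if a DNS SAN value is an FQDN acceptable under the strict rules."""
    if not name.isascii() or len(name) > 253:
        return False  # Unicode names would need IDNA (punycode) encoding
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False  # short names such as 'test123' are rejected
    if labels[0] == "*":
        labels = labels[1:]  # a wildcard is allowed only as the leftmost label
    return all(LABEL_RE.match(label) for label in labels)


def check_san_list(sans: List[str]) -> Tuple[List[str], List[str]]:
    """Return (invalid, duplicate) entries, mirroring the two migration errors."""
    invalid, duplicates, seen = [], [], set()
    for san in sans:
        if san in seen and san not in duplicates:
            duplicates.append(san)  # duplicates are reported with their prefix
        seen.add(san)
        kind, sep, name = san.partition(":")
        if not sep:  # bare value: treat it as a DNS name
            kind, name = "DNS", san
        if kind == "DNS" and not is_valid_dns_san(name):
            invalid.append(name)  # invalid names are reported without prefix
    return invalid, duplicates


# Constructed sample SAN list modelled on the article's error messages.
SAMPLE_SANS = [
    "DNS:foo.org", "DNS:foo.org", "DNS:test123", "DNS:*.foo.org",
    "DNS:my_host.foo.org", "DNS:bücher.example", "IP:10.0.0.1",
]

if __name__ == "__main__":
    bad, dup = check_san_list(SAMPLE_SANS)
    if bad:
        print(f"Invalid SAN values found for certificate: {bad}.")
    if dup:
        print(f"Duplicate SAN values found for certificate: {dup}.")
```

Run it over the SAN list extracted from each certificate on the controller; any certificate with a non-empty result is a candidate for correction or for the 30.2.5-2p1 patch path.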
Resolution

  • A fix will be provided in the upcoming patch, 30.2.5-2p1, for the releases with this known issue.
  • The fix relaxes SAN validation to allow short names and duplicate entries in SAN fields.
  • The recommendation is to upgrade to 30.2.5 and apply the 30.2.5-2p1 patch in the SAME step.
  • To perform the upgrade and patch in the same step, follow the steps below:
    • Upload the 30.2.5 Image AND the 30.2.5-2p1 patch to the controller.
    • Navigate to Administration>System Update.
    • Select both the image and patch and then click on Upgrade as shown in the screenshot below.
    • This will apply the base image and the patch in the same step.
  • Release Notes: 30.2.5 Release Notes.
  • Bug ID: AV-254455
  • Fix Versions: 30.2.5-2p1

Additional Information

  • This sanity check was added to avoid datapath issues as reported in AV-233616.
  • Known Issues on 30.2.2 documents the impact of invalid SAN values on virtual services (VSs).