
After upgrade to 11.1 All certificates have been lost and gateway config gone

Started by Justin Shay , 02 March 2017 - 03:42 PM
10 replies to this topic


Justin Shay Members

Justin Shay
  • 35 posts

Posted 02 March 2017 - 03:42 PM

I have upgraded one of my NetScalers in an HA cluster from 11.0-69.12 to 11.1 to 11.1-51.26 and all of my configuration for NetScaler Gateway has been cleared.  When I went to re-add it I noticed that all of the certs have been removed as well.  Has anyone else run into this before?  The certs are all there in the ssl folder but do not show up in the web console.



Sam Jacobs CTP Member

Sam Jacobs
  • 6,733 posts

Posted 02 March 2017 - 04:02 PM

Yes, I have experienced this a few times. I don't know why sometimes an upgrade works fine, and sometimes the SSL certificate(s) get "lost". The fix is to copy the relevant lines from the ns.conf file, and simply copy and paste them via the CLI. Don't forget to save the config when done.



Paul Blitz Members

Paul Blitz
  • 3,857 posts

Posted 02 March 2017 - 05:46 PM

What license are you using?

 

If not a purchased one, then the SSL certkeys will disappear if the license has expired, and you reboot.



Justin Shay Members

Justin Shay
  • 35 posts

Posted 02 March 2017 - 06:59 PM

We are using a 200 license



Mark Hodges Members

Mark Hodges
  • 68 posts

Posted 16 March 2017 - 07:47 PM

This here is one of the stupid damn things I have ever seen in a system and it's bit me in the ass a few times.

I completely understand without a license the certs not working, etc., but at no point should the POS software remove configurations or files. It should just mark them as invalid.

 

In the event something with the license goes sideways, I should be able to just fix the license issue, reboot and be back in service.

As it is now, a screwup with licensing is a multi-hour fix....which is BS...



Carl Stalhood CTP Member

Carl Stalhood
  • 11,759 posts

Posted 17 March 2017 - 10:57 AM

You should be able to go to /nsconfig and find one of the ns.conf.# files that have the add sslCertKey commands. Rename the file to ns.conf, reboot, and everything should come back.

Johannes Norz Members

Johannes Norz
  • 566 posts

Posted 17 March 2017 - 11:27 AM

You should be able to go to /nsconfig and find one of the ns.conf.# files that have the add sslCertKey commands. Rename the file to ns.conf, reboot, and everything should come back.

Carl, this works fine, but it is far from best practice. The reason for this ns.conf.<netscalerversion> is: ns.conf syntax might change from version to version (I have seen this from 9.x to 9.x). If you do this, NetScaler might either not execute all of the config file, or delete the config file as a whole and end up with no IP at all. You should at least replace "rename" with copy to "ns.conf" to make sure it won't get lost :P

 

The method Sam mentioned is better, but also unsupported (as editing the ns.conf file is unsupported for the reasons mentioned above). The only supported method is recreating the certificate from the existing certificate files (or executing the lines Sam mentioned, which would be the same).
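
An added example, not part of any post in this thread: a shell helper for the recovery route discussed above (Sam's "copy the relevant lines" and Carl's ns.conf.# backups). It lists the `add ssl certKey` commands that exist in a pre-upgrade backup but not in the current ns.conf, and only emits those whose certificate and key files are still present in the ssl folder. The function names are hypothetical, and it assumes certKey names without spaces and the usual `add ssl certKey <name> -cert <file> -key <file>` line format.

```shell
#!/bin/sh
# Added example (not from the thread): find certKey definitions lost in an
# upgrade by comparing a backup config with the current one.

# opt LINE FLAG -> prints the value following FLAG on a config line, if any.
opt() {
    printf '%s\n' "$1" |
        awk -v f="$2" '{for (i = 1; i < NF; i++) if ($i == f) {print $(i + 1); exit}}'
}

# missing_certkeys OLD_CONF NEW_CONF SSL_DIR
# stdout: "add ssl certKey" commands from OLD_CONF whose name is not defined
#         in NEW_CONF and whose -cert/-key files exist in SSL_DIR.
# stderr: one note per command held back because a referenced file is absent.
missing_certkeys() {
    old_conf=$1 new_conf=$2 ssl_dir=$3
    # Names already defined after the upgrade (4th field of each command).
    have=$(grep -i '^add ssl certKey ' "$new_conf" | awk '{print $4}')
    grep -i '^add ssl certKey ' "$old_conf" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | awk '{print $4}')
        if printf '%s\n' "$have" | grep -qxF -- "$name"; then
            continue                        # survived the upgrade
        fi
        ok=1
        for flag in -cert -key; do
            file=$(opt "$line" "$flag")
            [ -z "$file" ] && continue      # e.g. a CA cert has no -key
            case $file in /*) path=$file ;; *) path=$ssl_dir/$file ;; esac
            if [ ! -f "$path" ]; then
                echo "skip $name: $path not found" >&2
                ok=0
            fi
        done
        if [ "$ok" -eq 1 ]; then printf '%s\n' "$line"; fi
    done
}

# Stand-alone use: sh script.sh <backup ns.conf.#> <current ns.conf> <ssl dir>
if [ "$#" -eq 3 ]; then missing_certkeys "$@"; fi
```

The output is a reviewable list of commands to paste into the CLI, followed by saving the config as Sam notes; it never edits ns.conf itself.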



Srikanth Challa Citrix Employees

Srikanth Challa
  • 8 posts

Posted 20 March 2017 - 03:43 AM

As this is a cluster setup, the steps used for upgrading the NetScaler need to be considered. There can be multiple reasons for config loss before looking into a possible bug condition on the upgraded NetScaler version.

 

Check this article for the upgrade/downgrade checklist for a cluster: http://docs.citrix.com/en-us/netscaler/11-1/clustering/cluster-upgrade-downgrade.html

 

In order to check the config difference, run the pre vs post upgrade option under Diagnostics in the NS GUI. Apply the difference batch file accordingly.



Paul Blitz Members

Paul Blitz
  • 3,857 posts

Posted 20 March 2017 - 11:08 AM

I think Justin is actually using High Availability (he called it "HA Cluster", and is using VPX 200 devices), so things shouldn't be as complex as Srikanth thinks!



Srikanth Challa Citrix Employees
  • #10

Srikanth Challa
  • 8 posts

Posted 20 March 2017 - 01:04 PM

My bad Paul, you seem to be correct. Even with an HA setup, the first thing to check is the steps taken for the upgrade. As of now I am not aware of any particular bugs related to NSG config loss for upgrade between 11.0 and 11.1. Analysis of the support logs will help understand the root cause.



Justin Shay Members
  • #11

Justin Shay
  • 35 posts

Posted 13 April 2017 - 03:54 PM

I am sorry it has taken me so long to respond to this thread.  I ended up going back to the old version and trying the upgrade again and that time it worked fine.


Best Answer