1265 Views | 0 Helpful | 2 Replies

CSCwd11825 - FDM upgrade failure due to HTTPS cert expired

This same issue affects my FPR-2110 attempting to upgrade from 7.0.1-84 to 7.0.7-519 or to 7.2.7.500. The system always reboots in a rolled back state without the upgrade having completed.

As the work-around seems to suggest creating a new cert, any time I attempt to create and add a new internal self-signed certificate through the "Management Web Server" interface, it appears to create OK as I refresh the browser and the newly created cert is used. But, there is now a new deployment job showing that this certificate needs to be deployed. Attempting to deploy the job always fails. You cannot upgrade the Firepower while there are undeployed jobs. So, I'm stuck in a loop.

Looks like I am going to have to re-open my ticket from last July and get some help from Cisco!

2 Replies

jenny464din
Level 1

Hello,

It sounds incredibly frustrating to be stuck in this upgrade loop with your FPR-2110! It's especially concerning that the workaround of creating a new certificate is creating more problems with the undeployable job. Since you've already had a ticket open with Cisco, reopening it is definitely the right move. Here's a breakdown of why and what you should emphasize when you contact them again:

The Core Issue: The failed upgrades and constant rollbacks point to a deeper problem than just the certificate. It could be a bug in the upgrade process, a compatibility issue, or even a problem with the device's storage.
The Certificate Complication: The fact that you can create the certificate but can't deploy it suggests a problem with the Firepower's management interface or its ability to process deployment jobs. This might be related to the underlying upgrade issue.
The Upgrade Block: The undeployed job is effectively blocking any further attempts to upgrade, creating a catch-22 situation.

Mark Ftc
Level 1

I believe I ran into this exact same scenario maybe 6 months ago. I'm trying to remember how I went about resolving it. I don't have a perfect memory of how I did it, but here is what I remember:

1: I was running FPR-FDM in an HA pair. When I tried to upgrade the secondary-standby unit first, it would go into its reboot and when it came back up, the upgrade failed and the code version was reverted back to the original starting version.

2: I logged into the secondary-standby FPR via SSH and moved into 'expert' mode. Navigated to /var/log/sf/<CODE-VERSION> and ran the 'tail -f status.log' command to see the upgrade logs. The last couple of logs indicated the management web certificate needed to be renewed. I don't recall the specific message, but it pointed me in that direction.

3: Like you, I generated a new self-signed certificate and applied that to the management interface. However, I believe the trick was I had to do this process (generate a new self-signed cert) on BOTH the primary and secondary FPR node (I'm not 100% certain you are running HA). Just doing this on the primary node will not cut it (if I recall correctly). I do not recall if I had to break HA or pause HA to do this; I don't think I did.

I'm not sure about your deploy failure, I would need more context/logs.
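A pre-upgrade check, added here as an example and not code from the thread or from Cisco, that turns the two diagnostic steps described in the reply above into something to run before the maintenance window: it verifies that the management web server certificate is not expired or about to expire, and pulls the certificate-related lines out of an upgrade status.log so a rollback can be triaged quickly. The demo certificate, the log lines and the FDM_HOST placeholder are constructed for this example; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Cisco.
# Assumptions: openssl is on PATH; FDM_HOST is a hypothetical placeholder for
# the device's management address; the certificate and status.log below are
# constructed demo data, not taken from a real Firepower.

# Exit 0 if the PEM certificate in $1 is still valid $2 seconds from now,
# 1 if it expires (or has already expired) within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Same check against the certificate the management web server actually
# presents on TCP 443. Needs network reach to the device, so the offline
# demo below does not call it.
fdm_cert_valid_for() {
    echo | openssl s_client -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -checkend "$2" >/dev/null 2>&1
}

# Print the lines of an upgrade status.log that mention a certificate,
# which is the quick triage for a rolled-back upgrade.
cert_lines_in_log() {
    grep -i 'cert' "$1"
}

# --- Constructed demo data ---
demo_dir=$(mktemp -d)

# A throwaway self-signed certificate valid for one day stands in for the
# management web certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=fdm-demo' \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" >/dev/null 2>&1

# Constructed log excerpt; the wording is invented, only the version numbers
# come from the thread.
cat > "$demo_dir/status.log" <<'EOF'
2024-03-01 02:00:01 INFO  upgrade 7.0.1-84 -> 7.0.7-519 starting
2024-03-01 02:00:05 INFO  running pre-install checks
2024-03-01 02:00:06 ERROR management web server certificate has expired
2024-03-01 02:00:07 INFO  upgrade failed, rolling back to 7.0.1-84
EOF

# Report: is the certificate good for the next 30 days (2592000 s)?
if cert_valid_for "$demo_dir/cert.pem" 2592000; then
    echo "certificate OK for the next 30 days"
else
    echo "certificate expires within 30 days: renew before upgrading"
    # For a live device: fdm_cert_valid_for "$FDM_HOST" 2592000
fi
echo "certificate-related status.log lines:"
cert_lines_in_log "$demo_dir/status.log"
```

On a live device the same check is `fdm_cert_valid_for <management-address> 2592000`, run from any host that can reach the management web server. The status.log the reply points at lives under /var/log/sf/<CODE-VERSION>/ in expert mode; the script only reads the file, so it can just as well run over a copy pulled off the box, and a rollback whose last lines name the certificate is the case the workaround in CSCwd11825 is meant for.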
