Jump to content
Welcome to our new Citrix community!

Netscaler upgrade error

Recommended Posts

upgradin a VPX from 11.1 to 12.1, I get this:


Installation is starting ...
installns: [1588]: Installation is starting ...
installns: [1588]: detected  Version >= NS6.0
installns: [1588]: Installation path for kernel is /flash
ns.conf check skipped at user's request
installns: [1588]: ns.conf check skipped at user's request

installns: [1588]: Size of kernel ns-12.1-51.19.gz is 147114 kilobytes
installns: [1588]: Available space on /flash/ filesystem is 1312938 kilobytes
installns: [1588]: Available space on /var is 6069956 kilobytes
installns: [1588]: Checking directories ...
unable to load certificate
34374099944:error:0906D06C:PEM routines:PEM_read_bio:no start line:/home/build/rs_111_61_4_RTM/usr.src/crypto/openssl/crypto/pem/pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
openssl failed with exit code 256. please reach Citrix Support.


any clue what that is ?

I can;t see any problematic certificates, the /home folder is empty, there is no such file as "pem_lib.c" ...

Link to comment
Share on other sites

  • 5 months later...

After the initial failure, today i got the approval for another attempt at the upgrade.


What happened meanwhile:


1. the Netscalers, which were on VPX, got migrated to VMware. I achieved this by being lazy:

- deployed new 11.1 (same build) VPX boxes on VMWare

- broke the HA, shut down one node

- added as HA pair node one of the VMWare based NSs + sync'ed

- remove the remaining node on hyper-v, shutdown

- add the remaining VMWare node to the pair.

All customer services up, tests went fine.


2. i looked at the suggestion provided, and noticed that one of the pairs had all internal services (traffic management=>load balancing=>services=>internal services) down. No certificate bound to them (this was the secondary node at that moment). I checked the other (primary) node, and all the internal services were up with the "ns-server-certificate" bound to them.


Now comes the weird part: the secondary node did not even have the "ns-server-certificate" installed. It was present as a file, along with the key and the req, but not installed and also not installable (i ran "add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key" but it gives me "ERROR: Invalid private key, or PEM pass phrase required for this private key").

Next, i tried binding a server certificate that was present on the node. I picked one of the customer service cert and bound it to all internal services, and they went up. Tried the upgrade, same error as in the initial post. Then i noticed the certificate i bound was and old, expired one, so i replaced it with the current version. Same thing, same error.

As i did a failover, i noticed that now both nodes are running the internal services on the newly bound certificate.


Another thing i noticed while attempting to recreate "ns-server-certificate" as a self signed certificate was that it is being replicated from the primary to the secondary node.

Shouldn't this certificate be nominal to each box ?


Next i will try to get a proper CA certificate with a SAN for both hostnames og the nodes in the HA pair.  Hopefully this will make a difference.

Link to comment
Share on other sites

ok, something big is definitely broken.

Whenever i try to do any operations i getstuff like this:


root@Netscaler# openssl req -new -out obstructed.csr -newkey rsa:2048 -nodes -sha256 -keyout obstructed.temp-key -config req.conf
error on line -1 of req.conf
34374099944:error:02001002:system library:fopen:No such file or directory:/home/build/rs_111_61_4_RTM/usr.src/crypto/openssl/crypto/bio/bss_file.c:175:fopen('req.conf','rb')
34374099944:error:2006D080:BIO routines:BIO_new_file:no such file:/home/build/rs_111_61_4_RTM/usr.src/crypto/openssl/crypto/bio/bss_file.c:178:
34374099944:error:0E078072:configuration file routines:DEF_LOAD:no such file:/home/build/rs_111_61_4_RTM/usr.src/crypto/openssl/crypto/conf/conf_def.c:195:


root@Netscaler# openssl rsa -in ns-server.key -out new_ns-server.key
unable to load Private Key
34374099944:error:0906D06C:PEM routines:PEM_read_bio:no start line:/home/build/rs_111_61_4_RTM/usr.src/crypto/openssl/crypto/pem/pem_lib.c:696:Expecting: ANY PRIVATE KEY


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...