Symptom
The user is unable to upgrade Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM). The upgrade fails because the FDM HTTPS certificate has expired.
The upgrade failure log shows:
Aug 30 19:28:38 BRFW0001 SF-IMS[31110]: [31110] Cisco_FTD_SSP_FP2K_Upgrade-7.2.0-82:800_post/100_ftd_onbox_data_import.sh [ERROR] Fatal error: The chosen certificate has already expired. Please apply an unexpired certificate.
Aug 31 15:44:43 BRFW0001 SF-IMS[30044]: [30044] Cisco_FTD_SSP_FP2K_Upgrade-7.2.0-82:800_post/100_ftd_onbox_data_import.sh [ERROR] Fatal error: The chosen certificate has already expired. Please apply an unexpired certificate.
Conditions
FTD managed by FDM
FDM HTTPS cert expired
Workaround
Replace the HTTPS certificate by following the steps documented here:
https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-system.html#task_31B0F47D39444D6EB91A552A2B93B63E
[The steps below assume the Primary unit is Active; the same steps apply if the Secondary is Active.]
1. Replace the certificate on FDM of the Primary-Active
2. Fail over to make the Secondary active
3. Replace the certificate on FDM of the Secondary-Active
4. Fail over again to restore the original Active unit
Further Problem Description
1. Because this is a certificate-expiration issue, it can carry over into later versions if your base image or a previous upgrade passed through one of the affected versions.
2. The HTTPS certificate cannot be installed from the command-line interface (CLI); follow the instructions for replacing it through the FDM GUI.
3. The GUI remains accessible in normal use; in this defect the expired HTTPS certificate prevents upgrades from completing successfully.
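As a pre-upgrade check added here (not part of this defect note or of Cisco's upgrade tooling), the following Python scans an upgrade log for the fatal error shown under Symptom and decides from the FDM certificate's notAfter date whether an upgrade should start. The sample log is constructed from the lines in this note plus one unrelated line; the notAfter string format (as printed by "openssl x509 -noout -enddate") and the one-day upgrade window are assumptions.

```python
import re
import ssl
import time

# Signature of the post-upgrade import failure recorded in this defect's upgrade log.
CERT_EXPIRED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) SF-IMS\[\d+\]: "
    r".*?(?P<script>\S+) \[ERROR\] Fatal error: The chosen certificate has already expired"
)

# Constructed sample: the two lines from the defect note plus one unrelated (made-up) line.
SAMPLE_LOG = """\
Aug 30 19:28:38 BRFW0001 SF-IMS[31110]: [31110] Cisco_FTD_SSP_FP2K_Upgrade-7.2.0-82:800_post/100_ftd_onbox_data_import.sh [ERROR] Fatal error: The chosen certificate has already expired. Please apply an unexpired certificate.
Aug 30 19:28:40 BRFW0001 SF-IMS[31110]: [31110] Cisco_FTD_SSP_FP2K_Upgrade-7.2.0-82:800_post/110_other.sh [INFO] done.
Aug 31 15:44:43 BRFW0001 SF-IMS[30044]: [30044] Cisco_FTD_SSP_FP2K_Upgrade-7.2.0-82:800_post/100_ftd_onbox_data_import.sh [ERROR] Fatal error: The chosen certificate has already expired. Please apply an unexpired certificate.
"""


def find_cert_expiry_errors(log_text):
    """Return one dict (ts, host, script) per log line matching the expired-certificate fatal error."""
    hits = []
    for line in log_text.splitlines():
        m = CERT_EXPIRED_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def days_remaining(not_after, now=None):
    """Days until not_after, given in the "Aug 30 19:28:38 2024 GMT" format that
    'openssl x509 -noout -enddate' prints and ssl.getpeercert() returns.
    A negative result means the certificate has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def upgrade_preflight(not_after, min_days=1.0, now=None):
    """Decide whether to start the upgrade: the FDM HTTPS certificate must be valid
    now and stay valid for at least min_days (the assumed upgrade window)."""
    days = days_remaining(not_after, now)
    if days < 0:
        return False, "FDM HTTPS certificate expired %.1f days ago; replace it via the FDM GUI first" % -days
    if days < min_days:
        return False, "FDM HTTPS certificate expires in %.1f days; replace it before upgrading" % days
    return True, "certificate valid for %.1f more days" % days
```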