During an Ignition 8.x to 9.x PKG upgrade the default MD5-signed certificates were kept for backwards compatibility while introducing a new set of SHA256-signed certificates for 9.x releases. The co-existence of these default certificate pairs can lead to various system failures, primarily in HA deployments.
RESOLUTION 1 - REBUILD Configuration
Deploy a fresh 9.x-based Ignition OVA.
Rebuild the entire configuration.
Recommended for small configurations with minimal authenticators and policy definitions.
New permanent licensing is required.
RESOLUTION 2 - PATCH Configuration
Save a backup of your Ignition Server configuration.
Generate a trouble ticket from Ignition Dashboard.
Recommended for large or complex configurations with multiple authentications and policy definitions.
Manual patching requires modification of an existing configuration. The response is best-effort, generally within two to three business days, excluding weekends. Any configuration changes made after the time of configuration backup (step 1) will need to be redone following restoration of the patched configuration.
A maintenance window to restore the configuration is required with Extreme GTAC support.
HA configurations will need to be temporarily broken and restored to complete this operation.
Sample display of Certificates via Dashboard suggesting issue is present: