Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP Install/Upgrade, LTM
Known Affected Versions:
11.5.3, 11.5.2, 11.5.1
Fixed In:
11.6.0, 11.5.4
Opened: Mar 24, 2014
Severity: 3-Major
Related Article:
K11140613
The system does not prevent creation of a clientssl profile with no cert-key-chain name and no cert/key (or a cert/key of 'default'), and does not post an error alerting the user to the condition. The system creates the profile without error. This can cause issues when upgrading.
The system incorrectly allows a blank cert-key-chain name and an empty cert/key in clientssl profiles. When upgrading such a profile to versions 11.5.4, 11.6.0, 12.0.0, or later, the configuration fails to load with a message similar to the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
This occurs when attempting to create a clientssl profile without a cert-key-chain name or cert/key, or a cert/key of 'default'. Note: The system should prevent this, but does not do so in versions 11.5.1, 11.5.2, or 11.5.3.
Use the following steps to work around this issue:
-- To correct the configuration, run the following command:
sed -ie '/"" { }/d' /config/bigip.conf
-- To load the modified configuration, run the following command:
tmsh load sys config
Note: To determine whether profiles are affected, run the following command:
grep '"" { }' /config/bigip.conf -A2 -B1
On affected profiles, the system returns the following output:
cert-key-chain { "" { }
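A pre-check for the workaround above, as an added example that is not F5 code: it names the client-ssl profiles that contain the empty entry and applies the same sed expression to a copy, so the change can be diffed before the live file is edited. The function names and the sample stanzas are constructed for illustration, and the stanza layout ("ltm profile client-ssl <name> {" with the closing brace in column one) is an assumption about how bigip.conf is written.

```shell
#!/bin/sh
# Added example, not F5 code. The sample stanzas below are constructed.

# Print the name of each "ltm profile client-ssl" stanza that contains the
# empty cert-key-chain entry matched by the article's grep pattern.
find_affected_profiles() {
    awk '
        /^ltm profile client-ssl / { name = $4; next }
        substr($0, 1, 1) == "}"    { name = "" }
        name != "" && index($0, "\"\" { }") { print name; name = "" }
    ' "$1"
}

# Write a cleaned copy using the article's sed expression, leaving the
# source file untouched so the two can be compared before anything is loaded.
write_cleaned_copy() {
    sed '/"" { }/d' "$1" > "$2"
}

# Constructed sample: one affected profile and one healthy profile.
write_sample_conf() {
    cat > "$1" <<'EOF'
ltm profile client-ssl /Common/my_client_ssl {
    app-service none
    cert-key-chain {
        "" { }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/good_ssl {
    cert-key-chain {
        site {
            cert /Common/site.crt
            key /Common/site.key
        }
    }
}
EOF
}

workdir=$(mktemp -d)
write_sample_conf "$workdir/bigip.conf"
echo "affected before: $(find_affected_profiles "$workdir/bigip.conf")"
write_cleaned_copy "$workdir/bigip.conf" "$workdir/bigip.conf.cleaned"
echo "affected after:  $(find_affected_profiles "$workdir/bigip.conf.cleaned")"
# diff exits non-zero when the files differ, which is the expected case here.
diff "$workdir/bigip.conf" "$workdir/bigip.conf.cleaned" || true
```

On a real system, point find_affected_profiles at a copy of /config/bigip.conf; an empty result means no profile matches the article's pattern.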
The system now presents an error message when attempting to create a clientssl profile without a cert-key-chain name and a cert/key (or a cert/key of 'default'), and prevents the creation of the profile, so potential upgrade failures no longer occur.