Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP Install/Upgrade, LTM
Known Affected Versions:
11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2, 11.5.4 HF2
Opened: Apr 12, 2016 Severity: 3-Major Related Article:
K16098
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3. The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.
Configuration fails to load. The system posts an error message that might appear similar to one of the following: -- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed. -- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
The issue occurs when all the below conditions are met. 1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3). 2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'. 3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).
To workaround this situation, modify the configuration file before upgrading: 1. Check the config file /config/bigip.conf. 2. Identify the clientssl profile without a cert/key. For example, it might look similar to the following: ltm profile client-ssl /Common/cssl_no-cert-key2 { app-service none cert none cert-key-chain { "" { } } chain none defaults-from /Common/clientssl inherit-certkeychain false key none passphrase none } Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example: ltm profile client-ssl /Common/cssl_no-cert-key2 { app-service none cert none cert-key-chain { default { } } chain none defaults-from /Common/clientssl inherit-certkeychain false key none passphrase none } 3. Remove the clientssl profile from /config/bigip.conf. 4. Run the command: tmsh load sys conf. 5. Re-create the clientssl profiles you need.
None