Symptoms

Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Impact

Configuration can not be loaded.

Conditions

This occurs when both of the following conditions are met: -- The system is loading config. -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example: cert-key-chain { cert /Common/default.crt <==== default cert chain /Common/chainCA.crt <==== non-empty key /Common/default.key <==== default key rsa { cert /Common/default.crt <==== default cert chain /Common/chainCA.crt <==== non-empty key /Common/default.key <==== default key } }

Workaround

Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again. Steps: 1. Open the configuration file in a text editor. 2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition). 3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example: cert-key-chain { cert /Common/kc.crt <==== changed to non-default chain /Common/chainCA.crt key /Common/kc.key <==== changed to non-default rsa { cert /Common/kc.crt <==== changed to non-default chain /Common/chainCA.crt key /Common/kc.key <==== changed to non-default } } 4. Save your changes, and then run the following command: tmsh load sys conf

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips