Bug ID 631316: Unable to load config with client-SSL profile error

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5

Fixed In:
14.0.0, 13.1.0.6, 12.1.3.2, 11.6.3.2

Opened: Dec 01, 2016
Severity: 3-Major
Related AskF5 Article:
K62532020

Symptoms

Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Impact

Configuration can not be loaded.

Conditions

This occurs when both of the following conditions are met: -- The system is loading config. -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example: cert-key-chain { cert /Common/default.crt <==== default cert chain /Common/chainCA.crt <==== non-empty key /Common/default.key <==== default key rsa { cert /Common/default.crt <==== default cert chain /Common/chainCA.crt <==== non-empty key /Common/default.key <==== default key } }

Workaround

Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again. Steps: 1. Open the configuration file in a text editor. 2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition). 3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example: cert-key-chain { cert /Common/kc.crt <==== changed to non-default chain /Common/chainCA.crt key /Common/kc.key <==== changed to non-default rsa { cert /Common/kc.crt <==== changed to non-default chain /Common/chainCA.crt key /Common/kc.key <==== changed to non-default } } 4. Save your changes, and then run the following command: tmsh load sys conf

Fix Information

None

Behavior Change