Bug ID 631316: Unable to load config with client-SSL profile error

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0

Fixed In:

Opened: Dec 01, 2016

Severity: 3-Major

Related Article: K62532020


Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'


Configuration cannot be loaded.


This occurs when both of the following conditions are met:

-- The system is loading config.
-- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt.

For example:

    cert-key-chain {
        cert /Common/default.crt        <==== default cert
        chain /Common/chainCA.crt       <==== non-empty
        key /Common/default.key         <==== default key
        rsa {
            cert /Common/default.crt    <==== default cert
            chain /Common/chainCA.crt   <==== non-empty
            key /Common/default.key     <==== default key
        }
    }
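The trigger condition above can be checked before a config load or upgrade. The following is an added example, not F5 code: a line-oriented Python scan of bigip.conf text that reports client SSL profiles whose cert-key-chain uses /Common/default.key together with a non-empty chain or a non-default cert. The function names, the constructed sample profiles, and treating an absent chain or the value "none" as empty are assumptions.

```python
DEFAULT_CERT = "/Common/default.crt"
DEFAULT_KEY = "/Common/default.key"

def is_trigger(fields):
    """True if one cert/chain/key group matches the condition described above."""
    if fields.get("key") != DEFAULT_KEY:
        return False
    chain = fields.get("chain", "none")  # assumption: absent or 'none' means empty
    return chain != "none" or fields.get("cert", DEFAULT_CERT) != DEFAULT_CERT

def find_affected_profiles(conf_text):
    """Return sorted names of client-ssl profiles with a triggering cert-key-chain."""
    affected, stack = set(), []  # stack holds one [header, fields] frame per open block
    for raw in conf_text.splitlines():
        line = raw.split("<====")[0].strip()  # tolerate the annotation arrows used on this page
        if line.endswith("{"):
            stack.append([line[:-1].strip(), {}])
        elif line == "}" and stack:
            header, fields = stack.pop()
            headers = [h for h, _ in stack] + [header]
            profile = next((h for h in headers if h.startswith("ltm profile client-ssl ")), None)
            if profile and "cert-key-chain" in headers and is_trigger(fields):
                affected.add(profile.split()[-1])
        elif stack:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in ("cert", "chain", "key"):
                stack[-1][1][parts[0]] = parts[1].strip()
    return sorted(affected)

def sample_profile(name, cert, chain, key):
    """Build one constructed sample stanza (not taken from a real system)."""
    return (f"ltm profile client-ssl /Common/{name} {{\n    cert-key-chain {{\n        rsa {{\n"
            f"            cert {cert}\n            chain {chain}\n            key {key}\n"
            "        }\n    }\n}\n")

SAMPLE_CONF = (
    sample_profile("affected_chain", DEFAULT_CERT, "/Common/chainCA.crt", DEFAULT_KEY)
    + sample_profile("affected_cert", "/Common/kc.crt", "none", DEFAULT_KEY)
    + sample_profile("fixed", "/Common/kc.crt", "/Common/chainCA.crt", "/Common/kc.key")
    + sample_profile("stock", DEFAULT_CERT, "none", DEFAULT_KEY)
)

if __name__ == "__main__":
    for name in find_affected_profiles(SAMPLE_CONF):
        print("affected client-ssl profile:", name)
```

To scan a real file, pass the contents of /config/bigip.conf or /config/partitions/<name>/bigip.conf to find_affected_profiles; the scan assumes one statement per line, as in system-written config files.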


Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:

1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt             <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key              <==== changed to non-default
        rsa {
            cert /Common/kc.crt         <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key          <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:

    tmsh load sys conf

Fix Information


Behavior Change
