Bug ID 634407: Cert/key outside of cert-key-chain is changed to none after adding cert-key-chain into a clientSSL profile

Last Modified: Dec 07, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Opened: Dec 19, 2016

Severity: 3-Major

Symptoms

When multiple cert-key-chains are configured in a clientSSL profile, the cert and key outside of the cert-key-chain block can become none, as shown below.

ltm profile client-ssl ckc2 {
    app-service none
    cert none                      <================== none
    cert-key-chain {
        dsa1 {
            cert dsa1.crt
            key dsa1.key
        }
        rsa1 {
            cert default.crt
            key default.key
        }
    }
    chain none
    defaults-from clientssl
    inherit-certkeychain false
    key none                       <================== none
    passphrase none
}

The cert and key outside of the cert-key-chain block are supposed to be the same as in the RSA cert-key-chain. In the above example, the cert and key that display as "none" are supposed to be "default.crt" and "default.key" respectively.

Impact

The impact varies. When this kind of configuration is seen, it could lead to config sync failure, upgrade failure, incorrect validation error, or no impact.

Conditions

Multiple cert-key-chains are configured in a clientSSL profile. For example, there could be one RSA cert-key-chain and one DSA cert-key-chain configured in the same clientSSL profile.

Workaround

Edit /config/bigip.conf and change the cert and key from none to the same values as in the RSA cert-key-chain, then run "tmsh load sys conf". The corrected profile looks like this:

ltm profile client-ssl ckc2 {
    app-service none
    cert default.crt               <======= changed from none
    cert-key-chain {
        dsa1 {
            cert dsa1.crt
            key dsa1.key
        }
        rsa1 {
            cert default.crt
            key default.key
        }
    }
    chain none
    defaults-from clientssl
    inherit-certkeychain false
    key default.key                <======= changed from none
    passphrase none
}
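Because an affected profile can sit silently in bigip.conf until a config sync or upgrade fails, it is worth checking for the pattern before those operations. The following Python script is an added example, not F5 code: it parses the brace-structured profile text, flags client-ssl profiles that have more than one cert-key-chain, inherit-certkeychain false and a top-level cert or key of none, and rewrites those two lines from the RSA chain, as the workaround above does by hand. It assumes a line-oriented bigip.conf layout (one attribute per line, braces on their own lines or at line end) and picks the RSA chain by a name heuristic ("rsa" in the chain name); a profile where that heuristic is ambiguous is reported for manual review rather than patched. The sample configuration is constructed from the bug report.

```python
"""Detect and patch clientSSL profiles whose top-level cert/key collapsed to 'none'
beside multiple cert-key-chain entries (the pattern described in this bug report).
Added example, not F5 code. Assumes line-oriented bigip.conf formatting."""

from typing import Dict, Optional

# Constructed sample: the broken profile from the report plus one healthy profile.
SAMPLE_CONF = """ltm profile client-ssl ckc2 {
    app-service none
    cert none
    cert-key-chain {
        dsa1 {
            cert dsa1.crt
            key dsa1.key
        }
        rsa1 {
            cert default.crt
            key default.key
        }
    }
    chain none
    defaults-from clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl ok {
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    key default.key
}
"""


def parse_conf(text: str) -> dict:
    """Parse brace-structured config text into nested dicts.
    'name {' opens a block, '}' closes it, 'key value' is a leaf."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config text")
    return root


def pick_rsa_chain(chains: dict) -> Optional[str]:
    """Heuristic (assumption): the RSA chain is the single chain whose name
    contains 'rsa'. Returns None when zero or several names match."""
    matches = [name for name in chains if "rsa" in name.lower()]
    return matches[0] if len(matches) == 1 else None


def find_affected_profiles(conf: dict) -> Dict[str, Optional[str]]:
    """Map each affected client-ssl profile to the RSA chain name to copy from
    (None means the chain could not be identified and needs manual review)."""
    affected: Dict[str, Optional[str]] = {}
    for name, body in conf.items():
        if not name.startswith("ltm profile client-ssl ") or not isinstance(body, dict):
            continue
        chains = body.get("cert-key-chain")
        if not isinstance(chains, dict) or len(chains) < 2:
            continue  # bug only appears with multiple cert-key-chains
        if body.get("inherit-certkeychain", "false") != "false":
            continue  # inherited cert/key are expected to read as none
        if body.get("cert") != "none" and body.get("key") != "none":
            continue  # top-level cert and key both populated: healthy
        affected[name] = pick_rsa_chain(chains)
    return affected


def patch_conf_text(text: str) -> str:
    """Return the config text with 'cert none' / 'key none' at the top level of each
    affected profile replaced by the RSA chain's cert and key, preserving indentation."""
    conf = parse_conf(text)
    affected = find_affected_profiles(conf)
    out, depth, current = [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            name = line[:-1].strip()
            if depth == 0 and affected.get(name):
                current = name  # entering an affected profile with a known RSA chain
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif current and depth == 1:  # top-level attribute of an affected profile
            rsa = conf[current]["cert-key-chain"][affected[current]]
            indent = raw[: len(raw) - len(raw.lstrip())]
            if line == "cert none":
                raw = f"{indent}cert {rsa['cert']}"
            elif line == "key none":
                raw = f"{indent}key {rsa['key']}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for profile, chain in find_affected_profiles(parse_conf(SAMPLE_CONF)).items():
        print(f"{profile}: cert/key none; RSA chain = {chain or 'UNKNOWN, review manually'}")
    print(patch_conf_text(SAMPLE_CONF))
```

Run it against a copy of /config/bigip.conf (read the file into `patch_conf_text` instead of `SAMPLE_CONF`) and diff the output against the original before copying it back and running the `tmsh load sys conf` step from the workaround; the script deliberately touches nothing inside the cert-key-chain block itself.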

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips