Bug ID 669917: Upgrade failure at Client SSL profile "cannot contain more than one set of same certificate/key type."

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
14.0.0

Opened: Jun 19, 2017

Severity: 3-Major

Symptoms

During an upgrade, the clientssl profile /Common/crypto-server-default-clientssl might have an invalid structure: it contains two RSA cert-key-chain entries and has no cert and key outside the cert-key-chain block, so it fails validation during the upgrade. For example, the following stanza has the invalid structure:

    ltm profile client-ssl /Common/crypto-server-default-clientssl {
        app-service none
        cache-size 0
        cert-key-chain {
            default {                <========== the 1st RSA cert-key-chain
                cert /Common/default.crt
                key /Common/default.key
            }
            default_SHA2 {           <========== the 2nd RSA cert-key-chain
                cert /Common/default_SHA2.crt
                key /Common/default_SHA2.key
            }
        }
        ciphers DHE-RSA-AES256-GCM-SHA384
        defaults-from /Common/clientssl
        inherit-certkeychain false
        renegotiate-period 21600
    }

Impact

Upgrade failure at Client SSL profile "cannot contain more than one set of same certificate/key type."

Conditions

1. The system is being upgraded from a version that is greater than or equal to 11.6.0, where the clientSSL profile /Common/crypto-server-default-clientssl was introduced.
2. The user has customized configuration on the clientSSL profile /Common/crypto-server-default-clientssl, i.e., /Common/crypto-server-default-clientssl appears in the /config/bigip.conf file.

Workaround

The workaround is to remove the additional default certkeychain and manually add "cert xxxxxxxx" and "key xxxxxxxxx". In particular, modify /config/bigip.conf and change the profile to:

    ltm profile client-ssl /Common/crypto-server-default-clientssl {
        app-service none
        cache-size 0
        cert /Common/default_SHA2.crt    <======== add this
        cert-key-chain {
            default_SHA2 {               <=========== leave only one RSA certkeychain here
                cert /Common/default_SHA2.crt
                key /Common/default_SHA2.key
            }
        }
        ciphers DHE-RSA-AES256-GCM-SHA384
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key /Common/default_SHA2.key     <========= add this
        renegotiate-period 21600
    }

Then run "tmsh load sys conf" again.
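A pre-upgrade check for the structure described above, as an added example (not F5 code): it reads bigip.conf-style text, finds the profile stanza, and reports more than one cert-key-chain entry or a missing top-level cert/key. It assumes the one-statement-per-line layout of bigip.conf; the function names are hypothetical, and because the key type is not visible in the stanza, multiple entries are reported for manual review rather than as a confirmed duplicate RSA pair.

```python
PROFILE = "/Common/crypto-server-default-clientssl"  # profile named in this bug

def parse_block(lines, i):
    """Parse the lines after an opening '{' into a dict; return (dict, next index)."""
    node = {}
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        if line == "}":
            break
        if line.endswith("{"):
            child, i = parse_block(lines, i)
            node[line[:-1].strip()] = child
        elif line:
            key, _, value = line.partition(" ")
            node[key] = value.strip()
    return node, i

def check_profile(conf_text, name=PROFILE):
    """Return findings for the named client-ssl stanza; [] means nothing to fix."""
    lines = conf_text.splitlines()
    header = "ltm profile client-ssl " + name + " {"
    starts = [i for i, l in enumerate(lines) if l.strip() == header]
    if not starts:
        return []  # stanza absent from bigip.conf: condition 2 is not met
    prof, _ = parse_block(lines, starts[0] + 1)
    findings = []
    chain = prof.get("cert-key-chain")
    if isinstance(chain, dict) and len(chain) > 1:  # key type not visible here
        findings.append("cert-key-chain entries: " + ", ".join(chain))
    findings += ["missing top-level " + f for f in ("cert", "key") if f not in prof]
    return findings

# Constructed sample input: the failing stanza from this page, abbreviated.
BROKEN = """\
ltm profile client-ssl /Common/crypto-server-default-clientssl {
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
        default_SHA2 {
            cert /Common/default_SHA2.crt
            key /Common/default_SHA2.key
        }
    }
}
"""

if __name__ == "__main__":
    print(check_profile(BROKEN))
```

To check a real system before upgrading, pass the contents of /config/bigip.conf to check_profile(); an empty list means the stanza is either absent or already in the corrected form.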

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips