Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP Install/Upgrade, TMOS
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
14.0.0
Opened: Jun 19, 2017 Severity: 3-Major
During an upgrade, the clientssl profile /Common/crypto-server-default-clientssl might have the wrong structure: it contains two RSA cert-key-chain entries and has no cert and key outside the cert-key-chain block, so it fails validation during the upgrade. For example, the following profile has the wrong structure:

    ltm profile client-ssl /Common/crypto-server-default-clientssl {
        app-service none
        cache-size 0
        cert-key-chain {
            default {    <========== the 1st RSA cert-key-chain
                cert /Common/default.crt
                key /Common/default.key
            }
            default_SHA2 {    <========== the 2nd RSA cert-key-chain
                cert /Common/default_SHA2.crt
                key /Common/default_SHA2.key
            }
        }
        ciphers DHE-RSA-AES256-GCM-SHA384
        defaults-from /Common/clientssl
        inherit-certkeychain false
        renegotiate-period 21600
    }
The upgrade fails at the Client SSL profile with the error "cannot contain more than one set of same certificate/key type."
1. The system is being upgraded from a version that is greater than or equal to 11.6.0, where the clientSSL profile /Common/crypto-server-default-clientssl was introduced.
2. The user has customized configuration on the clientSSL profile /Common/crypto-server-default-clientssl, i.e., /Common/crypto-server-default-clientssl appears in the /config/bigip.conf file.
The workaround is to remove the additional default certkeychain and manually add "cert xxxxxxxx" and "key xxxxxxxxx". In particular, modify /config/bigip.conf and change the profile to:

    ltm profile client-ssl /Common/crypto-server-default-clientssl {
        app-service none
        cache-size 0
        cert /Common/default_SHA2.crt    <======== add this
        cert-key-chain {
            default_SHA2 {    <=========== leave only one RSA certkeychain here
                cert /Common/default_SHA2.crt
                key /Common/default_SHA2.key
            }
        }
        ciphers DHE-RSA-AES256-GCM-SHA384
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key /Common/default_SHA2.key    <========= add this
        renegotiate-period 21600
    }

Then run "tmsh load sys conf" again.
None
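A pre-upgrade check for the profile structure described above, as an added example that is not F5 code: it scans bigip.conf text for client-ssl profiles that have more than one cert-key-chain entry and lack a cert or key outside that block. The function names and the sample text are constructed here; it assumes one statement per line, and it cannot tell RSA from other key types, so a hit means the profile needs manual review.

```python
import re

# Constructed sample in bigip.conf layout, mirroring the failing profile above.
SAMPLE = """\
ltm profile client-ssl /Common/crypto-server-default-clientssl {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
        default_SHA2 {
            cert /Common/default_SHA2.crt
            key /Common/default_SHA2.key
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
}
"""

HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")

def audit_clientssl(conf_text):
    """Map each client-ssl profile to its chain entry names and top-level cert/key."""
    report, profile, depth, in_chain = {}, None, 0, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if profile is None:                      # outside any client-ssl stanza
            m = HEADER.match(line)
            if m:
                profile, depth = m.group(1), 1
                report[profile] = {"chains": [], "top_level": set()}
            continue
        if line.endswith("{"):                   # a nested block opens
            if depth == 1:
                in_chain = line.startswith("cert-key-chain")
            elif depth == 2 and in_chain:        # named entry inside cert-key-chain
                report[profile]["chains"].append(line[:-1].strip())
            depth += 1
        elif line == "}":                        # a block closes
            depth -= 1
            in_chain = in_chain and depth > 1
            if depth == 0:
                profile = None
        elif depth == 1 and line.split(" ")[0] in ("cert", "key"):
            report[profile]["top_level"].add(line.split(" ")[0])
    return report

def needs_review(entry):
    """True when several chain entries exist and cert/key is missing outside the block."""
    return len(entry["chains"]) > 1 and not {"cert", "key"} <= entry["top_level"]
```

Run `audit_clientssl()` on the contents of /config/bigip.conf before the upgrade and inspect every profile for which `needs_review()` returns True.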