Symptoms

When upgrading the system, the clientssl profile /Common/crypto-server-default-clientssl might have contained a wrong structure, where it has two of RSA cert-key-chain and without cert and key outside of cert-key-chain block, and hence fails the validation during the upgrade. For example, below is the case of the wrong structure. ltm profile client-ssl /Common/crypto-server-default-clientssl { app-service none cache-size 0 cert-key-chain { default { <========== the 1st RSA cert-key-chain cert /Common/default.crt key /Common/default.key } default_SHA2 { <========== the 2nd RSA cert-key-chain cert /Common/default_SHA2.crt key /Common/default_SHA2.key } } ciphers DHE-RSA-AES256-GCM-SHA384 defaults-from /Common/clientssl inherit-certkeychain false renegotiate-period 21600 }

Impact

Upgrade failure at Client SSL profile "cannot contain more than one set of same certificate/key type."

Conditions

1. The system is being upgraded from a version that is greater than or equal to 11.6.0, where the clientSSL profile /Common/crypto-server-default-clientssl was introduced. 2. The user has customized configuration on the clientSSL profile /Common/crypto-server-default-clientssl, i.e., /Common/crypto-server-default-clientssl appears in the /config/bigip.conf file.

Workaround

The workaround is to remove the additional default certkeychain and manually add "cert xxxxxxxx" and "key xxxxxxxxx". In particular, modify /config/bigip.conf and change the profile to ltm profile client-ssl /Common/crypto-server-default-clientssl { app-service none cache-size 0 cert /Common/default_SHA2.crt <======== add this cert-key-chain { default_SHA2 { <=========== leave only one RSA certkeychin here cert /Common/default_SHA2.crt key /Common/default_SHA2.key } } ciphers DHE-RSA-AES256-GCM-SHA384 defaults-from /Common/clientssl inherit-certkeychain false key /Common/default_SHA2.key <========= add this renegotiate-period 21600 } and then do "tmsh load sys conf" again.

Fix Information

None

Behavior Change