Bug ID 747799: 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.4

Fixed In:
15.0.0

Opened: Oct 24, 2018

Severity: 3-Major

Symptoms

During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file. This occurs as a result of an invalid configuration that can be created by a bug (614675) that exists in 11.5.4-HF2 (and only in 11.5.4-HF2). Because of the bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:

ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { }                 <=============== empty cert-key-chain
        defualt_rsa_ckc {      <==== typo: 'defualt'
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none
}

Note: This upgrade failure has a unique symptom: the typo 'defualt_rsa_ckc'. However, the name itself has no negative impact; the issue is with the empty cert-key-chain. After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.

Impact

After upgrade, the configuration fails to load. The system posts an error message similar to the following:

-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed.
-- Loading schema version: 11.5.4
Loading schema version: 13.1.0.8
01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Conditions

The issue occurs when all the following conditions are met:
-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.

Workaround

You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2) or after the upgrade failure. To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although this typo has no negative consequences, correcting it is still a good idea.

The new profile should appear similar to the following:

ltm profile client-ssl /Common/cssl {
    app-service none
    cert /Common/default.crt
    chain none
    cert-key-chain {
        default_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key /Common/default.key
}
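The following is an added example, not code from F5 or from this bug record, of a pre-upgrade audit that applies the four workaround steps above to a copy of bigip.conf. It assumes the layout shown on this page: each top-level object opens with a line such as ltm profile client-ssl <name> { and closes with a lone } at column 0, so brace counting is enough to delimit a profile. The sample configuration embedded in the script is constructed to reproduce the invalid profile from the Symptoms section next to a healthy one; the cert and key names substituted for 'none' default to /Common/default.crt and /Common/default.key as in the workaround but can be passed in. The script does not add the chain none line shown in the expected profile, and its output is meant to be reviewed and then copied into place, not written over the live file.

```python
import re
import sys

# Constructed sample bigip.conf excerpt: the invalid profile from the bug report
# ('"" { }' entry, 'cert none', 'key none', 'defualt' typo) plus a healthy profile
# that the repair must leave untouched.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { }
        defualt_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none
}
ltm profile client-ssl /Common/good {
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key /Common/default.key
}
"""

PROFILE_START = re.compile(r'^ltm profile client-ssl (\S+) \{\s*$')
EMPTY_CKC_ENTRY = re.compile(r'^\s*""\s*\{\s*\}\s*$')  # the '"" { }' line


def segment_conf(conf_text):
    """Split config text into ('other', None, lines) and ('client-ssl', name, lines)
    segments. Assumes a top-level object closes when brace depth returns to 0."""
    segments, buf, name, depth = [], [], None, 0
    for line in conf_text.splitlines():
        if name is None:
            m = PROFILE_START.match(line)
            if m:
                if buf:
                    segments.append(('other', None, buf))
                name, buf, depth = m.group(1), [line], 1
            else:
                buf.append(line)
            continue
        buf.append(line)
        depth += line.count('{') - line.count('}')
        if depth == 0:
            segments.append(('client-ssl', name, buf))
            name, buf = None, []
    if buf:
        segments.append(('other', None, buf))
    return segments


def has_empty_cert_key_chain(lines):
    """True when the profile carries the empty cert-key-chain entry that breaks config load."""
    return any(EMPTY_CKC_ENTRY.match(line) for line in lines)


def audit(conf_text):
    """Names of client-ssl profiles that will fail to load after the upgrade."""
    return [name for kind, name, lines in segment_conf(conf_text)
            if kind == 'client-ssl' and has_empty_cert_key_chain(lines)]


def repair_profile(lines, cert='/Common/default.crt', key='/Common/default.key'):
    """Apply the four workaround steps to one affected profile block."""
    fixed = []
    for line in lines:
        if EMPTY_CKC_ENTRY.match(line):
            continue                          # step 3: drop the '"" { }' line
        indent = line[:len(line) - len(line.lstrip())]
        body = line.strip()
        if body == 'cert none':
            line = f'{indent}cert {cert}'     # step 1
        elif body == 'key none':
            line = f'{indent}key {key}'       # step 2
        fixed.append(line.replace('defualt', 'default'))  # step 4
    return fixed


def repair_conf(conf_text, cert='/Common/default.crt', key='/Common/default.key'):
    """Return the config with affected profiles repaired; all other text passes through unchanged."""
    out = []
    for kind, name, lines in segment_conf(conf_text):
        if kind == 'client-ssl' and has_empty_cert_key_chain(lines):
            out.extend(repair_profile(lines, cert, key))
        else:
            out.extend(lines)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Usage: python audit_cssl.py /path/to/copy/of/bigip.conf > bigip.conf.repaired
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name in audit(text):
        print(f'affected client-ssl profile: {name}', file=sys.stderr)
    sys.stdout.write(repair_conf(text))
```

Run without arguments the script audits and repairs the embedded sample; run with a path it reports each affected profile on stderr and writes the repaired configuration to stdout, which leaves the decision to replace /config/bigip.conf and reload with a human.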

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips