Bug ID 807837: Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.

Last Modified: Aug 12, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 15.0.0, 15.0.1

Opened: Jul 21, 2019
Severity: 3-Major

Symptoms

Upgrade failure when loading configuration file or ucs from older version, with the below error message against child client-ssl profile: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.

Impact

Unable to upgrade the system with old configuration.

Conditions

The issue occurs when all of the following conditions are met: -- When upgrading from an older version (earlier than 14.0.0) to a newer version (14.1.0 or later). -- The configuration has a child client SSL profile that inherits from a parent client SSL profile. -- The parent SSL profile has SSL forward proxy enabled and proxy-ca-cert/proxy-ca-key configured.

Workaround

You can workaround this issue using the following procedure: 1. Manually edit /config/bigip.conf to add the following lines: proxy-ca-cert /Common/rsa.crt proxy-ca-key /Common/rsa.key 2. Reload the configuration using the following command: tmsh load sys config Here is an example: ltm profile client-ssl /Common/child { app-service none cert /Common/default.crt cert-key-chain { default { cert /Common/default.crt key /Common/default.key } } chain none defaults-from /Common/parent inherit-certkeychain true key /Common/default.key passphrase none proxy-ca-cert /Common/rsa.crt <===== add this line proxy-ca-key /Common/rsa.key <===== add this line }

Fix Information

None

Behavior Change