Bug ID 807837: Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,, 15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,

Opened: Jul 21, 2019
Severity: 3-Major


Upgrade failure when loading configuration file or ucs from older version, with the below error message against child client-ssl profile: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.


Unable to upgrade the system with old configuration.


The issue occurs when all of the following conditions are met: -- When upgrading from an older version (earlier than 14.0.0) to a newer version (14.1.0 or later). -- The configuration has a child client SSL profile that inherits from a parent client SSL profile. -- The parent SSL profile has SSL forward proxy enabled and proxy-ca-cert/proxy-ca-key configured.


You can workaround this issue using the following procedure: 1. Manually edit /config/bigip.conf to add the following lines: proxy-ca-cert /Common/rsa.crt proxy-ca-key /Common/rsa.key 2. Reload the configuration using the following command: tmsh load sys config Here is an example: ltm profile client-ssl /Common/child { app-service none cert /Common/default.crt cert-key-chain { default { cert /Common/default.crt key /Common/default.key } } chain none defaults-from /Common/parent inherit-certkeychain true key /Common/default.key passphrase none proxy-ca-cert /Common/rsa.crt <===== add this line proxy-ca-key /Common/rsa.key <===== add this line }

Fix Information


Behavior Change