Issue
Starting in BIG-IP 11.5.0, you can associate multiple SSL certificate/key pair types with a single SSL profile. This configuration allows the virtual server to accept SSL connections from clients supporting newer cryptographic algorithms (such as ECC), while continuing to accept connections from clients supporting traditional algorithms[1].
However, with this new feature you cannot associate multiple certificate/key pairs of the same type within a single profile. If certificate/key pairs of the same type are assigned to the same SSL profile, the F5 is unable to load the configuration and returns the following error message:
Client SSL profile cannot contain more than one set of same certificate/key type
Solution
To resolve the issue, remove the additional cert/key pair from the SSL profile. In the profile below, the lines marked with - are the ones to remove:
ltm profile client-ssl /Common/fir3net.com-2016 {
    app-service none
    cert-key-chain {
-        default {
-            cert /Common/default.crt
-            key /Common/default.key
-        }
        fir3net.com-certkey {
            cert /Common/fir3net.com-2016.crt
            chain /Common/VeriSignClass3-InternationalServerCA-G3.crt
            key /Common/fir3net.com-2016.key
        }
    }
    defaults-from /Common/clientssl
}
To validate the configuration against this issue, the following command can be used from within TMSH. This is recommended prior to performing any upgrades from v11.5.x.
load sys config verify
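An offline pre-check for the same condition, as an added example (not code from the article or from F5): it parses client-ssl profiles out of bigip.conf-style text and reports any profile whose cert-key-chain holds more than one certificate of the same key type. The function names, the sample text and the KEY_TYPES map are assumptions; the configuration does not state key types, so they must be gathered separately by inspecting each certificate.

```python
import re
from collections import Counter

# Constructed sample: the article's profile before the "default" entry is removed.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/fir3net.com-2016 {
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
        fir3net.com-certkey {
            cert /Common/fir3net.com-2016.crt
            chain /Common/VeriSignClass3-InternationalServerCA-G3.crt
            key /Common/fir3net.com-2016.key
        }
    }
    defaults-from /Common/clientssl
}
"""

# Assumption: key type per certificate, gathered separately; values are constructed.
KEY_TYPES = {"/Common/default.crt": "RSA", "/Common/fir3net.com-2016.crt": "RSA"}

def block_end(text, open_idx):
    """Return the index of the '}' matching the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return i
    raise ValueError("unbalanced braces")

def duplicate_key_types(conf, key_types):
    """Map profile name -> key types held by more than one cert-key-chain entry."""
    findings = {}
    for m in re.finditer(r"ltm profile client-ssl (\S+) \{", conf):
        body = conf[m.end() - 1 : block_end(conf, m.end() - 1)]
        chain = re.search(r"cert-key-chain \{", body)
        if not chain:
            continue
        entries = body[chain.end() : block_end(body, chain.end() - 1)]
        certs = re.findall(r"^\s*cert (\S+)", entries, re.M)
        # Certificates missing from key_types are grouped as "unknown" for review.
        counts = Counter(key_types.get(c, "unknown") for c in certs)
        dupes = sorted(t for t, n in counts.items() if n > 1)
        if dupes:
            findings[m.group(1)] = dupes
    return findings
```

Calling duplicate_key_types(SAMPLE_CONF, KEY_TYPES) flags /Common/fir3net.com-2016 for RSA; the result is empty once the two entries have different key types or the extra entry is removed.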
References
[1] https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html