Forum Discussion
010717e1:3: Client SSL profile cannot contain more than one set of same certificate/key type.
When I reboot my VE LTM I get this error and no configuration is loaded.
Can anyone tell me what it means or how to fix it?
Thanks.
Bob
6 Replies
- Kevin_Stewart
Employee
Somehow or another you have two cert/key pairs (of the same cipher type) in a client SSL profile. Does the error message say which one? If so, you should be able to look at it from the command line:
    tmsh list ltm profile client-ssl [profile name]
And then modify it accordingly:
    tmsh modify ltm profile client-ssl [profile name] cert [cert name] key [key name]
- Bob_Z_148422
Nimbostratus
When I try to list the client-ssl certificates I get a not found error. I assume this is because the configuration is not loaded (because it fails).
This is the client-ssl parts of the big-ip.config file.
Can anyone tell me what's wrong with it please?
Bob
    ltm profile client-ssl /Common/Exchange-2013.app/Exchange-2013_clientssl {
        app-service /Common/Exchange-2013.app/Exchange-2013
        cert /Common/my.crt
        cert-key-chain {
            my_my {
                app-service /Common/Exchange-2013.app/Exchange-2013
                cert /Common/my.crt
                chain /Common/my.crt
                key /Common/my.key
            }
        }
        defaults-from /Common/clientssl
        key /Common/my.key
    }
    ltm profile client-ssl /Common/clientssl {
        alert-timeout 10
        allow-non-ssl disabled
        app-service none
        authenticate once
        authenticate-depth 9
        ca-file none
        cache-size 262144
        cache-timeout 3600
        cert /Common/my.crt
        cert-extension-includes { basic-constraints subject-alternative-name }
        cert-key-chain {
            my {
                cert /Common/my.crt
                chain /Common/my.crt
                key /Common/my.key
            }
        }
        cert-lifespan 30
        cert-lookup-by-ipaddr-port disabled
        chain /Common/my.crt
        ciphers DEFAULT
        client-cert-ca none
        crl-file none
        generic-alert enabled
        handshake-timeout 10
        key /Common/my.key
        mod-ssl-methods disabled
        mode enabled
        options { dont-insert-empty-fragments }
        passphrase none
        peer-cert-mode ignore
        proxy-ca-cert none
        proxy-ca-key none
        proxy-ssl disabled
        renegotiate-max-record-delay indefinite
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        retain-certificate true
        secure-renegotiation require
        server-name none
        session-ticket disabled
        sni-default false
        sni-require false
        ssl-forward-proxy disabled
        ssl-forward-proxy-bypass disabled
        ssl-sign-hash any
        strict-resume disabled
        unclean-shutdown enabled
    }
    ltm profile client-ssl /Common/wts-gateway-client-ssl {
        app-service none
        cert-key-chain {
            my {
                cert /Common/my.crt
                chain /Common/my.crt
                key /Common/my.key
            }
        }
        defaults-from /Common/clientssl
        inherit-certkeychain true
    }
- Bob_Z_148422
Nimbostratus
Formatted to make it easier to view, hopefully.
    ltm profile client-ssl /Common/Exchange-2013.app/Exchange-2013_clientssl {
        app-service /Common/Exchange-2013.app/Exchange-2013
        cert /Common/my.crt
        cert-key-chain {
            my_my {
                app-service /Common/Exchange-2013.app/Exchange-2013
                cert /Common/my.crt
                chain /Common/my.crt
                key /Common/my.key
            }
        }
        defaults-from /Common/clientssl
        key /Common/my.key
    }
    ltm profile client-ssl /Common/clientssl {
        alert-timeout 10
        allow-non-ssl disabled
        app-service none
        authenticate once
        authenticate-depth 9
        ca-file none
        cache-size 262144
        cache-timeout 3600
        cert /Common/my.crt
        cert-extension-includes { basic-constraints subject-alternative-name }
        cert-key-chain {
            my {
                cert /Common/my.crt
                chain /Common/my.crt
                key /Common/my.key
            }
        }
        cert-lifespan 30
        cert-lookup-by-ipaddr-port disabled
        chain /Common/my.crt
        ciphers DEFAULT
        client-cert-ca none
        crl-file none
        generic-alert enabled
        handshake-timeout 10
        key /Common/my.key
        mod-ssl-methods disabled
        mode enabled
        options { dont-insert-empty-fragments }
        passphrase none
        peer-cert-mode ignore
        proxy-ca-cert none
        proxy-ca-key none
        proxy-ssl disabled
        renegotiate-max-record-delay indefinite
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        retain-certificate true
        secure-renegotiation require
        server-name none
        session-ticket disabled
        sni-default false
        sni-require false
        ssl-forward-proxy disabled
        ssl-forward-proxy-bypass disabled
        ssl-sign-hash any
        strict-resume disabled
        unclean-shutdown enabled
    }
    ltm profile client-ssl /Common/wts-gateway-client-ssl {
        app-service none
        cert-key-chain {
            my {
                cert /Common/my.crt
                chain /Common/my.crt
                key /Common/my.key
            }
        }
        defaults-from /Common/clientssl
        inherit-certkeychain true
    }
- Kevin_Stewart
Employee
It's generally best practice to not alter the base clientssl profile, but other than that I don't see anything strikingly incorrect. At this point I would probably delete these clientssl profiles completely, get the box to come back online, and then recreate them.
- Pedro_Haoa
Ret. Employee
Hi,
I had the same error.
In this case the cert /Common/my.crt has the same name as the chain /Common/my.crt.
Normally this is not a problem. In fact, 11.5 onwards supports it. But in some circumstances the load config error appears.
To workaround this, I separated the certificate from the key and chain (no bundle), then I reconfigured the client SSL profile and after that, the configuration load worked.
- E_297741
Nimbostratus
I was very happy to find this thread. We had a similar issue where the bigip.conf would not load. I edited the cert-key-chain section under
ltm profile client-ssl /Common/clientssl
to the below, and then I was able to load the configuration file and get the system back online:
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
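The thread gives two things to look for when this error blocks a config load: more than one cert/key set of the same key type inside one client SSL profile (what the 010717e1:3 message itself names), and a cert-key-chain entry whose cert and chain point at the same file (what Pedro found). The checker below is an added example, not F5 tooling and not code from anyone in this thread: it parses the brace syntax of the `ltm profile client-ssl` stanzas from a bigip.conf excerpt and reports both conditions per profile. The embedded sample config is constructed from Bob's Exchange profile plus a hypothetical `/Common/hypothetical-dup-rsa` profile carrying two RSA pairs; the `KEY_TYPES` lookup is constructed too, since offline code cannot inspect the key files. It deliberately does not model `defaults-from` / `inherit-certkeychain` inheritance between profiles, so run it on the expanded profile you actually want to check.

```python
"""Added example (not F5 tooling): parse the tmsh-style 'ltm profile client-ssl'
stanzas of a bigip.conf excerpt and flag the two conditions discussed above:
  1. more than one cert-key-chain entry of the same key type in one profile
     (the condition error 010717e1:3 names), and
  2. an entry whose cert and chain point at the same file (Pedro's observation).
"""
from collections import Counter
import re

# Constructed sample: Bob's Exchange profile (cert == chain) plus a hypothetical
# profile that holds two RSA cert/key pairs.
SAMPLE_CONF = """
ltm profile client-ssl /Common/Exchange-2013.app/Exchange-2013_clientssl {
    app-service /Common/Exchange-2013.app/Exchange-2013
    cert /Common/my.crt
    cert-key-chain {
        my_my {
            app-service /Common/Exchange-2013.app/Exchange-2013
            cert /Common/my.crt
            chain /Common/my.crt
            key /Common/my.key
        }
    }
    defaults-from /Common/clientssl
    key /Common/my.key
}
ltm profile client-ssl /Common/hypothetical-dup-rsa {
    cert-key-chain {
        set1 { cert /Common/site-a.crt chain /Common/ca-bundle.crt key /Common/site-a.key }
        set2 { cert /Common/site-b.crt chain /Common/ca-bundle.crt key /Common/site-b.key }
    }
    defaults-from /Common/clientssl
    options { dont-insert-empty-fragments }
}
"""

# Constructed lookup of key algorithm per key object. On a real unit, read it from
# the key files (e.g. 'openssl pkey -noout -text') instead of hard-coding it.
KEY_TYPES = {"/Common/my.key": "rsa", "/Common/site-a.key": "rsa", "/Common/site-b.key": "rsa"}

TOKEN = re.compile(r"\{|\}|[^\s{}]+")


def parse_block(tokens, pos):
    """Parse tokens after an opening '{' up to the matching '}'.
    Returns ({'_words': [...], <name>: <sub-block>, ...}, position after '}').
    Words stay flat; the consumer decides whether they are attribute/value pairs
    or a bare list such as 'options { dont-insert-empty-fragments }'."""
    block = {"_words": []}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return block, pos + 1
        if pos + 1 < len(tokens) and tokens[pos + 1] == "{":
            block[tok], pos = parse_block(tokens, pos + 2)   # nested block
        else:
            block["_words"].append(tok)
            pos += 1
    raise ValueError("unbalanced braces")


def parse_conf(text):
    """Return {profile name: block} for every 'ltm profile client-ssl' stanza."""
    tokens = TOKEN.findall(text)
    profiles, pos = {}, 0
    while pos < len(tokens):
        start = pos
        while tokens[pos] != "{":          # stanza header: the words before '{'
            pos += 1
        header = tokens[start:pos]
        block, pos = parse_block(tokens, pos + 1)
        if header[:3] == ["ltm", "profile", "client-ssl"]:
            profiles[header[3]] = block
    return profiles


def pairs(block):
    """Interpret a block's flat words as 'attribute value' pairs."""
    words = block["_words"]
    return dict(zip(words[0::2], words[1::2]))


def check_profile(name, block, key_types=KEY_TYPES):
    """Findings for one profile, as human-readable strings."""
    findings, by_type = [], Counter()
    for entry_name, entry in block.get("cert-key-chain", {}).items():
        if entry_name == "_words":
            continue
        attrs = pairs(entry)
        if attrs.get("cert") and attrs.get("cert") == attrs.get("chain"):
            findings.append(f"{name}: entry '{entry_name}' uses {attrs['cert']} as both cert and chain")
        by_type[key_types.get(attrs.get("key"), "unknown")] += 1
    for ktype, n in by_type.items():
        if n > 1:
            findings.append(f"{name}: {n} cert-key-chain entries of key type {ktype}")
    return findings


def check_conf(text, key_types=KEY_TYPES):
    return [f for name, block in parse_conf(text).items()
            for f in check_profile(name, block, key_types)]


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print(finding)
```

Feed it the `ltm profile client-ssl` stanzas copied out of bigip.conf (the whole file is fine; other stanzas are parsed and ignored). A profile that shows two entries of one key type is the one to fix with Kevin's `tmsh modify` step; an entry that reuses the cert file as its chain is the one Pedro's workaround addresses by splitting the chain into its own file.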