Forum Discussion
Tuomas_Jormola_
Nimbostratus
NimbostratusChanging certificates and keys of an SSL profile with LocalLB ProfileClientSSL set_certificate_file, set_key_file
Hello,
I'd like to use LocalLB::ProfileClientSSL::set_certificate_file/set_key_file methods to change the certificate and key assigned to an SSL profile. But when I first call set_certificate_file, it'll fail with exception "01070317:3: profile test's key and certificate do not match". The same exception can be seen with the web admin UI by changing only either certificate or key using the popup menu and submitting the form.
Can you build transactions consisting of multiple request/response pairs when communicating with a F5 BIG-IP LTM using iControl, sort of like how transactions are known in the field of relational databases? Or is there a way to combine invokations of both set_certificate_file and set_key_file into one SOAP request? Or how is one supposed to use these methods? I'm using Perl and SOAP::Lite. Thanks.
- All iControl calls are isolated transactions. There is no way to bulk them up and issue them all at once with automatic rollback if one of the methods fail. You'll have to build that logic into your management application.
I'll have to dig into the implementation but it might be that you'll have to blank out the certificate and key before you assign new ones. I'll verify this and let you know.
-Joe - I was told by one of the developers that this used to work but that additional validation code has been added that makes the methods not work as expected. We've created a CR to add a new method to supply both the certificate and key to avoid this issue. If you require a Hotfix, I'd suggest you open a support ticket with Product Support. Otherwise, it will make it in the next release.
-Joe 
Tuomas_Jormola_Ok. I think we're waiting for the next release. Will it be fixed in both maintenance and feature releases?
Perhaps there're other similar cases in the API where you can't execute certain methods with some input even though it would make sense if combined with execution of some other method...
e_28390This is a very old thread, but it seems to be the only one that applies to my issue. Was the fix every released? I'm running 10.0.1 and can't seem to get this to work right.
andy_4939I have submitted a ticket to F5 for this issue as I cant get it to work at present either. I see no way of creating a new profile and binding a new key,passphrase, certificate to it in a single call. I will update with the response I get from F5.
Does anyone else know of any way around this as this is a really old thread and I would assume they know of this issue and would have fixed it ????
Tom_Duckering_9I'm seeing this problem too. Is there no way to work around this issue as upgrading to 11 is a pain in the neck.
shadab_8933I am also stuck with the same problem. Unable to modify key and cert of an existing client SSL profile.
- Todd_Cromwell_9V11 has a set_key_certificate_file method, which should solve the problem.
That method was also backported to 10.2.4 HF4.
If you are using v11+ you can also solve this using a transaction.
