Forum Discussion
AltostratusClient-SSL Profile Error: "SSL forward proxy RSA CA key is missing"??
I reproduced the error you observed on 14.1 using the data you posted. Which BIG-IP version are you using?
# curl -sku <user>:<pass> https://<mgmtIp>/mgmt/tm/ltm/profile/client-ssl -X POST \
-H "Content-type: application/json" -d@sat1
{"code":400,"message":"01071610:3: Profile /Common/cssl_my_default's SSL forward proxy RSA CA key is missing.","errorStack":[],"apiError":3}
(the file sat1 contains the data above).
If 14.1, remove tmOptions, proxyCaCert, proxyCaKey, proxySsl and proxySslPassthrough from your post data, and try again.
AltostratusAlso, regarding v.14 and tmOptions, apparently you have to use a cipher group if you want to disable "No TLSv1.3" (this is enabled by default). Here's why this is annoying:
1) "No TLSv1.3" isn't available in v.13, so if you use a cipher string in v.13 client SSL profiles instead of a cipher group, you can't migrate your profile to v.14 via the API without throwing an error saying that the option must be enabled if you aren't using a cipher group. You either have to add that option to the tmOptions value list or create the cipher group on your target BIG-IP beforehand.
2) If I'm not mistaken, you can recreate a cipher string as a cipher group, so your string and group could be virtually the same. Why would the system then require a cipher group if you don't want disable TLSv1.3?
