Forum Discussion
NimbostratusError creatin SSL profile
Hello, when creating a new ssl-client profile I get the following error: 01070315:3:profile /Common/web requires a key The import was successful. I used an p12 container for server, intermediate, and root certificate. I checked the container via openssl, the private key is inside. My assumption is that the private key and the server certificate do not match. But this cause a different error code:01070317:3 Version is v11.6.0
Any idea ?
12 Replies
Did you enter a password?
gamm_31377Do you mean the Phasephrase from the Profile ? I tested with and without. The private key from the container is crypted and I entered a the password during the Import. This is strange because I have a second certificate were I have no problems. I've compared both but I cannot see a difference.
Yes Phasephrase. Try changing the cert from .p12 to .pem format.
- gamm_31377
I converted the p12 in 2 pem files: openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
then I made a successfull import of both in one container. The F5 shows a valid RSA certificat & Key But creating a profile fails with the same error code.
Regards
kunjanHow about the similar output of the following cmds
openssl x509 -in /config/filestore/files_d/Common_d/certificate_d/:Common:perApp.crt_35651_1 -modulus -noout | openssl md5 (stdin)= 89c6832100fe205d2d0bc4f56b797e52 openssl rsa -in /config/filestore/files_d/Common_d/certificate_key_d/:Common:perApp.key_35654_1 -modulus -noout | openssl md5 (stdin)= 89c6832100fe205d2d0bc4f56b797e52- gamm_31377
[root@bigip-b:ModuleNotLicensed:Active:Changes Pending] config openssl x509 -in /config/filestore/files_d/Common_d/certificate_d/:Common:web.crt_53868_1 -modulus -noout | openssl md5 (stdin)= a7a4d26bd274e9b6896fd3e806b8a349 [root@bigip-b:ModuleNotLicensed:Active:Changes Pending] config openssl rsa -in /config/filestore/files_d/Common_d/certificate_d/:Common:web.crt_53868_1 -modulus -noout | openssl md5 unable to load Private Key 47934250019968:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY (stdin)= d41d8cd98f00b204e9800998ecf8427e
- kunjan
2nd cmd is for the key, may be like
openssl rsa -in /config/filestore/files_d/Common_d/certificate_key_d/:Common:web.key* -modulus -noout | openssl md5
- gamm_31377
Yes I see ! [root@bigip-b:ModuleNotLicensed:Active:Changes Pending] config openssl x509 -in /config/filestore/files_d/Common_d/certificate_d/:Common:web.crt_53868_1 -modulus -noout | openssl md5 (stdin)= a7a4d26bd274e9b6896fd3e806b8a349 [root@bigip-b:ModuleNotLicensed:Active:Changes Pending] config openssl rsa -in /config/filestore/files_d/Common_d/certificate_key_d/:Common:web.key_53864_1 -modulus -noout | openssl md5 (stdin)= a7a4d26bd274e9b6896fd3e806b8a349
- gamm_31377
After choosing the certificate and key I entered the add button. The textfield below shows now a default.key and I was able to create the profile.
- dialtone21_2256I just stumbled across this problem. The cert key chain works!
JGCumulonimbus
I had exactly the same issue after upgrading to v11.6.0 4 months ago. I was able to work around this using tmsh to create the SSL profile.
I did open a case with F5 Support, and was told I might need to rebuild the mcpd database, which I did a couple of months later when I needed to reboot the device. That fixed the problem.
However, the issue pops up now again. It seems that this happened when I created the profile in an unintended partition and then removed it to create it again in the /Common partition. From what I can see in /config/.trash_bin_d/, the removal did not do a clean job.
Is it safe to remove stuff in /config/.trash_bin_d/.backup_* directories manually?
