
JaiAgarwal
Jun 13, 2022

Error on Updating certificate on a client SSL profile using the REST API

Hi All,

I get the error response below when calling the API to update an SSL profile on an F5 device. I have already uploaded the cert and key successfully, but on updating the existing client SSL profile with the new cert and key I get an error.

URL: https://hostname/mgmt/tm/ltm/profile/client-ssl/~Common~profile_name?ver=15.1.2.1

PUT Body:

 

{
  "cert": "/Common/<client-ssl-profile-name>.crt",
  "key": "/Common/<client-ssl-profile-name>.key",
  "chain": "/Common/<client-ssl-profile-name>.crt",
  "passphrase": "<passphrase>"
}

 

Response:

 

{
  "code": 400,
  "message": "\"{ dont-insert-empty-fragments no-tlsv1.3 }\" unexpected argument",
  "errorStack": [],
  "apiError": 26214401
}

 

Please guide me on how to fix this.

Edit: I am using an Administrator account while calling the above PUT request to update client ssl profile with new cert and key.

4 Replies

  • xuwen

    Try using the PATCH method. This may be a bug: the existing SSL profile configuration cannot be updated. To activate the sni-default function of the SSL profile configuration, using the PATCH method works well, but an update using the POST method will fail.

    I also found this problem. I used the f5-sdk API to set an existing SSL profile named best-test2 and set its attribute sniDefault='true'. I used the update() function, which is equivalent to the iControl REST POST method, but when I use the modify() function, which is equivalent to the iControl REST PATCH method, it works correctly.

    But I find that when I edit its attribute tmOptions, both the update() and modify() functions fail and raise this error:

    HTTP 400 :: {"code":400,"message":"\"{ dont-insert-empty-fragments no-tlsv1.3 }\" unexpected argument","errorStack":[],"apiError":26214401}

    Looking at the BIG-IP audit log, I find that it creates this instruction. It is possible that the extra " in front of { causes the tmsh command line syntax error:

    modify ltm profile client-ssl /Common/bestpay-test2 { options "{ dont-insert-empty-fragments no-tlsv1.3 }" }
    The extra " in the tmsh command causes [Syntax Error: "{dont-insert-empty-fragments no-tlsv1.3}" 

    Running tmsh through Linux bash via the API can solve this problem.

  • After one year this problem still exists. I built a workaround in Postman. I defined a new variable in my environment settings. When creating a new SSL profile with a POST, I extract the name value and put it in the newly defined variable. After creating the profile I am sending a second POST with a tmsh command to change the SSL options of the freshly created SSL profile.

    Postman JavaScript Tests Script

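    // Parse the JSON response of the profile-creation POST
    const responseClientSslName = pm.response.json();
    console.log(responseClientSslName);
    // Store the new profile's name for the follow-up tmsh request
    pm.environment.set("f5clientsslname", responseClientSslName.name);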

     TMSH JSON code

    {
        "command":"run",
        "utilCmdArgs":"-c 'tmsh modify ltm profile client-ssl {{f5clientsslname}} options { dont-insert-empty-fragments }'"
    }

     Hope this helps a bit.
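
The tmsh workaround in the reply above places the profile name inside a shell command string, so the values should be validated before the request body is built. The following is an added example, not code from the thread or from F5; the function name `buildTmshOptionsBody` and both allowlist patterns are assumptions made for illustration.

```javascript
// Added example (not from the original thread): build the tmsh workaround
// body while refusing values that could alter the shell command.
// Assumption: profile names use only letters, digits, '.', '_' and '-',
// optionally prefixed with a /Partition/ path such as /Common/.
const NAME_RE = /^(\/[A-Za-z0-9._-]+\/)?[A-Za-z0-9][A-Za-z0-9._-]*$/;
// Assumption: option keywords look like the two seen in the error message
// (dont-insert-empty-fragments, no-tlsv1.3): lowercase, digits, '.', '-'.
const OPTION_RE = /^[a-z0-9][a-z0-9.-]*$/;

function buildTmshOptionsBody(profileName, options) {
  if (typeof profileName !== "string" || !NAME_RE.test(profileName)) {
    throw new Error("rejected profile name: " + JSON.stringify(profileName));
  }
  if (!Array.isArray(options) || options.length === 0) {
    throw new Error("options must be a non-empty array");
  }
  for (const opt of options) {
    if (typeof opt !== "string" || !OPTION_RE.test(opt)) {
      throw new Error("rejected option: " + JSON.stringify(opt));
    }
  }
  // Everything interpolated below has passed the allowlists, so it cannot
  // contain quotes, spaces, braces, ';', '$' or backticks.
  const tmsh = "tmsh modify ltm profile client-ssl " + profileName +
    " options { " + options.join(" ") + " }";
  return { command: "run", utilCmdArgs: "-c '" + tmsh + "'" };
}

// Constructed sample input: the profile name would normally come from the
// "name" field of the profile-creation response.
const body = buildTmshOptionsBody("/Common/example-profile",
  ["dont-insert-empty-fragments"]);
console.log(JSON.stringify(body, null, 4));
```

In Postman the same checks can run in a pre-request script before the stored name is substituted into the second request.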