Al_Estrellas
Nov 25, 2020

How to modify client-ssl on multiple VS using TMSH

Hi,

I was able to get the list of virtual servers using cert1, for example, by list and grep.

Now, I want to use TMSH to use the CLI in replacing client-ssl cert1 with cert2. If I have like 50 VS, how do I do that using modify on TMSH?

If I do modify /ltm virtual VSname profile add SSLname context clientside, I'm getting this error:

"vs has more than one clientssl/serverssl profile with same server name"

If I do delete, I'm getting this error:

"Syntax Error: "context" is a read-only property"

If I do replace-all-with, cert2 is configured but it wipes all other profiles, and I don't want to put in a lot of config to reconfigure all profiles in a VS.

Is there a one-line command I can use?

TIA

  • The command below should work to modify the SSL profile on the VS.

    tmsh modify ltm virtual [virtual server name] profiles add { [client-ssl profile name] }

    For the error that you are getting, do you have multiple client SSL profiles on your VS, with one of the profiles acting as the default SSL profile? Please refer to the articles below.

    https://cdn.f5.com/product/bugtracker/ID794493.html

    https://support.f5.com/csp/article/K05426346


    • Al_Estrellas

      The above solution did not do the trick even though I removed the chain, most likely because I am using the same key/certificate, just using a different SSL profile to do the test.

      I tried using a different key/certificate but also a different domain, and it worked. In the second week of December, I'll get the new/replacement cert and will test the procedure in the KB and see if it works on the same domain name with a different key/cert.

      Here are the commands for reference:

      modify /ltm virtual https_vs profiles add { newcert-clientssl {context clientside } }

      modify /ltm virtual https_vs profiles delete { oldcert-clientssl }

      I'll update this in December when I renew the cert and will use a different SSL profile.

      Thanks for the help.

      • Sean_B

        If you are running a script to swap the clientssl profile of a VIP, the below will work (you might need to have a standard where all clientssl profiles actually start with the word clientssl, though):

        modify /ltm virtual https_vs profiles delete { clientssl* }
        modify /ltm virtual https_vs profiles add { newcert-clientssl {context clientside } }
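
For the 50-virtual-server case in the question, the following added example (not part of the original thread, and not F5's own tooling) reads `tmsh list ltm virtual one-line` text and prints the delete-then-add pair from the replies above for every virtual server whose `profiles` block references the old profile. The profile names `cert1-clientssl` and `cert2-clientssl`, the function name `gen_swap_cmds`, and the sample listing are constructed for illustration; the script only prints commands and never runs tmsh.

```shell
#!/bin/sh
# Dry-run generator: prints tmsh commands, executes nothing on the BIG-IP.

# gen_swap_cmds OLD NEW
#   stdin: output of `tmsh list ltm virtual one-line` (one virtual per line)
gen_swap_cmds() {
    awk -v old="$1" -v new="$2" '
        $1 == "ltm" && $2 == "virtual" {
            inprof = 0; depth = 0; found = 0
            for (i = 4; i <= NF; i++) {
                if (!inprof) {
                    # Only look inside the "profiles { ... }" block.
                    if ($i == "profiles" && $(i + 1) == "{") inprof = 1
                    continue
                }
                if ($i == "{") depth++
                else if ($i == "}") { depth--; if (depth == 0) break }
                # Profile names sit at depth 1; exact match, so
                # cert1-clientssl does not match cert1-clientssl-old.
                else if (depth == 1 && $i == old) found = 1
            }
            if (!found) next
            printf "modify /ltm virtual %s profiles delete { %s }\n", $3, old
            printf "modify /ltm virtual %s profiles add { %s { context clientside } }\n", $3, new
        }'
}

# Constructed sample of one-line listing output (not from a real device).
SAMPLE_LIST='ltm virtual https_vs { destination 192.0.2.10:https ip-protocol tcp pool web_pool profiles { cert1-clientssl { context clientside } http { } tcp { } } source 0.0.0.0/0 }
ltm virtual api_vs { destination 192.0.2.11:https profiles { cert1-clientssl-old { context clientside } tcp { } } }
ltm virtual plain_vs { destination 192.0.2.12:http profiles { http { } tcp { } } }'

# Demo on the constructed sample; on a device, pipe the real listing in instead.
printf '%s\n' "$SAMPLE_LIST" | gen_swap_cmds cert1-clientssl cert2-clientssl
```

Review the printed lines before entering them in a tmsh session; between the delete and the add, a virtual server has no client-ssl profile attached.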