Forum Discussion

Tuomas_Jormola_
Mar 27, 2006

Changing certificates and keys of an SSL profile with LocalLB ProfileClientSSL set_certificate_file, set_key_file

Hello,

I'd like to use LocalLB::ProfileClientSSL::set_certificate_file/set_key_file methods to change the certificate and key assigned to an SSL profile. But when I first call set_certificate_file, it'll fail with exception "01070317:3: profile test's key and certificate do not match". The same exception can be seen with the web admin UI by changing only either certificate or key using the popup menu and submitting the form.

Can you build transactions consisting of multiple request/response pairs when communicating with an F5 BIG-IP LTM using iControl, sort of like how transactions are known in the field of relational databases? Or is there a way to combine invocations of both set_certificate_file and set_key_file into one SOAP request? Or how is one supposed to use these methods? I'm using Perl and SOAP::Lite. Thanks.

8 Replies

  • All iControl calls are isolated transactions. There is no way to bulk them up and issue them all at once with automatic rollback if one of the methods fails. You'll have to build that logic into your management application.

    I'll have to dig into the implementation but it might be that you'll have to blank out the certificate and key before you assign new ones. I'll verify this and let you know.

    -Joe
  • I was told by one of the developers that this used to work but that additional validation code has been added that makes the methods not work as expected. We've created a CR to add a new method to supply both the certificate and key to avoid this issue. If you require a Hotfix, I'd suggest you open a support ticket with Product Support. Otherwise, it will make it in the next release.

    -Joe
  • Ok. I think we're waiting for the next release. Will it be fixed in both maintenance and feature releases?

    Perhaps there're other similar cases in the API where you can't execute certain methods with some input even though it would make sense if combined with execution of some other method...
  • This is a very old thread, but it seems to be the only one that applies to my issue. Was the fix ever released? I'm running 10.0.1 and can't seem to get this to work right.
  • I have submitted a ticket to F5 for this issue as I can't get it to work at present either. I see no way of creating a new profile and binding a new key, passphrase, certificate to it in a single call. I will update with the response I get from F5.

    Does anyone else know of any way around this, as this is a really old thread and I would assume they know of this issue and would have fixed it?

  • I'm seeing this problem too. Is there no way to work around this issue, as upgrading to 11 is a pain in the neck?
  • I am also stuck with the same problem. Unable to modify key and cert of an existing client SSL profile.

  • V11 has a set_key_certificate_file method, which should solve the problem.

    That method was also backported to 10.2.4 HF4.

    If you are using v11+ you can also solve this using a transaction.