trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Apache Traffic Server ver 3.2.4 https setup failing
Date Wed, 19 Jun 2013 20:26:17 GMT
On Jun 19, 2013, at 11:49 AM, Dave G Gmail Main <davmgingras@gmail.com> wrote:

> Hi James,
> 	Thanks for the quick reply.
> 
> 1) This diagnostic tag, where is it to enable this.
> 
> There is a 'ssl' diagnostic tag which will log debug information about the certificate loading and selection processes.
> 
> 2) Here is the curl command run from a remote server and locally on the proxy server results.
> 
> Run from a remote server(BAD)
> 
> [root@remote-server ~]# curl -v https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> *   Trying xxx.xx.xx.176... Connection refused
> * couldn't connect to host
> * Closing connection #0
> curl: (7) couldn't connect to host
> [root@remote-server ~]# curl -v https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> *   Trying xxx.xx.xx.176... connected
> * Connected to SomeDNSName.abc.xyz.com (xxx.xx.xx.176) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CApath: none
> * NSS error -5938

Google seems to think that this is PR_END_OF_FILE_ERROR. This probably means that Traffic
Server is disconnecting (crashing).

The fastest way to debug this is probably to run traffic_server by hand.

	$ sudo /opt/ats/bin/trafficserver stop
	$ sudo /opt/ats/bin/traffic_server -T ssl



> * Closing connection #0
> * SSL connect error
> curl: (35) SSL connect error
> 
> ___________________
> 
> run from the proxy server itself(BAD)
> 
> user@dave-proxy01:/usr/local/etc/trafficserver$ curl  -v https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> *   Trying xxx.xx.xx.176... connected
> * successfully set certificate verify locations:
> *   CAfile: none
>  CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> * Closing connection #0
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> user@dave-proxy01:/usr/local/etc/trafficserver$ curl  -v https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> *   Trying xxx.xx.xx.176... connected
> * successfully set certificate verify locations:
> *   CAfile: none
>  CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> * Closing connection #0
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> 
> _______________
> 
> -----Original Message-----
> From: James Peach [mailto:jpeach@apache.org] 
> Sent: Wednesday, June 19, 2013 1:26 PM
> To: users@trafficserver.apache.org
> Subject: Re: Apache Traffic Server ver 3.2.4 https setup failing
> 
> On Jun 19, 2013, at 10:18 AM, Dave G Gmail Main <davmgingras@gmail.com> wrote:
> 
>> Hi I installed ATS Version 3.2.4 on Ubuntu version 12
>> 
>> Configure for http like this :
>> 
>> records.config
>> 
>> CONFIG proxy.config.proxy_name STRING proxy01.DomainName.local
>> 
>> CONFIG proxy.config.http.server_ports STRING 80
>> 
>> CONFIG proxy.config.http.connect_ports STRING 443 563
>> 
>> CONFIG proxy.config.reverse_proxy.enabled INT 0
>> 
>> CONFIG proxy.config.url_remap.remap_required INT 0
>> 
>> remap.config
>> 
>> map http://SomeDNSName.abc.xyz.com/ http://TheRealWebServer.SubDomainName.DomainName.local:8090
>> 
>> start traffic server
>> 
>> Everything works great a get.
>> 
>> I put this in my browser address:
>> http://SomeDNSName.abc.xyz.com/
>> 
>> And I get the results I expect.
>> 
>> 
>> 
>> But when I configure it to do https, this is when I get errors like “ssl connection error” in the browser. But I know my certs and key are good as I used them in ATS Version 3.0.4 and they worked fine.
> 
> Dave,
> 
> This config looks reasonable. There is a 'ssl' diagnostic tag which will log debug information about the certificate loading and selection processes.
> 
> Additionally, 'curl -v' will show you the SSL certificate that is actually served. Can you post the output of that?
> 
> J
> 
> 
>> 
>> Here is my config for https :
>> 
>> records.config
>> 
>> CONFIG proxy.config.proxy_name STRING proxy01.DomainName.local
>> 
>> CONFIG proxy.config.http.server_ports STRING 443
>> 
>> CONFIG proxy.config.http.connect_ports STRING 443 563
>> 
>> CONFIG proxy.config.reverse_proxy.enabled INT 0
>> 
>> CONFIG proxy.config.url_remap.remap_required INT 0
>> 
>> CONFIG proxy.config.ssl.server.cert_chain.filename STRING abc.xyz.com.crt
>> 
>> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
>> 
>> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
>> 
>> 
>> 
>> remap.config
>> 
>> map https://SomeDNSName.abc.xyz.com/ http://TheRealWebServer.SubDomainName.DomainName.local:8090
>> 
>> ssl_multicert.config
>> 
>> dest_ip=*       ssl_cert_name=abc.xyz.com.crt ssl_key_name=abc.xyz.com.key
>> 
>> start traffic server
>> 
>> It fails to load the page.
>> 
>> Error.log has these errors
>> 
>> 0130619.12h59m46s BODY_FACTORY: using hardcoded default 'connect#dns_failed' body for url 'http://?%?☺7???RE?a?U!????bE???'
>> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 502 (Cannot find server.) for 'http://?%?☺7???RE?a?U!????bE???'
>> 0130619.12h59m46s BODY_FACTORY: using hardcoded default 'request#syntax_error' body for url '/'
>> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP Request) for '/'
>> 0130619.12h59m46s BODY_FACTORY: using hardcoded default 'connect#dns_failed' body for url 'http://??s'
>> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 502 (Cannot find server.) for 'http://??s'
>> 0130619.12h59m49s BODY_FACTORY: using hardcoded default 'request#syntax_error' body for url '/'
>> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP Request) for '/'
>> 0130619.12h59m49s BODY_FACTORY: using hardcoded default 'request#syntax_error' body for url '/'
>> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP Request) for '/'
>> 0130619.12h59m49s BODY_FACTORY: using hardcoded default 'request#syntax_error' body for url '/'
>> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP Request) for '/'
>> 
>> 
>> 
>> Any help would be appreciated.
>> 
>> Let me know if you need more info to help.
>> 
>> Dave
> 
> 
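
An added example, not part of the original thread and not Traffic Server code: the two curl failures quoted above differ in what the listener returned after the ClientHello, either nothing (NSS -5938, PR_END_OF_FILE_ERROR) or bytes that do not parse as a TLS record (OpenSSL `unknown protocol`). This Python check sends a real ClientHello and classifies the first bytes of the reply, which separates a closed connection from a port that answers in plaintext HTTP. The function names, the host `proxy.example.test` and the sample replies are constructed for illustration.

```python
import socket
import ssl

# Constructed sample replies (not captured from the thread's server).
SAMPLE_HTTP = b"HTTP/1.0 400 Invalid HTTP Request\r\n"
SAMPLE_SERVER_HELLO = bytes.fromhex("160303004a02")
SAMPLE_ALERT = bytes.fromhex("15030300020228")

def client_hello(hostname):
    """Build a genuine TLS ClientHello in memory using the stdlib ssl module."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()

def classify_reply(data):
    """Classify the first bytes a listener sends back after a ClientHello."""
    if not data:
        return "eof"              # peer closed without answering
    if data.startswith(b"HTTP/"):
        return "plaintext-http"   # the port is served by an HTTP parser, not TLS
    # TLS record header: content type, version major 3, minor, 2-byte length.
    if len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        if int.from_bytes(data[3:5], "big") <= 16384 + 2048:
            return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Connect, send a ClientHello, and report how the listener responded."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello(host))
            return classify_reply(sock.recv(16))
    except ConnectionRefusedError:
        return "refused"          # nothing is listening (curl error 7 above)
    except ConnectionResetError:
        return "eof"
    except socket.timeout:
        return "timeout"

if __name__ == "__main__":
    for name, reply in [("http", SAMPLE_HTTP), ("hello", SAMPLE_SERVER_HELLO),
                        ("alert", SAMPLE_ALERT), ("closed", b"")]:
        print(name, "->", classify_reply(reply))
```

Running `probe()` against the proxy while `traffic_server -T ssl` is in the foreground lets the classification be read next to the debug output from the same connection.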

