trafficserver-users mailing list archives
From Igor Galić <i.ga...@brainsware.org>
Subject Re: SSL handshake
Date Wed, 23 Oct 2013 18:33:10 GMT
Hi Megan, 

first, and foremost: "My ATS version is 3.2.0", our current latest stable is 4.0.2, and we
highly recommend upgrading to that version (we also appreciate reports about why you won't
or cannot upgrade) 

The reason curl is giving you these errors is because SSL isn't actually configured properly
because: 

"""ERROR: SSL ERROR: Cannot use server private key file: /usr/local/etc/trafficserver/domain2.key"""


These errors have been completely reworked in 4.x (I had to switch to the 3.2.x code to even
find it), but generally it means we were unable to load the certificate, as you're not getting
a permission error, and as the path exists the only explanation left is that the certificate
and the key don't match up. 

You can verify that with: 

openssl x509 -in path-to-certificate -noout -modulus 

vs 

openssl rsa -in path-to-key -noout -modulus 

One final remark: """dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key""",
443 is default, you can leave that out. 

That's all from me, 

so long, 

i 

----- Original Message -----

> I am trying to use SSL for both Client/Traffic Server and Traffic
> Server/Origin Server connections. Every time I try to connect with curl
> -vvv -k https://domain1.com or a web browser I get the message Success with
> a 502 error.

> In the logs it states I get the following errors: ERROR:
> SSL::2:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed:s3_clnt.c:1063:

> Also when I restart ATS I get the following error in the logs:

> ERROR: SSL ERROR: Cannot use server private key file:
> /usr/local/etc/trafficserver/domain2.key

> I am certain I am using the right certificate and key for domain 2 and domain
> 1. And I am sure they are both validated. In fact I setup SSL on the domain2
> and tested from the ATS server with curl -vvv -k https://domain2.com and it
> works. I am using the same certificate and key from this server.

> Did I setup something incorrectly?

> Here is my remap.config file settings:

> map http://domain1.com:80 http://domain2.com:80

> map https://domain1.com:443 https://domain2.com:443

> My ssl_multicert.config

> dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer
> ssl_key_name=domain2.key

> dest_ip=ipaddressofdomain1:443 ssl_cert_name=domain1.cer
> ssl_key_name=domain1.key

> My records.config

> CONFIG proxy.config.ssl.enabled INT 1

> CONFIG proxy.config.ssl.number.threads INT 0

> CONFIG proxy.config.ssl.SSLv2 INT 0

> CONFIG proxy.config.ssl.SSLv3 INT 1

> CONFIG proxy.config.ssl.TLSv1 INT 1

> CONFIG proxy.config.ssl.server.honor_cipher_order INT 0

> CONFIG proxy.config.ssl.compression INT 1

> CONFIG proxy.config.ssl.server_ports ssl:443

> CONFIG proxy.config.ssl.client.certification_level INT 0

> CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL

> # CONFIG proxy.config.ssl.server.cert.filename

> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver

> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver

> # CONFIG proxy.config.ssl.server.private_key.filename

> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL

> CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver

> CONFIG proxy.config.ssl.client.verify.server INT 1

> # CONFIG proxy.config.ssl.client.cert.filename STRING

> CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver

> # CONFIG proxy.config.ssl.client.private_key.filename STRING

> CONFIG proxy.config.ssl.client.private_key.path STRING
> /usr/local/etc/trafficserver

> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL

> CONFIG proxy.config.ssl.client.CA.cert.path etc/trafficserver

> Each of the certificates and keys have 644 permissions for the same user
> running traffic_manager/traffic_server

> My ATS version is 3.2.0

> Any help with why I am getting these errors would be greatly appreciated.

> Thanks,

> Megan

-- 
Igor Galić 

Tel: +43 (0) 664 886 22 883 
Mail: i.galic@brainsware.org 
URL: http://brainsware.org/ 
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE 
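The two openssl modulus commands from Igor's reply, automated over a whole ssl_multicert.config, as an added example that is not part of the thread or of Traffic Server itself. A certificate and an RSA private key belong together only if they carry the same modulus, so comparing the two "Modulus=" lines is the offline test for the "Cannot use server private key file" error. The fixture files, the 192.0.2.x addresses and the sample config below are constructed for the demonstration; only openssl is required.

```shell
#!/bin/sh
# Added example, not code from the thread or from Traffic Server.

# modulus_of TYPE FILE: print the hex modulus of an x509 cert or rsa key.
# Fails (and prints nothing) if the file is unreadable or not PEM of that type.
modulus_of() {
  m=$(openssl "$1" -in "$2" -noout -modulus 2>/dev/null) || return 1
  case "$m" in
    Modulus=*) printf '%s\n' "${m#Modulus=}" ;;
    *) return 1 ;;
  esac
}

# cert_key_match CERT KEY: exit 0 if both carry the same modulus, 1 if they
# differ, 2 if either file could not be parsed at all.
cert_key_match() {
  c=$(modulus_of x509 "$1") || return 2
  k=$(modulus_of rsa "$2") || return 2
  [ "$c" = "$k" ]
}

# check_multicert CONFIG CERTDIR: walk every entry of an ssl_multicert.config
# (dest_ip=... ssl_cert_name=... ssl_key_name=...) and report whether the
# named pair matches. Files are resolved relative to CERTDIR, the directory
# proxy.config.ssl.server.cert.path points at. Returns 1 if any entry is
# mismatched or unreadable, 0 if every pair agrees.
check_multicert() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    cert=''; key=''
    for tok in $line; do
      case "$tok" in
        ssl_cert_name=*) cert=${tok#ssl_cert_name=} ;;
        ssl_key_name=*)  key=${tok#ssl_key_name=} ;;
      esac
    done
    [ -n "$cert" ] || continue
    # No ssl_key_name given: assume the key is kept inside the cert file.
    [ -n "$key" ] || key=$cert
    if cert_key_match "$2/$cert" "$2/$key"; then
      echo "OK        $cert / $key"
    else
      echo "MISMATCH  $cert / $key (ATS would refuse to load this pair)"
      bad=1
    fi
  done < "$1"
  return "$bad"
}

# make_fixtures DIR: constructed test set. domain2.cer/domain2.key are a
# matching self-signed pair; other.key is an unrelated key standing in for
# the "wrong key file" case. Names mirror the thread but nothing is real.
make_fixtures() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=domain2.example \
    -keyout "$1/domain2.key" -out "$1/domain2.cer" >/dev/null 2>&1
  openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
  cat > "$1/ssl_multicert.config" <<'EOF'
# constructed sample, same shape as the config quoted in the thread
dest_ip=192.0.2.10 ssl_cert_name=domain2.cer ssl_key_name=domain2.key
dest_ip=192.0.2.11 ssl_cert_name=domain2.cer ssl_key_name=other.key
EOF
}

# Stand-alone run: build the fixtures in a temp dir and check them.
dir=$(mktemp -d)
make_fixtures "$dir"
if check_multicert "$dir/ssl_multicert.config" "$dir"; then
  echo "all certificate/key pairs agree"
else
  echo "at least one pair is wrong; fix it before restarting traffic_server"
fi
rm -rf "$dir"
```

Run it against the real config with `check_multicert /usr/local/etc/trafficserver/ssl_multicert.config /usr/local/etc/trafficserver`; the MISMATCH lines are exactly the entries that trigger the "Cannot use server private key file" error at startup. The modulus comparison only covers RSA keys, which is what the thread is about; for EC keys compare the public key output of `openssl x509 -pubkey` and `openssl pkey -pubout` instead.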
