trafficserver-users mailing list archives

From Megan Wilhite <>
Subject RE: SSL handshake
Date Wed, 20 Nov 2013 20:44:51 GMT
So I ran both of those openssl commands and they match up.
So I think I will try upgrading to 4.0.2. Is there any upgrade path from 3.2.0 to 4.0.2?

From: Igor Galić []
Sent: Wednesday, October 23, 2013 12:33 PM
Subject: Re: SSL handshake

Hi Megan,

first and foremost: "My ATS version is 3.2.0", our current latest stable is 4.0.2, and we
highly recommend upgrading to that version (we also appreciate reports about why you won't
or cannot upgrade).

The reason curl is giving you these errors is because SSL isn't actually configured properly

"""ERROR: SSL ERROR: Cannot use server private key file: /usr/local/etc/trafficserver/domain2.key"""

These errors have been completely reworked in 4.x (I had to switch to the 3.2.x code to even
find it), but generally it means we were unable to load the certificate, as you're not getting
a permission error, and as the path exists the only explanation left is that the certificate
and the key don't match up.

You can verify that with:

openssl x509 -in path-to-certificate -noout -modulus
openssl rsa -in path-to-key -noout -modulus

One final remark: """dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key""",
443 is default, you can leave that out.

That's all from me,

so long,


I am trying to use SSL for both Client/Traffic Server and Traffic Server/Origin Server connections.
Every time I try connecting with curl -vvv -k or a web browser
I get the message Success with a 502 error.
In the logs I get the following error: ERROR: SSL::2:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:

Also when I restart ATS I get the following error in the logs:

ERROR: SSL ERROR: Cannot use server private key file: /usr/local/etc/trafficserver/domain2.key
I am certain I am using the right certificate and key for domain 2 and domain 1. And I am
sure they are both validated. In fact I set up SSL on domain2 and tested from the ATS server
with curl -vvv -k and it works. I am using the same certificate and
key from this server.

Did I setup something incorrectly?

Here are my remap.config settings:


My ssl_multicert.config
dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key
dest_ip=ipaddressofdomain1:443 ssl_cert_name=domain1.cer ssl_key_name=domain1.key

My records.config
CONFIG proxy.config.ssl.enabled INT 1
CONFIG proxy.config.ssl.number.threads INT 0
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
CONFIG proxy.config.ssl.compression INT 1
CONFIG proxy.config.ssl.server_ports ssl:443
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
# CONFIG proxy.config.ssl.server.cert.filename
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
# CONFIG proxy.config.ssl.server.private_key.filename
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.client.verify.server INT 1
# CONFIG proxy.config.ssl.client.cert.filename STRING
CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver
# CONFIG proxy.config.ssl.client.private_key.filename STRING
CONFIG proxy.config.ssl.client.private_key.path STRING /usr/local/etc/trafficserver
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.client.CA.cert.path etc/trafficserver

Each of the certificates and keys has 644 permissions for the same user running traffic_manager/traffic_server

My ATS version is 3.2.0

Any help with why I am getting these errors would be greatly appreciated.


Igor Galić

Tel: +43 (0) 664 886 22 883
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
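As an added example (not code from this thread or from the Traffic Server project), the POSIX shell script below applies the modulus check from Igor's reply to every line of an ssl_multicert.config instead of one pair at a time, resolving relative file names against the directory that proxy.config.ssl.server.cert.path points to, as in Megan's records.config. It assumes the openssl command line tool is installed; the domain1/domain2 host names, the 192.0.2.x addresses, the generated key and certificate files and the sample config are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Traffic Server itself.
# Applies the modulus comparison from Igor's reply to every line of an
# ssl_multicert.config and reports pairs whose certificate and private key
# do not belong together. Requires the openssl command line tool; all file
# names, host names and addresses below are constructed for the demonstration.

# Modulus of the public key inside a PEM certificate ("Modulus=...").
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus
}

# Modulus of a PEM RSA private key, printed in the same form.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus
}

# 0 when certificate and key share a modulus, 1 on mismatch or unreadable file.
# stderr is silenced so a missing or malformed file simply counts as a mismatch.
cert_key_match() {
    c=$(cert_modulus "$1" 2>/dev/null) || return 1
    k=$(key_modulus "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Resolve a file name the way ATS does: absolute names are used as given,
# relative names are looked up under proxy.config.ssl.server.cert.path ($1).
resolve() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Check every cert/key pair named in an ssl_multicert.config.
# Usage: check_multicert <config file> <cert directory>; returns 1 if any pair fails.
check_multicert() {
    conf="$1"; certdir="$2"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # skip blank and comment lines
        cert=""; key=""
        for tok in $line; do
            case "$tok" in
                ssl_cert_name=*) cert="${tok#ssl_cert_name=}" ;;
                ssl_key_name=*)  key="${tok#ssl_key_name=}" ;;
            esac
        done
        if [ -z "$cert" ]; then continue; fi
        # With ssl_key_name omitted, ATS expects the key inside the certificate file.
        key="${key:-$cert}"
        if cert_key_match "$(resolve "$certdir" "$cert")" "$(resolve "$certdir" "$key")"; then
            echo "OK        $cert / $key"
        else
            echo "MISMATCH  $cert / $key   (ATS will refuse this key at startup)"
            bad=1
        fi
    done < "$conf"
    return $bad
}

# Constructed fixture: domain1 gets a matching pair, domain2 is listed with a
# key that belongs to no certificate, reproducing the failure from the thread.
make_fixture() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain1.example" \
        -keyout "$d/domain1.key" -out "$d/domain1.cer" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain2.example" \
        -keyout "$d/domain2.key" -out "$d/domain2.cer" >/dev/null 2>&1
    openssl genrsa -out "$d/wrong.key" 2048 >/dev/null 2>&1
    cat > "$d/ssl_multicert.config" <<EOF
# constructed sample in the format posted in the thread; :443 is the default and may be omitted
dest_ip=192.0.2.10:443 ssl_cert_name=domain1.cer ssl_key_name=domain1.key
dest_ip=192.0.2.11 ssl_cert_name=domain2.cer ssl_key_name=wrong.key
EOF
}

# Stand-alone demonstration against the constructed fixture.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    check_multicert "$tmp/ssl_multicert.config" "$tmp" || echo "fix the pairs marked MISMATCH before starting traffic_server"
    rm -rf "$tmp"
fi
```

Run against a real installation as `check_multicert /usr/local/etc/trafficserver/ssl_multicert.config /usr/local/etc/trafficserver`; a pair reported as MISMATCH is the one that produces "Cannot use server private key file" at startup, while a pair reported OK and still rejected points at file permissions or the path settings instead.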
