trafficserver-users mailing list archives

From Reindl Harald <>
Subject Re: SSL for trafficserver
Date Fri, 30 Jun 2017 12:30:36 GMT
"my origin server has CA signed wild card certificate, so what kind of 
certificate should I install on traffic server (ex:self signed or ca
signed) and what are the steps to install certificate?"

that is a very strange question

a) if you don't want warnings on the clients self-signed
    is not an option

b) when you already have CA signed ones just put them on the proxy

c) you don't need any certificate at all on the backend - that's what 
TLS-offloading is all about

"what format of the certificate works (.pem or crt or pfx)" - as for 
anything else in the opensource world - PEM - just cat the private key, 
intermediate-certificates and the certificate in a file and use it as 
it's done for httpd, postfix, dovecot and what not....

with the config below you just put our certificates into 
"/etc/trafficserver/ssl/" and list the certs in "ssl_multicert.config"

[root@proxy:~]$ cat /etc/trafficserver/ssl_multicert.config
# optional 'ssl_ca_name=ca_name.crt' when intermediate-certs are not in the pem-file

[root@proxy:~]$ cat /etc/trafficserver/remap.config | grep

[root@proxy:~]$ cat /etc/trafficserver/records.config | grep ssl
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING 
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING 
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.cipher_suite STRING 
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.server.dhparams_file STRING 

Am 30.06.2017 um 14:19 schrieb $ubbu:
> Hi,
>       We are using apache traffic server for caching http sites for a 
> quite long time, recently we had to cache https sites.
> I took reference of 
> But unable to work it out.
> I have a few questions
> origin server has CA signed wild card certificate , so what kind of 
> certificate should I install on traffic server (ex:self signed or ca 
> signed) and what are the steps to install certificate?
> 2. what format of the certificate works (.pem or crt or pfx)?
> 3.I have one more link 
> Which I tried with both self signed and ca signed certificates but I 
> encountered the following error ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>     Please help me in this process.
> Thanks in Advance !!!
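
Added example, not part of either message and not Apache Traffic Server code: a small Python check over the `records.config` lines quoted in the reply above. It flags the TLS 1.0/1.1 switches that are set to 1 and rewrites them to 0. The function names `audit` and `harden` are hypothetical, and the sample is a constructed subset of the archived lines.

```python
import re

# records.config lines as archived in the message above (constructed subset;
# the cipher_suite value is blank in the archive copy).
SAMPLE = """\
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
"""

LINE = re.compile(r"^(CONFIG\s+(\S+)\s+(INT|STRING|FLOAT))\s*(.*?)\s*$")
LEGACY = re.compile(r"\.ssl\.(?:client\.)?TLSv1(?:_1)?$")  # not TLSv1_2

def audit(text):
    """Return (setting, problem) pairs for the proxy.config.ssl.* records."""
    findings, seen = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or ".ssl." not in m.group(2):
            continue
        name, kind, value = m.group(2), m.group(3), m.group(4)
        seen[name] = value
        if LEGACY.search(name) and value == "1":
            findings.append((name, "TLS 1.0/1.1 enabled (deprecated by RFC 8996)"))
        elif kind == "STRING" and not value:
            findings.append((name, "no value set"))
    # Only an explicit non-1 value is flagged; a missing key is left alone (assumption).
    for key in ("proxy.config.ssl.TLSv1_2", "proxy.config.ssl.client.TLSv1_2"):
        if seen.get(key, "1") != "1":
            findings.append((key, "TLS 1.2 disabled"))
    return findings

def harden(text):
    """Set the legacy-protocol switches to 0 and leave every other line alone."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and LEGACY.search(m.group(2)) and m.group(4) == "1":
            raw = m.group(1) + " 0"
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```
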
