trafficserver-users mailing list archives

From "juergenp[core]" <juerg...@core.at>
Subject Re: Error=unable to get local issuer certificate server
Date Sun, 01 Mar 2020 19:37:55 GMT
Thank you,

If I call the origin server directly from the browser, the cert and the
certification path look good - it uses crt.

I converted the crt file I received to pem. Maybe that causes a problem.

I will check that.


Thank you for your help.


Kind regards


Juergen



On 01.03.2020 at 19:24, Jeremy Payne wrote:
> Make sure '/opt/ts/etc/ssl/certs/ca.pem' contains the root cert needed
> to validate the origin server cert.
>
> Also ensure your origin is sending the server cert and the appropriate
> intermediate cert(s).
>
>
>
> On Sun, Mar 1, 2020 at 11:03 AM Jeremy Payne <jp557198@gmail.com> wrote:
>> Also, using curl (without the insecure option), can you poll the
>> origin server directly without receiving a certificate error?
>>
>>
>> On Sun, Mar 1, 2020 at 10:59 AM Jeremy Payne <jp557198@gmail.com> wrote:
>>> If ATS to origin cert validation is failing, then you may need to
>>> disable server verify (that is, if your company's security policy allows).
>>>
>>> A couple of different approaches:
>>>
>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html#override-verify-origin-server
>>>
>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-ssl-client-verify-server-policy
>>>
>>>
>>> Or simply add the root cert to the ATS CA bundle file.
>>>
>>>
>>>
>>> On Sun, Mar 1, 2020 at 10:50 AM juergenp[core] <juergenp@core.at> wrote:
>>>> Hello,
>>>>
>>>>
>>>> I run ATS10.
>>>>
>>>> The origin server has a private IP with an existing DNS entry pointing to
>>>> it (I know it's unsafe, but it's a work-around; the split-DNS config is a bit
>>>> confusing, because ATS still does round robin on the DNS servers I
>>>> entered in /etc/resolve.conf).
>>>>
>>>> The certificate I have installed is a wildcard certificate.
>>>>
>>>> Both ATS and the origin server have that certificate installed.
>>>>
>>>>
>>>> This is the error message:
>>>>
>>>> [Mar  1 17:11:14.243] [ET_NET 8] WARNING: Core server certificate
>>>> verification failed for (www.xxx.at). Action=Continue Error=unable to
>>>> get local issuer certificate server=w40.xxx.at(10.19.0.40) depth=2
>>>>
>>>>
>>>>
>>>>
>>>> The remap.config looks like this (I had to use the www mappings because
>>>> the redirect parameter is ignored, but that's a different issue):
>>>>
>>>> #   redirect     http://www.xxx.at/    http://xxx.at/
>>>>    #  redirect     https://www.xxx.at/   https://xxx.at/
>>>>
>>>> #i tried also:
>>>>
>>>>    #  redirect     http://www.xxx.at/    http://w40.xxx.at/
>>>>     # redirect     https://www.xxx.at/   https://w40.xxx.at/
>>>>
>>>> -------
>>>>
>>>> map http://www.xxx.at/                http://w40.xxx.at/
>>>> ##reverse_map http://w40.xxx.at/            http://www.xxx.at/
>>>>
>>>> map https://www.xxx.at/          https://w40.xxx.at/
>>>> #reverse_map https://w40.xxx.at/          https://www.xxx.at/
>>>>
>>>>
>>>> map http://xxx.at/              http://w40xxx.at/
>>>> reverse_map http://w40.xxx.at/         http://xxx.at/
>>>> map https://xxx.at/               https://w40.xxx.at/
>>>> reverse_map https://w40.xxx.at/           https://xxx.at/
>>>> ------------
>>>>
>>>>
>>>> ssl-multicert.config
>>>>
>>>> ------------------------
>>>>
>>>> dest_ip=111.111.111.111 ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem
>>>> ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem
>>>> ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
>>>> dest_ip=* ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem
>>>> ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem
>>>> ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
>>>> -----------------------------------
>>>>
>>>>
>>>>
>>>>
>>>> splitdns.config
>>>>
>>>> ----
>>>>
>>>> dest_domain=xxx.at named=10.19.0.9 def_domain="xxx.at" search_list="xxx.at"
>>>> dest_domain=!xxx.at named=10.19.0.201
>>>> -----------
>>>>
>>>>
>>>>
>>>>
