Posted to dev@trafficserver.apache.org by James Peach <jp...@apache.org> on 2013/07/21 03:43:44 UTC

Re: Apache traffic server won't start with large number of SSL certs defined

On Jul 9, 2013, at 12:26 PM, Kris G. Lindgren <kl...@godaddy.com> wrote:

> Running into an issue with SNI under 3.2.4 - with 100k ssl certs defined in ssl_multicert.config with the following format: ssl_cert_name=<cert>  Traffic server will never start.  It looks like it keeps getting killed by traffic_cop.

It takes me about a minute to load 100K certificates. Kris, can you please file a ticket and I'll investigate what we can do about this ...

> I get the following in the traffic.out:
>  
> [Jul  9 19:17:22.284] Manager {0x7f6aa283c740} ERROR: [LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9: Killed
> [Jul  9 19:17:22.284] Manager {0x7f6aa283c740} ERROR:  (last system error 2: No such file or directory)
> [Jul  9 19:17:22.284] Manager {0x7f6aa283c740} ERROR: [Alarms::signalAlarm] Server Process was reset
> [Jul  9 19:17:22.285] Manager {0x7f6aa283c740} ERROR:  (last system error 2: No such file or directory)
> [Jul  9 19:17:23.291] Manager {0x7f6aa283c740} NOTE: [LocalManager::startProxy] Launching ts process
> [TrafficServer] using root directory '/usr'
> [Jul  9 19:17:23.305] Manager {0x7f6aa283c740} NOTE: [LocalManager::pollMgmtProcessServer] New process connecting fd '12'
> [Jul  9 19:17:23.305] Manager {0x7f6aa283c740} NOTE: [Alarms::signalAlarm] Server Process born
> [Jul  9 19:17:24.316] {0x2b5ae88b1a40} STATUS: opened /var/log/trafficserver/diags.log
> [Jul  9 19:17:24.316] {0x2b5ae88b1a40} NOTE: updated diags config
> [Jul  9 19:17:24.322] Server {0x2b5ae88b1a40} NOTE: cache clustering disabled
> [Jul  9 19:17:24.325] Server {0x2b5ae88b1a40} WARNING: no cache disks specified in /etc/trafficserver/storage.config: cache disabled
> [Jul  9 19:17:24.341] Server {0x2b5ae88b1a40} NOTE: cache clustering disabled
> [Jul  9 19:17:24.341] Server {0x2b5ae88b1a40} WARNING: unable to open cache disk(s): Cache Disabled
> [Jul  9 19:17:42.347] Manager {0x7f6aa283c740} ERROR: [LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9: Killed
> [Jul  9 19:17:42.347] Manager {0x7f6aa283c740} ERROR:  (last system error 2: No such file or directory)
> [Jul  9 19:17:42.347] Manager {0x7f6aa283c740} ERROR: [Alarms::signalAlarm] Server Process was reset
> [Jul  9 19:17:42.347] Manager {0x7f6aa283c740} ERROR:  (last system error 2: No such file or directory)
> [Jul  9 19:17:43.361] Manager {0x7f6aa283c740} NOTE: [LocalManager::startProxy] Launching ts process
>  
> I would like to be able to reach 500k ssl certs defined.
>  
> Script to create the ssl certs is below.  (it's going to take a few hours for the script to run)
>  
> #!/bin/bash
> 
> # Generate the SSL certs: one self-signed cert and 2048-bit RSA key per hostname
> mkdir -p fullpem    # output directory must exist before cat redirects into it
> for ((i=0 ; i < 100001 ; i++));
> do
>         openssl genrsa -out "test$i.key" 2048
>         openssl req -new -key "test$i.key" -out "test$i.csr" -subj "/C=US/ST=Arizona/L=Norm/O=Godaddy/OU=Norm/CN=onehundredthousand$i.com"
>         openssl x509 -req -days 365 -in "test$i.csr" -signkey "test$i.key" -out "test$i.crt"
>         # Combined PEM (cert followed by key) is what ssl_cert_name points at
>         cat "test$i.crt" "test$i.key" > "fullpem/onehundredthousand$i.pem"
>         echo "onehundredthousand$i.pem" >> certs
>         rm -f "test$i".*
> done
>  
>  
> # Create ssl_multicert.config - if you want to test non-SNI, uncomment the commented lines below
> #s=240
> #t=0
> #f=1
> #number=100000
> 
> # Read one cert filename per line from the "certs" list written above
> while IFS= read -r i
> do
> #        if [ $f -eq 255 ]
> #        then
> #                f=1
> #                t=$((t+1))
> #        fi
> #        if [ $t -eq 255 ]
> #        then
> #                t=0
> #                s=$((s+1))
> #        fi
> #        echo "dest_ip=10.$s.$t.$f   ssl_cert_name=$i" >> ssl_multicert.config
>         echo "ssl_cert_name=$i" >> ssl_multicert.config
> #        ip addr add dev lo 10.$s.$t.$f/255.255.255.255 > /dev/null 2>&1
> #        f=$((f+1))
> done < certs
> cp ssl_multicert.config /etc/trafficserver/ssl_multicert.config
>  
> ____________________________________________
>  
> Kris Lindgren
> Senior Linux Systems Engineer
> GoDaddy, LLC.
> (480) 505-8800 X7111
> Email: klindgren@godaddy.com
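
As an added example (not part of the original thread and not Traffic Server code), the script below measures how long each traffic_server process lived between the manager's "Launching ts process" and "terminated due to Sig 9" lines in traffic.out. The sample lines are constructed from the log quoted above; the year and the 60-second load time (taken from the estimate in the reply) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the Manager lines in the traffic.out quoted above.
SAMPLE = """\
> [Jul  9 19:17:22.284] Manager {0x7f6aa283c740} ERROR: [LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9: Killed
> [Jul  9 19:17:23.291] Manager {0x7f6aa283c740} NOTE: [LocalManager::startProxy] Launching ts process
> [Jul  9 19:17:24.322] Server {0x2b5ae88b1a40} NOTE: cache clustering disabled
> [Jul  9 19:17:42.347] Manager {0x7f6aa283c740} ERROR: [LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9: Killed
> [Jul  9 19:17:43.361] Manager {0x7f6aa283c740} NOTE: [LocalManager::startProxy] Launching ts process
"""

STAMP = re.compile(r"\[(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3})\] Manager ")
KILLED = re.compile(r"Server Process terminated due to Sig (\d+)")


def server_lifetimes(text, year=2013):
    """Return [(seconds_alive, signal)] for each launch the manager later saw die.

    traffic.out timestamps carry no year, so `year` is an assumed parameter.
    """
    launched, runs = None, []
    for line in text.splitlines():
        m = STAMP.search(line)  # search, not match: tolerates "> " mail quoting
        if not m:
            continue  # Server-process lines and untimestamped lines are ignored
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        killed = KILLED.search(line)
        if "Launching ts process" in line:
            launched = when
        elif killed and launched is not None:
            # A termination with no recorded launch before it is skipped.
            runs.append(((when - launched).total_seconds(), int(killed.group(1))))
            launched = None
    return runs


def killed_before_loaded(runs, load_seconds=60.0):
    """True when every measured run ended in SIGKILL sooner than the assumed load time."""
    return bool(runs) and all(sig == 9 and alive < load_seconds for alive, sig in runs)


if __name__ == "__main__":
    runs = server_lifetimes(SAMPLE)
    for alive, sig in runs:
        print(f"server lived {alive:.3f}s, ended by signal {sig}")
    print("killed before certificates could load:", killed_before_loaded(runs))
```

On the sample, the one complete launch-to-kill cycle is far shorter than the quoted one-minute load time, so the server is being killed while it is still reading ssl_multicert.config.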