Posted to users@trafficserver.apache.org by Megan Wilhite <mw...@ocm.utah.edu> on 2013/10/22 22:45:19 UTC

SSL handshake

I am trying to use SSL for both Client/Traffic Server and Traffic Server/Origin Server connections. Every time I try connecting with curl -vvv -k https://domain1.com or a web browser I get the message Success with a 502 error.
In the logs it states I get the following errors: ERROR: SSL::2:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:

Also when I restart ATS I get the following error in the logs:

ERROR: SSL ERROR: Cannot use server private key file: /usr/local/etc/trafficserver/domain2.key
I am certain I am using the right certificate and key for domain 2 and domain 1. And I am sure they are both validated. In fact I set up SSL on domain2 and tested from the ATS server with curl -vvv -k https://domain2.com and it works. I am using the same certificate and key from this server.

Did I setup something incorrectly?

Here are my remap.config settings:

map http://domain1.com:80 http://domain2.com:80
map https://domain1.com:443 https://domain2.com:443

My ssl_multicert.config
dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key
dest_ip=ipaddressofdomain1:443 ssl_cert_name=domain1.cer ssl_key_name=domain1.key

My records.config
CONFIG proxy.config.ssl.enabled INT 1
CONFIG proxy.config.ssl.number.threads INT 0
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
CONFIG proxy.config.ssl.compression INT 1
CONFIG proxy.config.ssl.server_ports STRING ssl:443
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
# CONFIG proxy.config.ssl.server.cert.filename
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
# CONFIG proxy.config.ssl.server.private_key.filename
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.client.verify.server INT 1
# CONFIG proxy.config.ssl.client.cert.filename STRING
CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver
# CONFIG proxy.config.ssl.client.private_key.filename STRING
CONFIG proxy.config.ssl.client.private_key.path STRING /usr/local/etc/trafficserver
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver

Each of the certificates and keys has 644 permissions for the same user that runs traffic_manager/traffic_server.

My ATS version is 3.2.0

Any help with why I am getting these errors would be greatly appreciated.

Thanks,
Megan



Re: SSL handshake

Posted by Igor Galić <i....@brainsware.org>.
Well! With 4.1.1 now real soon to be out, you could directly upgrade to that. 

The upgrade procedure is the same: https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v4.0 

So long, 

i 


-- 
Igor Galić 

Tel: +43 (0) 664 886 22 883 
Mail: i.galic@brainsware.org 
URL: http://brainsware.org/ 
GPG: 8716 7A9F 989B ABD5 100F 4008 F266 55D6 2998 1641 

RE: SSL handshake

Posted by Megan Wilhite <mw...@ocm.utah.edu>.
So I ran both of those openssl commands and they match up.
So I think I will try upgrading to 4.0.2. Is there any upgrade path from 3.2.0 to 4.0.2?

From: Igor Galić [mailto:i.galic@brainsware.org]
Sent: Wednesday, October 23, 2013 12:33 PM
To: users@trafficserver.apache.org
Subject: Re: SSL handshake


Re: SSL handshake

Posted by Igor Galić <i....@brainsware.org>.
Hi Megan, 

First and foremost: "My ATS version is 3.2.0". Our current latest stable is 4.0.2, and we highly recommend upgrading to that version (we also appreciate reports about why you won't or cannot upgrade).

The reason curl is giving you these errors is that SSL isn't actually configured properly:

"""ERROR: SSL ERROR: Cannot use server private key file: /usr/local/etc/trafficserver/domain2.key"""

These errors have been completely reworked in 4.x (I had to switch to the 3.2.x code to even find it), but generally it means we were unable to load the certificate. As you're not getting a permission error, and as the path exists, the only explanation left is that the certificate and the key don't match up.

You can verify that with:

openssl x509 -in path-to-certificate -noout -modulus 

vs 

openssl rsa -in path-to-key -noout -modulus 

One final remark: """dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key""": 443 is the default, so you can leave that out.

That's all from me, 

so long, 

i 

-- 
Igor Galić 

Tel: +43 (0) 664 886 22 883 
Mail: i.galic@brainsware.org 
URL: http://brainsware.org/ 
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
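The modulus comparison suggested in the reply above, as a runnable script added here (it is not from the thread or from the Traffic Server project). It goes one step further than the reply and also compares the certificate's public key with the key's public half, which works for non-RSA keys. The domain1/domain2 fixture names are constructed, and the script generates throwaway self-signed pairs so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a certificate and a private
# key belong together before pointing ssl_multicert.config at them. It applies
# the modulus check from the reply above and also compares the public key,
# which works for non-RSA keys too. Fixture certs/keys are generated locally.
set -eu

# 0 when the RSA modulus in the certificate equals the one in the key.
modulus_matches() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null || true)
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null || true)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 when the SubjectPublicKeyInfo in the certificate equals the key's public
# half; unlike the modulus check this also covers EC keys.
pubkey_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Human-readable verdict for one cert/key pair, e.g. domain2.cer domain2.key.
check_pair() {
  if pubkey_matches "$1" "$2"; then
    echo "OK: $1 and $2 belong together"
  else
    echo "MISMATCH: $1 does not correspond to $2" >&2
    return 1
  fi
}

# Constructed fixtures (hypothetical names): two self-signed RSA pairs in a
# temporary directory; prints the directory path.
make_fixtures() {
  dir=$(mktemp -d)
  for d in domain1 domain2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$d.example" \
      -keyout "$dir/$d.key" -out "$dir/$d.cer" 2>/dev/null
  done
  echo "$dir"
}

# Usage: sh check_pair.sh domain2.cer domain2.key
if [ $# -eq 2 ]; then
  check_pair "$1" "$2"
fi
```

A non-zero exit from check_pair is the same condition ATS reports as "Cannot use server private key file", so running it on each pair listed in ssl_multicert.config before a restart catches the mismatch early.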