+1 to what Dave said. A full cert chain shouldn't be a problem in Traffic
Ops. Best to make sure the server cert is at the top of the chain, and the
rest of the certs are below, in order, with the CA cert last.

__Jason

On Tue, May 23, 2017 at 2:15 PM, Dave Neuman <neu...@apache.org> wrote:

> Hey Oren,
> Yes you can enter an externally created, full-chain certificate in Traffic
> Ops; we do this all the time.  You shouldn't need to do anything special
> besides make sure that the certificate chain is in the correct order.  I
> think you need to have the server (wildcard) cert first, then the intermediates,
> then the root block.  If that doesn't work, I would try reversing the
> order.
>
> --Dave
>
> On Tue, May 23, 2017 at 4:45 AM, Oren Shemesh <or...@qwilt.com> wrote:
>
> > Hi,
> >
> > After creating a DS which supports SSL, and using an official certificate
> > created by GoDaddy (as opposed to a self-signed certificate generated by
> > Ops), we ran into the following issue:
> >
> > An SSL scan from https://www.ssllabs.com/ssltest , done on
> > tr.<ds-name>.<cdn-domain>, complained about the fact that the server's
> > certificate chain is incomplete.
> > (Do try this tool on your servers, you might find the results interesting.)
> >
> > I tried pasting the full certificate chain (made from four blocks, each
> > marked with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
> > lines) into Ops, but this made the traffic router's situation worse: it
> > consumed the certificate chain with no problem, but now it presents a
> > certificate for GoDaddy, instead of a certificate for *.<ds-name>.<cdn-domain>.
> > So, I guess that when pasting a certificate for a DS via Ops, it only uses
> > the first block in the chain.
> >
> > A quick check with the Tomcat documentation shows that in order for it to
> > present a full-chain certificate, two different 'keytool -import' commands
> > should be used, one for the 'root' and another for the 'server' (see
> > https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate).
> > This might explain the problem: given the current Ops GUI, I am entering a
> > chain of certificates in one block of text, using it as if it is a 'server'
> > certificate, instead of breaking it into a 'root' and a 'server'
> > certificate.
> >
> > So after all this, here is my question:
> >
> > Is there a way to use an externally-created, full-chain certificate, in
> > Traffic Ops ?
> >
> > Thanks a lot, Oren.
> >
> > --
> >
> > *Oren Shemesh*
> > Qwilt | Work: +972-72-2221637| Mobile: +972-50-2281168 | or...@qwilt.com
> > <y...@qwilt.com>
> >
>

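The ordering rule Jason and Dave describe (server cert first, then the intermediates, CA root last), as an added example that is not part of this thread and not code from Traffic Control: a POSIX shell script that splits a PEM bundle into its BEGIN/END CERTIFICATE blocks, asks openssl for each block's subject and issuer, and checks that every block's issuer is the subject of the block after it and that the last block is self-signed. It also reports the subject of the first block, which is the certificate Oren saw Traffic Router present. Run with no argument it builds a throwaway root / intermediate / wildcard chain of its own and checks both a correctly ordered and a reversed bundle; the CA names and `*.ds.example.test` are constructed for the demo, and the script assumes the `openssl` CLI and `awk` are installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Traffic Control.
# Checks that a PEM bundle is ordered leaf -> intermediate(s) -> root.
# Requires the openssl CLI and awk.
set -eu

# Print one "subject|issuer" line per certificate in bundle $1, in file order.
# Names are printed in RFC 2253 form so they compare byte-for-byte.
cert_chain_fields() {
  bundle=$1
  tmp=$(mktemp -d)
  # Split the bundle into one file per BEGIN/END CERTIFICATE block; text
  # between blocks (blank lines, bag attributes) is ignored.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); inblock = 1 }
    inblock { print > out }
    /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
  ' "$bundle"
  if [ -e "$tmp/001.pem" ]; then
    for f in "$tmp"/*.pem; do
      subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
      iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
      printf '%s|%s\n' "$subj" "$iss"
    done
  fi
  rm -rf "$tmp"
}

# Subject of the first block: what a server that only reads the first block
# (as Oren observed with Traffic Router) ends up presenting to clients.
bundle_first_subject() {
  cert_chain_fields "$1" | head -n 1 | cut -d'|' -f1
}

# Return 0 if every block's issuer is the subject of the following block and
# the final block is self-signed (the root); otherwise explain and return 1.
# This checks ordering only; signatures are left to `openssl verify`.
check_chain_order() {
  list=$(mktemp)
  cert_chain_fields "$1" > "$list"
  n=0 expect='' last_subj='' last_iss='' bad=0
  while IFS='|' read -r subj iss; do
    n=$((n + 1))
    if [ -n "$expect" ] && [ "$subj" != "$expect" ]; then
      echo "block $n is '$subj' but block $((n - 1)) was issued by '$expect'" >&2
      bad=1
      break
    fi
    expect=$iss last_subj=$subj last_iss=$iss
  done < "$list"
  rm -f "$list"
  if [ "$n" -eq 0 ]; then
    echo "no certificate blocks found in $1" >&2
    return 1
  fi
  [ "$bad" -eq 0 ] || return 1
  if [ "$last_subj" != "$last_iss" ]; then
    echo "last block '$last_subj' is not self-signed: root CA block missing or misplaced" >&2
    return 1
  fi
  echo "$1: ok ($n blocks, server cert first, root '$last_subj' last)"
}

# Build a throwaway three-tier chain (root CA, intermediate CA, wildcard server
# cert) in directory $1 and write good.pem (leaf, intermediate, root) and
# reversed.pem (root, intermediate, leaf). All names are constructed for the demo.
make_test_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=Demo Root CA' -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # The intermediate must carry basicConstraints CA:TRUE to be a usable issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=Demo Intermediate CA' -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=*.ds.example.test' -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -sha256 -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/int.pem" "$dir/root.pem" > "$dir/good.pem"
  cat "$dir/root.pem" "$dir/int.pem" "$dir/leaf.pem" > "$dir/reversed.pem"
}

# Usage: sh check_chain.sh bundle.pem
# With no argument, generate the demo chain and check a good and a reversed bundle.
if [ $# -ge 1 ]; then
  check_chain_order "$1"
else
  demo=$(mktemp -d)
  make_test_chain "$demo"
  check_chain_order "$demo/good.pem"
  check_chain_order "$demo/reversed.pem" \
    || echo "reversed bundle rejected; first block is '$(bundle_first_subject "$demo/reversed.pem")'"
  rm -rf "$demo"
fi
```

Run it against the exact text you intend to paste into the Traffic Ops certificate field; a bundle that passes here still needs `openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pem` (or the SSL Labs scan Oren mentions) to confirm the signatures, since this script only checks that the blocks are in the order Traffic Ops expects.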