[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287884#comment-14287884 ]

Susan Hinrichs commented on TS-3314:
------------------------------------

The dhparams_file path is calculated relative to the path in 
proxy.config.config_dir.

So where is your certs directory? When I got the relative path wrong in my 
build, I saw the same behavior that you describe.

Try putting an absolute path to your .pem file.  Or try adjusting the relative 
path so it will be correct when combined with the value of your config_dir 
parameter.


> SSL errors after upgrade from 5.1.2 -> 5.2.0
> --------------------------------------------
>
>                 Key: TS-3314
>                 URL: https://issues.apache.org/jira/browse/TS-3314
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: Andre
>            Assignee: Susan Hinrichs
>
> I upgraded my ATS from 5.1.2 to 5.2.0 by keeping all my config files.
> When I start the trafficserver, I do get errors in the diags.log and https 
> sites do not work. Here is an extract of the diags.log:
> {code}
> [Jan 22 15:19:58.381] Server {0x2b42c3b03bc0} NOTE: loading SSL certificate 
> configuration from /opt/trafficserver/etc/trafficserver/ssl_multicert.config
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 57
> [Jan 22 15:19:58.391] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.392] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 58
> [Jan 22 15:19:58.396] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.397] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 59
> [Jan 22 15:19:58.401] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.413] Server {0x2b42c3b03bc0} NOTE: traffic server running
> [Jan 22 15:19:58.494] Server {0x2b42c9547700} NOTE: cache enabled
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: 
> SSL::47566040430336:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: failed to create SSL 
> server session
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: 
> SSL::47566041483008:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 66.249.64.77
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: failed to create SSL 
> server session
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: 
> SSL::47566042535680:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: failed to create SSL 
> server session
> {code}
> Here is what I have in my ssl_multicert.config:
> {code}
> ssl_cert_name=domain1.crt ssl_key_name=domain1.key
> ssl_cert_name=domain2.crt ssl_key_name=domain2.key
> dest_ip=* ssl_cert_name=domain3.crt ssl_key_name=domain3.key
> {code}
> The .crt files contain my certificate and the intermediate certificate; the 
> CA is in the truststore.
> There are 3 possible DH params available in the configured certificate 
> directory: dh512.pem, dh1024.pem and dh2048.pem.
> Why did it work in 5.1.2 and is no longer working in 5.2.0?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
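
The path check suggested in the comment above, as an added example (not code from Traffic Server or from this issue): it resolves the DH parameter file against proxy.config.config_dir and reports whether the result exists and carries the DH PEM label. The record name proxy.config.ssl.server.dhparams_file, the NULL "unset" value, an absolute config_dir and the directory layout in demo() are assumptions.

```python
import os
import tempfile

DH_LABEL = "-----BEGIN DH PARAMETERS-----"  # PEM label OpenSSL writes for DH params

def read_records(text):
    """Parse 'CONFIG <name> <TYPE> <value>' lines of records.config text."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "CONFIG":
            records[parts[1]] = parts[3].strip()
    return records

def check_dhparams(records):
    """Return (resolved_path, status) for the configured DH parameter file."""
    dh = records.get("proxy.config.ssl.server.dhparams_file")  # assumed record name
    if not dh or dh == "NULL":  # assumption: NULL marks an unset string record
        return None, "unset"
    # Assumption: config_dir is an absolute path in this example.
    config_dir = records.get("proxy.config.config_dir", "")
    # os.path.join leaves an absolute dhparams path unchanged.
    path = os.path.normpath(os.path.join(config_dir, dh))
    if not os.path.isfile(path):
        return path, "missing"
    with open(path, errors="replace") as fh:
        if DH_LABEL not in fh.read():
            return path, "not-dh-pem"
    return path, "ok"

def demo():
    """Constructed layout: the DH file sits beside, not inside, config_dir."""
    with tempfile.TemporaryDirectory() as root:
        config_dir = os.path.join(root, "etc", "trafficserver")
        certs = os.path.join(root, "etc", "ssl")
        os.makedirs(config_dir)
        os.makedirs(certs)
        pem = os.path.join(certs, "dh2048.pem")
        with open(pem, "w") as fh:
            fh.write(DH_LABEL + "\n(constructed placeholder body)\n")
        results = {}
        for value in ("ssl/dh2048.pem", "../ssl/dh2048.pem", pem):
            text = (f"CONFIG proxy.config.config_dir STRING {config_dir}\n"
                    f"CONFIG proxy.config.ssl.server.dhparams_file STRING {value}\n")
            results[value] = check_dhparams(read_records(text))[1]
        return results

if __name__ == "__main__":
    print(demo())
```

The label check only confirms that the file is a DH parameter PEM; `openssl dhparam -in <path> -check -noout` validates the parameters themselves.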