smalenfant opened a new issue, #9533:
URL: https://github.com/apache/trafficserver/issues/9533

   I believe the functionality of `proxy.config.ssl.server.multicert.exit_on_load_fail INT 0` has been broken by [9163](https://github.com/apache/trafficserver/pull/9163).
   
   This was working well in 8.1.3 and 9.1.3 where a certificate can't prevent ATS from starting TLS properly.
   
   Here are the logs I can see in 9.2.0:
   
   ```
   [Mar 17 15:17:59.749] traffic_server NOTE: ssl_multicert.config loading ...
   [Mar 17 15:18:02.375] traffic_server ERROR: invalid certificate /opt/trafficserver/etc/trafficserver/ssl/edge_wifi-staging-webview_cdn1_coxlab_net_cert.cer: certificate expired
   [Mar 17 15:18:02.375] traffic_server ERROR: /opt/trafficserver/etc/trafficserver/ssl_multicert.config failed to load
   ```
   
   When attempting to connect to a different endpoint in the remap, I get the following in the diags.log:
   
   ```
   [Mar 17 15:18:02.600] [ET_NET 1] ERROR: SSL::140108205278784:error:0A0000C3:SSL routines::null ssl ctx:ssl/ssl_lib.c:677: peer address is 2001:578:30:9101:68:1:14:151
   [Mar 17 15:18:02.602] [ET_NET 1] ERROR: failed to create SSL server session
   ```
   
   An expired certificate should not prevent ATS from serving HTTPS.
   I have also seen the same case with a certificate "key" file missing.
   
   The odd behavior is that ATS will still work for HTTP, which might fool a monitoring system into thinking that trafficserver is configured properly.
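
For the monitoring gap described above, a log-based check can flag the TLS failure even while plain HTTP probes still succeed. This is an added example, not part of the original issue or of the ATS code base; the patterns are built from the log lines quoted in the issue, and the function names, file paths and address in the sample are constructed.

```python
import re

# Patterns built from the log lines quoted in the issue; other ATS versions
# may word these messages differently (assumption).
LOAD_START = re.compile(r"ssl_multicert\.config loading")
LOAD_FAIL = re.compile(r"ERROR: (\S*ssl_multicert\.config) failed to load")
BAD_CERT = re.compile(r"ERROR: invalid certificate (\S+): (.+)$")
SESSION_FAIL = re.compile(r"failed to create SSL server session")


def scan_diags(lines):
    """Summarise TLS health for the most recent ssl_multicert.config load."""
    report = {"load_failed": False, "bad_certs": [], "session_errors": 0}
    for line in lines:
        if LOAD_START.search(line):
            # New load attempt: discard findings from earlier attempts.
            report = {"load_failed": False, "bad_certs": [], "session_errors": 0}
        elif (m := BAD_CERT.search(line.strip())):
            report["bad_certs"].append((m.group(1), m.group(2)))
        elif LOAD_FAIL.search(line):
            report["load_failed"] = True
        elif SESSION_FAIL.search(line):
            report["session_errors"] += 1
    return report


def tls_alert(report):
    """Return an alert string when the TLS config failed to load, else None."""
    if not report["load_failed"]:
        return None
    certs = ", ".join(f"{path} ({why})" for path, why in report["bad_certs"])
    return (f"ssl_multicert.config failed to load; "
            f"{report['session_errors']} TLS session errors since; "
            f"certificates: {certs or 'none named'}")


# Constructed sample modelled on the issue's log lines (paths and peer shortened).
SAMPLE = """\
[Mar 17 15:17:59.749] traffic_server NOTE: ssl_multicert.config loading ...
[Mar 17 15:18:02.375] traffic_server ERROR: invalid certificate /etc/ats/ssl/example_cert.cer: certificate expired
[Mar 17 15:18:02.375] traffic_server ERROR: /etc/ats/ssl_multicert.config failed to load
[Mar 17 15:18:02.600] [ET_NET 1] ERROR: SSL::1:error:0A0000C3:SSL routines::null ssl ctx:ssl/ssl_lib.c:677: peer address is 2001:db8::1
[Mar 17 15:18:02.602] [ET_NET 1] ERROR: failed to create SSL server session
""".splitlines()

if __name__ == "__main__":
    print(tls_alert(scan_diags(SAMPLE)))
```

Pairing this with an actual TLS handshake probe against each HTTPS endpoint covers the case where the log wording changes.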

