bryancall commented on issue #10684:
URL: 
https://github.com/apache/trafficserver/issues/10684#issuecomment-4828154765

   This is an OpenSSL certificate-parsing error surfaced by Traffic Server 
while it loads ssl_multicert.config, not a defect in Traffic Server itself. The 
OpenSSL messages "no start line" and "Expecting: TRUSTED CERTIFICATE" mean the 
file passed in as the certificate could not be parsed as a valid PEM at the 
expected position. Common causes are a certificate file that is not in PEM 
format (for example binary DER), a file with a byte-order mark, stray 
whitespace, or wrong content (such as a certificate authority bundle placed 
where the server certificate is expected), or a missing or empty file. To 
resolve it, confirm each referenced file begins with a proper "-----BEGIN 
CERTIFICATE-----" line and parses cleanly, for example with "openssl x509 -in 
/path/to/cert.pem -noout -text", and that the server certificate and chain are 
in the certificate file with the private key in the key file. randall asked for 
the ssl_multicert.config to help diagnose and there was no follow-up, and the 
issu
 e has since gone stale. The error-reporting path is unchanged on current 
master in src/iocore/net/SSLUtils.cc, so there is nothing in Traffic Server to 
fix here. I am closing this as a configuration support question. If you can 
still reproduce a load failure with a certificate file that is known-valid PEM, 
please reopen with that file's "openssl x509 ... -text" output and your 
ssl_multicert.config and we will take another look.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to