bryancall commented on issue #10684: URL: https://github.com/apache/trafficserver/issues/10684#issuecomment-4828154765
This is an OpenSSL certificate-parsing error surfaced by Traffic Server while it loads ssl_multicert.config, not a defect in Traffic Server itself. The OpenSSL messages "no start line" and "Expecting: TRUSTED CERTIFICATE" mean the file passed in as the certificate could not be parsed as a valid PEM at the expected position. Common causes are a certificate file that is not in PEM format (for example binary DER), a file with a byte-order mark, stray whitespace, or wrong content (such as a certificate authority bundle placed where the server certificate is expected), or a missing or empty file. To resolve it, confirm each referenced file begins with a proper "-----BEGIN CERTIFICATE-----" line and parses cleanly, for example with "openssl x509 -in /path/to/cert.pem -noout -text", and that the server certificate and chain are in the certificate file with the private key in the key file. randall asked for the ssl_multicert.config to help diagnose and there was no follow-up, and the issu e has since gone stale. The error-reporting path is unchanged on current master in src/iocore/net/SSLUtils.cc, so there is nothing in Traffic Server to fix here. I am closing this as a configuration support question. If you can still reproduce a load failure with a certificate file that is known-valid PEM, please reopen with that file's "openssl x509 ... -text" output and your ssl_multicert.config and we will take another look. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
