Make sure '/opt/ts/etc/ssl/certs/ca.pem' contains the root cert needed
to validate the origin server cert.

Also ensure your origin is sending the server cert and the appropriate
intermediate cert(s).



On Sun, Mar 1, 2020 at 11:03 AM Jeremy Payne <[email protected]> wrote:
>
> Also, using curl (without the insecure option), can you poll the
> origin server directly without receiving a certificate error?
>
>
> On Sun, Mar 1, 2020 at 10:59 AM Jeremy Payne <[email protected]> wrote:
> >
> > If ATS-to-origin cert validation is failing, then you may need to
> > disable server verify (that is, if your company security policy allows).
> >
> > A couple of different approaches:
> >
> > https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html#override-verify-origin-server
> >
> > https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-ssl-client-verify-server-policy
> >
> >
> > Or simply add the root cert to the ATS CA bundle file.
> >
> >
> >
> > On Sun, Mar 1, 2020 at 10:50 AM juergenp[core] <[email protected]> wrote:
> > >
> > > Hello,
> > >
> > >
> > > I run ATS10.
> > >
> > > The origin server has a private IP with an existing DNS entry pointing to
> > > it (I know that's unsafe, but it's a workaround; the split-DNS config is a bit
> > > confusing, because ATS still does round robin on the DNS servers I
> > > entered in /etc/resolve.conf).
> > >
> > > The certificate I have installed is a wildcard certificate.
> > >
> > > Both ATS and the origin server have that certificate installed.
> > >
> > >
> > > This is the error message:
> > >
> > > [Mar  1 17:11:14.243] [ET_NET 8] WARNING: Core server certificate
> > > verification failed for (www.xxx.at). Action=Continue Error=unable to
> > > get local issuer certificate server=w40.xxx.at(10.19.0.40) depth=2
> > >
> > >
> > >
> > >
> > > The remap.config looks like this (I had to use the www mappings because
> > > the redirect parameter is ignored, but that's a different issue):
> > >
> > > #   redirect     http://www.xxx.at/    http://xxx.at/
> > >   #  redirect     https://www.xxx.at/   https://xxx.at/
> > >
> > > #i tried also:
> > >
> > >   #  redirect     http://www.xxx.at/    http://w40.xxx.at/
> > >    # redirect     https://www.xxx.at/   https://w40.xxx.at/
> > >
> > > -------
> > >
> > > map http://www.xxx.at/                http://w40.xxx.at/
> > > ##reverse_map http://w40.xxx.at/            http://www.xxx.at/
> > >
> > > map https://www.xxx.at/          https://w40.xxx.at/
> > > #reverse_map https://w40.xxx.at/          https://www.xxx.at/
> > >
> > >
> > > map http://xxx.at/              http://w40.xxx.at/
> > > reverse_map http://w40.xxx.at/         http://xxx.at/
> > > map https://xxx.at/               https://w40.xxx.at/
> > > reverse_map https://w40.xxx.at/           https://xxx.at/
> > > ------------
> > >
> > >
> > > ssl-multicert.config
> > >
> > > ------------------------
> > >
> > > dest_ip=111.111.111.111 ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> > > dest_ip=* ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> > > -----------------------------------
> > >
> > >
> > >
> > >
> > > splitdns.config
> > >
> > > ----
> > >
> > > dest_domain=xxx.at named=10.19.0.9 def_domain="xxx.at" search_list="xxx.at"
> > > dest_domain=!xxx.at named=10.19.0.201
> > > -----------
> > >
> > >
> > >
> > >

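The two checks suggested in this thread (what chain the origin actually sends, and whether the ATS CA bundle can validate it) can be scripted. The following is an added example, not code from the thread or from Apache Traffic Server; it assumes openssl is installed, and that the origin host, port, the SNI name ATS connects with, and the bundle path are passed as arguments (for the thread's setup: w40.xxx.at 443 www.xxx.at /opt/ts/etc/ssl/certs/ca.pem).

```shell
#!/bin/sh
# Added example, not from the thread: redo the origin-certificate check ATS
# performs. Assumes openssl is installed. Arguments: origin host, port, the
# SNI name ATS connects with, and the ATS CA bundle (ca.pem in the thread).

# Count PEM certificates in the chain text on stdin. 1 means the origin sends
# only its leaf, so every intermediate must already be in the bundle.
count_chain_certs() {
    awk '/BEGIN CERTIFICATE/ { n++ } END { print n + 0 }'
}
# Write the first certificate of chain file $1 to $2 and any others to $3.
split_chain() {
    : > "$2"; : > "$3"
    awk -v leaf="$2" -v rest="$3" '
        /BEGIN CERTIFICATE/ { n++ }
        n == 1 { print > leaf; next }
        n > 1  { print > rest }' "$1"
}
# Capture the chain the origin presents for the SNI name ATS will use.
fetch_chain() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$3" -showcerts 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}
# Print subject and issuer of each sent certificate, in order; the issuer that
# neither the chain nor the bundle supplies is where verification stops.
show_chain() {
    d=$(mktemp -d)
    awk -v d="$d" '/BEGIN CERTIFICATE/ { n++ } { print > (d "/" n ".pem") }' "$1"
    for f in "$d"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '; echo
    done
    rm -rf "$d"
}
# Verify the leaf with the bundle as trust anchors and the rest of the sent
# chain as untrusted intermediates, which is what the proxy-side check does.
verify_against_bundle() {
    bundle=$1; leaf=$(mktemp); rest=$(mktemp)
    split_chain "$2" "$leaf" "$rest"
    if [ -s "$rest" ]; then openssl verify -CAfile "$bundle" -untrusted "$rest" "$leaf"
    else openssl verify -CAfile "$bundle" "$leaf"; fi
    rc=$?; rm -f "$leaf" "$rest"; return $rc
}
# Runs only when given all four arguments, so the file can also be sourced.
if [ $# -eq 4 ]; then
    chain=$(mktemp); fetch_chain "$1" "$2" "$3" > "$chain"
    echo "origin sent $(count_chain_certs < "$chain") certificate(s)"
    show_chain "$chain"; verify_against_bundle "$4" "$chain"; rc=$?
    rm -f "$chain"; exit $rc
fi
```

A non-zero exit with "unable to get local issuer certificate" from the final step means the bundle lacks the issuer of the last certificate printed by show_chain; a count of 1 means the origin is not sending its intermediates.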