Thank you,

If I call the origin server directly from the browser, the cert and the certification path look good - it uses crt.

I converted the crt file I received to pem. Maybe that makes a problem.

I will check that.


Thank you for your help.


Kind regards


Juergen



On 01.03.2020 at 19:24, Jeremy Payne wrote:
Make sure '/opt/ts/etc/ssl/certs/ca.pem' contains the root cert needed
to validate the origin server cert.

Also ensure your origin is sending the server cert and appropriate
intermediate cert(s).



On Sun, Mar 1, 2020 at 11:03 AM Jeremy Payne <[email protected]> wrote:
Also, using curl (without the insecure option), can you poll the
origin server directly without receiving a certificate error?


On Sun, Mar 1, 2020 at 10:59 AM Jeremy Payne <[email protected]> wrote:
If ATS-to-origin cert validation is failing, then you may need to
disable server verify (that's if your company security policy allows).

A couple of different approaches:

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html#override-verify-origin-server

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-ssl-client-verify-server-policy


Or simply add the root cert to the ATS CA bundle file.



On Sun, Mar 1, 2020 at 10:50 AM juergenp[core] <[email protected]> wrote:
Hello,


I run ATS10.

The origin server has a private IP with an existing DNS entry pointing to
it (I know it's unsafe, but it's a workaround: the split-DNS config is a bit
confusing, because ATS still does round robin on the DNS servers I
entered in /etc/resolve.conf).

The certificate I have installed is a wildcard certificate.

Both ATS and the origin server have that certificate installed.


This is the error message:

[Mar  1 17:11:14.243] [ET_NET 8] WARNING: Core server certificate
verification failed for (www.xxx.at). Action=Continue Error=unable to
get local issuer certificate server=w40.xxx.at(10.19.0.40) depth=2




The remap.config looks like this (I had to use the www mappings because
the redirect parameter is ignored, but that's a different issue):

#   redirect     http://www.xxx.at/    http://xxx.at/
#   redirect     https://www.xxx.at/   https://xxx.at/

# I tried also:

#   redirect     http://www.xxx.at/    http://w40.xxx.at/
#   redirect     https://www.xxx.at/   https://w40.xxx.at/

-------

map https://www.xxx.at/          https://w40.xxx.at/
#reverse_map https://w40.xxx.at/ https://www.xxx.at/

map http://www.xxx.at/           http://w40.xxx.at/
##reverse_map http://w40.xxx.at/ http://www.xxx.at/

map http://xxx.at/               http://w40.xxx.at/
reverse_map http://w40.xxx.at/   http://xxx.at/
map https://xxx.at/              https://w40.xxx.at/
reverse_map https://w40.xxx.at/  https://xxx.at/
------------


ssl-multicert.config

------------------------

dest_ip=111.111.111.111 ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
dest_ip=* ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
-----------------------------------




splitdns.config

----

dest_domain=xxx.at named=10.19.0.9 def_domain="xxx.at" search_list="xxx.at"
dest_domain=!xxx.at named=10.19.0.201
-----------
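The two checks Jeremy asks for in the thread above (does ca.pem contain the root, and does the origin send its intermediate) and Juergen's concern about the crt-to-pem conversion can all be reproduced offline. The Go program below is an added example, not code from the thread or from Apache Traffic Server. It constructs a toy root -> intermediate -> wildcard chain with Go's standard crypto/x509 package and then runs the proxy-side verification three ways: complete chain, origin that omits its intermediate, and local CA bundle that lacks the root. The CA names and the serial-number scheme are made up; the hostnames w40.xxx.at and *.xxx.at are taken from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a certificate with the private key that signs its children.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent (nil parent = self-signed root).
// It panics on failure: the chain is a constructed test fixture, not production code.
func issue(cn string, isCA bool, parent *issuer, dnsNames []string) *issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dnsNames,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issuer{cert, key}
}

// buildChain constructs root -> intermediate -> wildcard leaf, shaped like the origin's chain in the thread.
func buildChain() (root, inter, leaf *issuer) {
	root = issue("Toy Root CA", true, nil, nil)
	inter = issue("Toy Intermediate CA", true, root, nil)
	leaf = issue("*.xxx.at", false, inter, []string{"*.xxx.at"})
	return
}

// loadBundle parses every CERTIFICATE block in PEM data into a pool and counts them.
// Raw DER input (an unconverted .crt) contains no PEM block, so it yields an empty pool.
func loadBundle(data []byte) (*x509.CertPool, int) {
	pool, n := x509.NewCertPool(), 0
	for {
		var block *pem.Block
		if block, data = pem.Decode(data); block == nil {
			return pool, n
		}
		if c, err := x509.ParseCertificate(block.Bytes); err == nil && block.Type == "CERTIFICATE" {
			pool.AddCert(c)
			n++
		}
	}
}

// verifyOrigin validates the origin's leaf the way a proxy does: sent holds the extra
// certificates the origin included in its handshake (intermediates), roots is the local
// CA bundle, host is the name the proxy connected to.
func verifyOrigin(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

func main() {
	root, inter, leaf := buildChain()
	bundle, _ := loadBundle(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.cert.Raw}))
	sent := []*x509.Certificate{inter.cert}
	fmt.Println("root in bundle, intermediate sent:", verifyOrigin(leaf.cert, sent, bundle, "w40.xxx.at"))
	fmt.Println("origin omits intermediate:", verifyOrigin(leaf.cert, nil, bundle, "w40.xxx.at"))
	fmt.Println("root missing from bundle:", verifyOrigin(leaf.cert, sent, x509.NewCertPool(), "w40.xxx.at"))
}
```

The first call returns nil; the other two return an x509.UnknownAuthorityError, which is the same condition OpenSSL (and therefore the ATS log above) reports as "unable to get local issuer certificate": the verifier walked up the chain and could not find the next issuer either among the certificates the origin sent or in the local bundle. The depth=2 in the log says it got two certificates up from the leaf before that happened, so the missing piece is the issuer of the topmost certificate the origin sends, which belongs in ca.pem. Feeding loadBundle the raw DER bytes of a certificate (root.cert.Raw) returns an empty pool, which is what an unconverted .crt file would do inside a PEM bundle.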



