Hi,

After creating a DS which supports SSL, and using an official certificate created by GoDaddy (as opposed to a self-signed certificate generated by Ops), we ran into the following issue:

An SSL scan from https://www.ssllabs.com/ssltest, done on tr.<ds-name>.<cdn-domain>, complained about the fact that the server's certificate chain is incomplete. (Do try this tool on your servers; you might find the results interesting.)

I tried pasting the full certificate chain (made from four blocks, each marked with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines) into Ops, but this made the traffic router's situation worse: it consumed the certificate chain with no problem, but now it presents a certificate for GoDaddy, instead of a certificate for *.<ds-name>.<cdn-domain>.

So, I guess that when pasting a certificate for a DS via Ops, it only uses the first block in the chain.

A quick check with the Tomcat documentation shows that in order for it to present a full-chain certificate, two different 'keytool -import' commands should be used, one for the 'root' and another for the 'server' (see https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate). This might explain the problem: given the current Ops GUI, I am entering a chain of certificates in one block of text, using it as if it is a 'server' certificate, instead of breaking it into a 'root' and a 'server' certificate.

So after all this, here is my question: Is there a way to use an externally-created, full-chain certificate in Traffic Ops?

Thanks a lot,
Oren.

-- 
*Oren Shemesh*
Qwilt | Work: +972-72-2221637 | Mobile: +972-50-2281168 | [email protected]
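Added example, not from Oren's mail and not Traffic Ops or Traffic Router code: a pre-paste check for a PEM bundle, written against Go's standard-library x509 package. It reads the CERTIFICATE blocks in the order they appear and reports three things a consumer that honours only the first block makes important: which subject each block carries (so you can see what would be served if only block one is used), whether every block was signed by the one after it (leaf first, root last), and whether the first block verifies for the hostname using only the CA blocks that follow it, which is what a client lacking the intermediate has to do and what the "incomplete chain" finding is about. The chain it builds for itself is constructed: Example Root CA, Example Issuing CA, *.ds.cdn.example and tr.ds.cdn.example are placeholders standing in for the GoDaddy chain, *.<ds-name>.<cdn-domain> and tr.<ds-name>.<cdn-domain>.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainReport is what a pre-paste check should tell you about a PEM bundle.
type ChainReport struct {
	Subjects  []string // subject CN of each CERTIFICATE block, in bundle order
	FirstIsCA bool     // a consumer that honours only the first block would serve a CA cert
	Ordered   bool     // block[i] was signed by block[i+1] for every i (leaf first, root last)
	Complete  bool     // the first block verifies for hostname using only the CA blocks after it
}

// InspectBundle reports whether a bundle is leaf-first, correctly ordered and complete.
func InspectBundle(bundle []byte, hostname string) (ChainReport, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys and other PEM objects are not part of the chain
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return ChainReport{}, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return ChainReport{}, errors.New("no CERTIFICATE blocks in bundle")
	}
	rep := ChainReport{FirstIsCA: certs[0].IsCA, Ordered: true}
	for i, c := range certs {
		rep.Subjects = append(rep.Subjects, c.Subject.CommonName)
		if i+1 < len(certs) && c.CheckSignatureFrom(certs[i+1]) != nil {
			rep.Ordered = false
		}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range certs[1:] { // every block after the first is offered as a CA
		if c.CheckSignatureFrom(c) == nil { // self-signed: the trust anchor
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	// Build the path from the bundle alone, as a client that lacks the intermediate must.
	_, err := certs[0].Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters})
	rep.Complete = err == nil
	return rep, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeChain builds a constructed root -> intermediate -> wildcard leaf chain (placeholder names, not GoDaddy's).
func MakeChain() (leaf, inter, root []byte) {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	sign := func(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		if parent == nil { // no issuer given: self-signed root
			parent, signer = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		check(err)
		c, err := x509.ParseCertificate(der)
		check(err)
		return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	rootCert, rootKey, rootPEM := sign(ca("Example Root CA", 1), nil, nil)
	interCert, interKey, interPEM := sign(ca("Example Issuing CA", 2), rootCert, rootKey)
	_, _, leafPEM := sign(&x509.Certificate{SerialNumber: big.NewInt(3), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		Subject: pkix.Name{CommonName: "*.ds.cdn.example"}, DNSNames: []string{"*.ds.cdn.example"}, // for *.<ds-name>.<cdn-domain>
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, interCert, interKey)
	return leafPEM, interPEM, rootPEM
}

func main() {
	leaf, inter, root := MakeChain()
	for _, b := range [][]byte{leaf, bytes.Join([][]byte{leaf, inter, root}, nil), bytes.Join([][]byte{root, inter, leaf}, nil)} {
		rep, err := InspectBundle(b, "tr.ds.cdn.example") // stands in for tr.<ds-name>.<cdn-domain>
		fmt.Printf("%+v err=%v\n", rep, err)
	}
}
```

Running it prints one report per bundle: the leaf alone is ordered but not complete (the SSL Labs incomplete-chain finding), leaf/intermediate/root is complete, and root-first has FirstIsCA set with the root's subject in position one, which is the shape that makes a first-block-only consumer present the CA's certificate instead of the wildcard one. The checker only describes what the pasted text contains; whether Ops honours more than the first block is the question the mail asks.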
