[
https://issues.apache.org/jira/browse/TS-3376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14315164#comment-14315164
]
Leif Hedstrom commented on TS-3376:
-----------------------------------
Yeah, maybe it's the same? I'm not 100% certain. I don't know why Jira filtered
out my config file, but in my case what happened was that ATS started up in a
"functional" state, it would respond to port 443, but the clients would barf
because the cert chain was not correct. And there was nothing in the logs
indicating that it could not load the cert chain.
I.e. my problem was slightly different than TS-3329, i.e. the cert / key for
the domain exists, but the CA cert chain was not loadable.
If you think it's the same cause / solution, then feel free to close this as
dupe of TS-3329. I think we should fail startup if someone has configured a
missing cert file of any kind.
> Missing cert chain file gives no errors or warnings
> ---------------------------------------------------
>
> Key: TS-3376
> URL: https://issues.apache.org/jira/browse/TS-3376
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Leif Hedstrom
> Assignee: Susan Hinrichs
> Fix For: 5.3.0
>
>
> With an ssl_multicert.config of
> {code}
> {code}
> ATS will start up without any (as far as I could tell) errors, even when the
> cert chain file is completely missing. It just silently accepts the config,
> and brings ATS up in a poor state as far as TLS is concerned.
> IMO, we should at a minimum write some very serious warnings and errors on
> this, but maybe even refuse to startup (or reload) the config if the cert
> chain file is missing. This is serious enough that the server is in a
> non-functional state if it happens.
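A pre-start check for the failure mode reported above, as an added example that is not part of the original message or of the ATS code base: it reads an ssl_multicert.config and reports every referenced cert, key or chain file that is missing or unreadable. It assumes the file-naming keys are `ssl_cert_name`, `ssl_key_name` and `ssl_ca_name`, and that the caller supplies the directory each key is resolved against; `missing_files` and `demo` are hypothetical names, and the config in `demo` is a constructed sample.

```python
import os
import shlex
import tempfile

# Keys assumed to name files on disk in ssl_multicert.config.
FILE_KEYS = ("ssl_cert_name", "ssl_key_name", "ssl_ca_name")


def missing_files(config_text, dirs):
    """Return (line_no, key, path) for each referenced file that is absent
    or unreadable. `dirs` maps each key in FILE_KEYS to its base directory."""
    problems = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for token in shlex.split(line):
            key, sep, value = token.partition("=")
            if not sep or key not in FILE_KEYS:
                continue
            # A value may list several files separated by commas.
            for name in filter(None, value.split(",")):
                # os.path.join keeps an absolute name as-is.
                path = os.path.join(dirs[key], name)
                if not (os.path.isfile(path) and os.access(path, os.R_OK)):
                    problems.append((line_no, key, path))
    return problems


def demo():
    # Constructed sample: cert and key exist, the chain file does not.
    with tempfile.TemporaryDirectory() as d:
        for name in ("example.pem", "example.key"):
            open(os.path.join(d, name), "w").close()
        config = ("# constructed sample\n"
                  "dest_ip=* ssl_cert_name=example.pem "
                  "ssl_key_name=example.key ssl_ca_name=chain.pem\n")
        return missing_files(config, {k: d for k in FILE_KEYS})


if __name__ == "__main__":
    found = demo()
    for line_no, key, path in found:
        print(f"ssl_multicert.config:{line_no}: {key} -> {path} "
              "missing or unreadable")
    raise SystemExit(1 if found else 0)
```

Run against the real config before a start or reload, a non-zero exit gives a deploy script the hard failure that the server itself did not produce.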