Hi Ketan, I'll try to get you the perms I used.

Regards
Anshu Prateek

On Mar 22, 2013 7:29 PM, "Ketan Mehta" <[email protected]> wrote:
> Hi Anshu,
>
> The permissions are the same for cert/key on both the servers.
>
> @marswrk,
>
> I changed the certificate to PEM format with no password and restarted
> Trafficserver and webserver, but still it is not working. I'm not using
> ssl_multicert.config.
>
> [root@webserver ~]# netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:4001            0.0.0.0:*               LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN      26418/httpd
>
> [root@cacheserver trafficserver]# netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22332/traffic_manag
> tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      22332/traffic_manag
> tcp        0      0 127.0.0.1:8084          0.0.0.0:*               LISTEN      22341/traffic_serve
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      22332/traffic_manag
>
> From: [email protected] [mailto:[email protected]]
> Sent: 22 March 2013 02:32
> To: [email protected]
> Subject: Re: Trafficserver and HTTPS (SSL Termination)
>
> I had a problem with my https too. I fixed it by making sure the certificate file
> was in PEM format. Also removed the password that was used to protect the cert.
> Did you restart trafficserver? My first config did not take effect and the
> port was not actually listening yet.
>
> And since it was a work network, I also needed to get the firewall
> permissions updated.
>
> I joined recently; did I miss the ssl_multicert.config post?
> Were there any relevant error messages in the log files?
>
> Sent on the Sprint® Now Network from my BlackBerry®
> ------------------------------
> From: Anshu Prateek <[email protected]>
> Sender: [email protected]
> Date: Thu, 21 Mar 2013 23:08:18 +0530
> To: <[email protected]>
> ReplyTo: [email protected]
> Subject: Re: Trafficserver and HTTPS (SSL Termination)
>
> Had seen this issue a while back; the file permissions of the SSL cert
> files/keys were the main culprit. The file permissions for the certs/keys
> should be the same as how they are under the http server (the read permission
> to all for the key was one of the problems).
>
> regards
> Anshu Prateek
>
> On Thu, Mar 21, 2013 at 8:46 PM, Ketan Mehta <[email protected]> wrote:
>
> Hi All,
>
> I'm trying to build a cache solution using Apache Traffic Server (ATS).
> I'm trying to build a test environment with 2 servers. I have installed
> ATS-3.2 on one of the servers (Cacheserver) and Apache web on the other
> (Webserver).
>
> On Webserver, I have configured two websites, www.web1.com and www.web2.com.
> It is configured to listen on port 4000, 40001 for HTTP requests and 5000,
> 5001 for HTTPS requests. I'm using self-signed certificates for those
> websites.
>
> On Cacheserver, I have configured Traffic Server to listen on port 80
> and 443 for HTTP and HTTPS requests.
>
> Both the websites are working fine when I point the web browser to
> Webserver (HTTP & HTTPS requests), but when I point it to Cacheserver the HTTP
> request works, but HTTPS requests end up with an error.
>
> [root@cacheserver ~]# curl -k -v https://www.web1.com
> * About to connect() to www.web1.com port 443
> *   Trying 172.16.89.32... connected
> * Connected to www.web1.com (172.16.89.32) port 443
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * SSLv2, Client hello (1):
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> * Closing connection #0
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>
> All the certificates and keys are located under etc/trafficserver/ssl on
> Cacheserver. I've copied webserver-cert.crt and webserver-key.key from the
> Webserver.
>
> [root@cacheserver ~]# ls -l /opt/ats/etc/trafficserver/ssl
> -rw-r--r-- 1 root root 6334 Mar 21 14:48 cachesvr-bundle.crt
> -rw-r--r-- 1 root root 6146 Mar 21 14:43 originsvr-bundle.crt
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web1.com.key
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web2.com.key
>
> Below is the configuration of the remap.config and records.config files.
>
> #### Record.config ##########
> CONFIG proxy.config.ssl.number.threads INT 0
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 1
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.server.cipher_suite STRING RC4+RSA:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:!eNULL:!aNULL:!EXP:!LOW:!ADH:!EDH
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
> CONFIG proxy.config.ssl.compression INT 0
> CONFIG proxy.config.ssl.client.certification_level INT 1
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING cachesvr-bundle.crt
> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
> ################################
> # client related configuration #
> ################################
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.cert.filename STRING originsvr-bundle.crt
> CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
> CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver
>
> #### remap.config #####
> map http://www.web1.com http://webserver:4000
> reverse_map http://webserver:4000 http://www.web1.com
> map http://www.web2.com http://webserver:4001
> reverse_map http://webserver:4001 http://www.web2.com
> map https://www.web1.com https://webserver:5000
> reverse_map http://webserver:5000 https://www.web1.com
> map https://www.web2.com https://webserver:5001
> reverse_map https://webserver:5001 https://www.web2.com
>
> What I'm trying to achieve is
>
> Client --Http--> Cache server --Http--> Origin server (http://www.web1.com and http://www.web2.com)
> Client --Https--> Cache server --Https--> Origin server (http://www.web1.com and http://www.web2.com)
>
> But it doesn't work with https. What am I doing wrong here?
>
> Let me know if anything is not clear.
>
> Thanks,
> Ketan
>
>
> Save Paper - do you really need to print this email?
>
> Confidentiality
> The contents of this e-mail is intended for the named addressee only.
> It contains information which may be confidential and which may also be
> legally privileged.
> Unless you are the named addressee (or authorised to receive for the
> addressee) you may not copy or use it, or disclose it to anyone else. If
> you received it in error please notify us immediately and then destroy it.
>
> Viruses
> Although we have taken steps to ensure that this email and attachments are
> free from any virus, we advise that in keeping with good computing practice
> the recipient should ensure they are actually virus free.
>
> Opinions
> Unless expressly stated, opinions in this message are those of the
> individual sender and not of The Rank Group Plc. The Rank Group Plc accepts
> no liability or responsibility for any onward transmission or use of
> e-mails and attachment having left The Rank Group Plc domain.
>
> The Rank Group Plc - Company Registration No. 03140769; Rank Leisure
> Holdings Limited - Company Registration No. 01841255; Rank Group Gaming
> Division Limited - Company Registration No. 03213743; Grosvenor Casinos
> Limited - Company Registration No. 00877080; Mecca Bingo Limited - Company
> Registration No. 01854120; Rank Leisure Limited - Company Registration No.
> 03417930; Rank Limited - Company Registration No. 03211794, all of which
> are registered in England and Wales and have their registered office at:
> Statesman House, Stafferton Way, Maidenhead, SL6 1AY, England.
> ------------------------------
> This email message has been delivered safely by Mimecast.
> For more information please visit http://www.mimecast.com
> ------------------------------
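The replies above converge on four things to verify when a proxy's 443 listener answers a TLS client with "unknown protocol": the certificate and key files are PEM rather than DER, the key carries no passphrase, the key is not world-readable (the -rw-r--r-- in the ls output), and the port the process shows as LISTEN actually speaks TLS once the config has taken effect. The script below is an added example written for this thread; it is not code from the thread or from Apache Traffic Server, and it reads nothing from an ATS install. The PEM samples are constructed header-only placeholders (no real key material), and the "misconfigured listener" is a constructed local socket that answers a TLS ClientHello with plain HTTP, which reproduces the curl failure mode offline. Pointing probe_tls at a real host and port is the scripted equivalent of the `curl -k -v https://...` in the thread.

```python
"""Offline checks for the symptoms discussed in the thread. Added example,
not code from the thread or from Apache Traffic Server."""
import os
import socket
import ssl
import stat
import tempfile
import threading

# Constructed samples: headers only; the body is a placeholder, not key material.
ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                 b"PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
PEM_CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
DER_BLOB = b"\x30\x82\x01\x00" + b"\x00" * 8  # ASN.1 SEQUENCE tag, as a DER file starts


def classify_pem(data: bytes) -> dict:
    """PEM vs DER, and whether a private key is passphrase-protected."""
    info = {"pem": False, "der": False, "private_key": False, "encrypted": False}
    data = data.lstrip()
    if data.startswith(b"-----BEGIN "):
        info["pem"] = True
        header = data.split(b"-----", 2)[1]  # e.g. b"BEGIN RSA PRIVATE KEY"
        info["private_key"] = b"PRIVATE KEY" in header
        # Legacy OpenSSL keys flag encryption via Proc-Type; PKCS#8 via the header.
        info["encrypted"] = (b"Proc-Type: 4,ENCRYPTED" in data
                             or b"BEGIN ENCRYPTED PRIVATE KEY" in header)
    elif data[:1] == b"\x30":
        info["der"] = True  # binary DER: the thread's fix was converting to PEM
    return info


def key_world_readable(path: str) -> bool:
    """True when 'other' has read access, the -rw-r--r-- case from the thread."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH)


def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """'tls' if a handshake completes, 'not-tls' if the peer answers with
    something other than TLS (curl's 'unknown protocol'), 'refused' if nothing
    listens. Verification is off: this is a reachability probe, not a trust check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError:
        return "not-tls"
    except ConnectionRefusedError:
        return "refused"


def start_plaintext_listener() -> tuple:
    """Constructed stand-in for a listener that is up but not terminating TLS:
    reads the ClientHello and replies in plain HTTP. Returns (socket, port)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Run every check against the constructed inputs and return the findings."""
    results = {name: classify_pem(blob) for name, blob in
               (("encrypted_key", ENCRYPTED_KEY), ("plain_key", PLAIN_KEY),
                ("cert", PEM_CERT), ("der", DER_BLOB))}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("www.web1.com.key", 0o644), ("fixed.key", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(PLAIN_KEY)
            os.chmod(path, mode)
            results[name] = key_world_readable(path)
    srv, port = start_plaintext_listener()
    try:
        results["plaintext_listener"] = probe_tls("127.0.0.1", port)
    finally:
        srv.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A key that classifies as encrypted will make an unattended daemon fail at startup or at its first handshake, which is why the thread's first fix was stripping the passphrase; a world-readable key is the permission finding Anshu describes, and a listener that comes back "not-tls" is the state in which the process is bound to 443 but a restart or config reload has not yet made it terminate TLS there.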
