Hi James,
Thanks for the quick reply.
1) This diagnostic tag, where is it to enable this?
There is a 'ssl' diagnostic tag which will log debug information about the
certificate loading and selection processes.
2) Here are the results of the curl command run from a remote server and
locally on the proxy server.
Run from a remote server (BAD)
[root@remote-server ~]# curl -v https://SomeDNSName.abc.xyz.com/
* About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
* Trying xxx.xx.xx.176... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@remote-server ~]# curl -v https://SomeDNSName.abc.xyz.com/
* About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
* Trying xxx.xx.xx.176... connected
* Connected to SomeDNSName.abc.xyz.com (xxx.xx.xx.176) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
___________________
Run from the proxy server itself (BAD)
user@dave-proxy01:/usr/local/etc/trafficserver$ curl -v https://SomeDNSName.abc.xyz.com/
* About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
* Trying xxx.xx.xx.176... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
user@dave-proxy01:/usr/local/etc/trafficserver$ curl -v https://SomeDNSName.abc.xyz.com/
* About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
* Trying xxx.xx.xx.176... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
_______________
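The two curl runs above fail in different ways: from the remote host the connection is refused outright, while on the proxy itself the TCP connect succeeds but the TLS handshake dies with "unknown protocol", which is what OpenSSL reports when the bytes that come back are not a TLS record at all. The quoted Error.log, with its 400 "Invalid HTTP Request" entries and unresolvable garbage hostnames, is the other side of the same picture: a listener parsing binary handshake bytes as an HTTP request line. The script below is an added example written for this thread, not code from the thread or from Apache Traffic Server. It classifies what a port-443 listener actually answers with, models how a plain-HTTP parser mangles a ClientHello into a bogus method and URL, and lints a records.config `server_ports` line. The lint assumes the `PORT:ssl` descriptor syntax of ATS 3.2's records.config, which the thread itself never mentions; the ClientHello sample, the function names and the hostnames are constructed for the example.

```python
import socket
from typing import List, Optional, Tuple


# --- 1. What is the listener speaking? -----------------------------------
def classify_server_bytes(data: bytes) -> str:
    """Classify the first bytes a server returns after a TLS ClientHello.

    A TLS server answers with a handshake record (0x16) or an alert (0x15);
    a plain-HTTP listener, as in the thread's 'unknown protocol' failure,
    answers with an HTTP status line instead.
    """
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


# --- 2. A minimal, deterministic ClientHello (constructed sample) --------
def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record around a caller-supplied 32-byte random."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = b"\x03\x03" + client_random      # client_version, random
    body += b"\x00"                         # session_id length 0
    body += b"\x00\x02\xc0\x2f"             # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                     # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# --- 3. Why Error.log shows 'http://?%?...' --------------------------------
def render_like_log(raw: bytes) -> str:
    """Render bytes the way the quoted Error.log does: printable ASCII kept, anything else '?'."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E else "?" for b in raw)


def misparse_as_http(raw: bytes) -> Optional[Tuple[str, str]]:
    """Simplified model of a plain-HTTP request-line parser being fed a TLS record.

    The parser expects 'METHOD SP target SP version'. The first whitespace byte
    that happens to occur inside the binary ClientHello becomes the separator,
    so handshake bytes end up as the 'URL' (with a host that can never resolve,
    hence the thread's 502 'Cannot find server' entries). With no whitespace at
    all there is no request line, which matches the 400 'Invalid HTTP Request'
    entries. Returns (method, target) as the log would render them, or None.
    """
    parts = raw.split(None, 2)
    if len(parts) < 2:
        return None
    return render_like_log(parts[0]), render_like_log(parts[1])


# --- 4. Config lint -------------------------------------------------------
def lint_server_ports(records_config: str) -> List[str]:
    """Flag server_ports entries on a TLS-looking port that carry no 'ssl' descriptor.

    Assumption (not stated in the thread): ATS 3.2 records.config marks a TLS
    listener as 'PORT:ssl' inside proxy.config.http.server_ports.
    """
    warnings = []
    for line in records_config.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "proxy.config.http.server_ports":
            for entry in fields[3:]:
                port, _, descriptors = entry.partition(":")
                if port in ("443", "8443") and "ssl" not in descriptors.split(":"):
                    warnings.append(f"port {port} has no ':ssl' descriptor; it will serve plain HTTP")
    return warnings


# --- 5. Live probe (needs network; not exercised offline) -------------------
def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first bytes that come back."""
    hello = build_client_hello(bytes(range(0x10, 0x30)))   # fixed random: a diagnostic, not a real session
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        return classify_server_bytes(sock.recv(16))


if __name__ == "__main__":
    record = build_client_hello(bytes(range(0x10, 0x30)))   # constructed sample, 0x20 lands inside the random
    print(classify_server_bytes(record))                     # tls-handshake
    print(misparse_as_http(record))                          # garbage method/target, like the quoted log
    print(lint_server_ports("CONFIG proxy.config.http.server_ports STRING 443"))
```

Run `probe("SomeDNSName.abc.xyz.com")` against a listener you operate: `plaintext-http` means the port answers the handshake with an HTTP error, which is exactly the state that produces both curl's "unknown protocol" and the garbage URLs in Error.log; `tls-handshake` means the listener is at least negotiating TLS and the certificate itself becomes the next thing to check with `curl -v`. Note that the connection-refused result from the remote server is a different symptom again (nothing listening or a filter in the path) and is not something this probe can distinguish from a firewall.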
-----Original Message-----
From: James Peach [mailto:[email protected]]
Sent: Wednesday, June 19, 2013 1:26 PM
To: [email protected]
Subject: Re: Apache Traffic Server ver 3.2.4 https setup failing
On Jun 19, 2013, at 10:18 AM, Dave G Gmail Main <[email protected]> wrote:
> Hi, I installed ATS Version 3.2.4 on Ubuntu version 12
>
> Configured for http like this:
>
> records.config
>
> CONFIG proxy.config.proxy_name STRING proxy01.DomainName.local
>
> CONFIG proxy.config.http.server_ports STRING 80
>
> CONFIG proxy.config.http.connect_ports STRING 443 563
>
> CONFIG proxy.config.reverse_proxy.enabled INT 0
>
> CONFIG proxy.config.url_remap.remap_required INT 0
>
> remap.config
>
> map http://SomeDNSName.abc.xyz.com/
> http://TheRealWebServer.SubDomainName.DomainName.local:8090
>
> start traffic server
>
> Everything works great a get.
>
> I put this in my browser address:
> http://SomeDNSName.abc.xyz.com/
>
> And I get the results I expect.
>
>
>
> But when I configure it to do https, this is when I get errors like “ssl
> connection error” in the browser. But I know my certs and key are good as I
> used them in ATS Version 3.0.4 and they worked fine.
Dave,
This config looks reasonable. There is a 'ssl' diagnostic tag which will log
debug information about the certificate loading and selection processes.
Additionally, 'curl -v' will show you the SSL certificate that is actually
served. Can you post the output of that?
J
>
> Here is my config for https:
>
> records.config
>
> CONFIG proxy.config.proxy_name STRING proxy01.DomainName.local
>
> CONFIG proxy.config.http.server_ports STRING 443
>
> CONFIG proxy.config.http.connect_ports STRING 443 563
>
> CONFIG proxy.config.reverse_proxy.enabled INT 0
>
> CONFIG proxy.config.url_remap.remap_required INT 0
>
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING abc.xyz.com.crt
>
> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
>
> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
>
>
>
> remap.config
>
> map https://SomeDNSName.abc.xyz.com/
> http://TheRealWebServer.SubDomainName.DomainName.local:8090
>
> ssl_multicert.config
>
> dest_ip=* ssl_cert_name=abc.xyz.com.crt ssl_key_name=abc.xyz.com.key
>
> start traffic server
>
> It fails to load the page.
>
> Error.log has these errors
>
> 0130619.12h59m46s BODY_FACTORY: using hardcoded default 'connect#dns_failed'
> body for url 'http://?%?☺7???RE?a?U!????bE???'
> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 502 (Cannot find
> server.) for 'http://?%?☺7???RE?a?U!????bE???'
> 0130619.12h59m46s BODY_FACTORY: using hardcoded default
> 'request#syntax_error' body for url '/'
> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
> Request) for '/'
> 0130619.12h59m46s BODY_FACTORY: using hardcoded default 'connect#dns_failed'
> body for url 'http://??s'
> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 502 (Cannot find
> server.) for 'http://??s'
> 0130619.12h59m49s BODY_FACTORY: using hardcoded default
> 'request#syntax_error' body for url '/'
> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
> Request) for '/'
> 0130619.12h59m49s BODY_FACTORY: using hardcoded default
> 'request#syntax_error' body for url '/'
> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
> Request) for '/'
> 0130619.12h59m49s BODY_FACTORY: using hardcoded default
> 'request#syntax_error' body for url '/'
> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
> Request) for '/'
>
>
>
> Any help would be appreciated.
>
> Let me know if you need more info to help.
>
> Dave