On Jun 19, 2013, at 11:49 AM, Dave G Gmail Main <[email protected]> wrote:

> Hi James,
> Thanks for the quick reply.
>
> 1) This diagnostic tag, where is it to enable this.
>
> There is a 'ssl' diagnostic tag which will log debug information about the
> certificate loading and selection processes.
>
> 2) Here is the curl command run from a remote server and locally on the
> proxy server results.
>
> Run from a remote server(BAD)
>
> [root@remote-server ~]# curl -v https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> * Trying xxx.xx.xx.176... Connection refused
> * couldn't connect to host
> * Closing connection #0
> curl: (7) couldn't connect to host
> [root@remote-server ~]# curl -v https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> * Trying xxx.xx.xx.176... connected
> * Connected to SomeDNSName.abc.xyz.com (xxx.xx.xx.176) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * NSS error -5938

Google seems to think that this is PR_END_OF_FILE_ERROR. This probably means that Traffic Server is disconnecting (crashing). The fastest way to debug this is probably to run traffic_server by hand.

    $ sudo /opt/ats/bin/trafficserver stop
    $ sudo /opt/ats/bin/traffic_server -T ssl

> * Closing connection #0
> * SSL connect error
> curl: (35) SSL connect error
>
> ___________________
>
> run from the proxy server itself(BAD)
>
> user@dave-proxy01:/usr/local/etc/trafficserver$ curl -v
> https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> * Trying xxx.xx.xx.176... connected
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> * Closing connection #0
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> user@dave-proxy01:/usr/local/etc/trafficserver$ curl -v
> https://SomeDNSName.abc.xyz.com/
> * About to connect() to SomeDNSName.abc.xyz.com port 443 (#0)
> * Trying xxx.xx.xx.176... connected
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> * Closing connection #0
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>
> _______________
>
> -----Original Message-----
> From: James Peach [mailto:[email protected]]
> Sent: Wednesday, June 19, 2013 1:26 PM
> To: [email protected]
> Subject: Re: Apache Traffic Server ver 3.2.4 https setup failing
>
> On Jun 19, 2013, at 10:18 AM, Dave G Gmail Main <[email protected]> wrote:
>
>> Hi I installed ATS Version 3.2.4 on Ubuntu version 12
>>
>> Configure for http like this :
>>
>> records.config
>>
>> CONFIG proxy.config.proxy_name STRING proxy01.DomainName.local
>>
>> CONFIG proxy.config.http.server_ports STRING 80
>>
>> CONFIG proxy.config.http.connect_ports STRING 443 563
>>
>> CONFIG proxy.config.reverse_proxy.enabled INT 0
>>
>> CONFIG proxy.config.url_remap.remap_required INT 0
>>
>> remap.config
>>
>> map http://SomeDNSName.abc.xyz.com/
>> http://TheRealWebServer.SubDomainName.DomainName.local:8090
>>
>> start traffic server
>>
>> Everything works great a get.
>>
>> I put this in my browser address:
>> http://SomeDNSName.abc.xyz.com/
>>
>> And I get the results I expect.
>>
>> But when I configure it to do https, this is when I get errors like “ssl
>> connection error” in the browser. But I know my certs and key are good as I
>> used them in ATS Version 3.0.4 and they worked fine.
>
> Dave,
>
> This config looks reasonable. There is a 'ssl' diagnostic tag which will log
> debug information about the certificate loading and selection processes.
>
> Additionally, 'curl -v' will show you the SSL certificate that is actually
> served. Can you post the output of that?
>
> J
>
>>
>> Here is my config for https :
>>
>> records.config
>>
>> CONFIG proxy.config.proxy_name STRING proxy01.DomainName.local
>>
>> CONFIG proxy.config.http.server_ports STRING 443
>>
>> CONFIG proxy.config.http.connect_ports STRING 443 563
>>
>> CONFIG proxy.config.reverse_proxy.enabled INT 0
>>
>> CONFIG proxy.config.url_remap.remap_required INT 0
>>
>> CONFIG proxy.config.ssl.server.cert_chain.filename STRING abc.xyz.com.crt
>>
>> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
>>
>> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
>>
>> remap.config
>>
>> map https://SomeDNSName.abc.xyz.com/
>> http://TheRealWebServer.SubDomainName.DomainName.local:8090
>>
>> ssl_multicert.config
>>
>> dest_ip=* ssl_cert_name=abc.xyz.com.crt ssl_key_name=abc.xyz.com.key
>>
>> start traffic server
>>
>> It fails to load the page.
>>
>> Error.log has these errors
>>
>> 0130619.12h59m46s BODY_FACTORY: using hardcoded default 'connect#dns_failed'
>> body for url 'http://?%?☺7???RE?a?U!????bE???'
>> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 502 (Cannot find
>> server.) for 'http://?%?☺7???RE?a?U!????bE???'
>> 0130619.12h59m46s BODY_FACTORY: using hardcoded default
>> 'request#syntax_error' body for url '/'
>> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
>> Request) for '/'
>> 0130619.12h59m46s BODY_FACTORY: using hardcoded default 'connect#dns_failed'
>> body for url 'http://??s'
>> 0130619.12h59m46s RESPONSE: sent xxx.xxx.xxx.xxx status 502 (Cannot find
>> server.) for 'http://??s'
>> 0130619.12h59m49s BODY_FACTORY: using hardcoded default
>> 'request#syntax_error' body for url '/'
>> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
>> Request) for '/'
>> 0130619.12h59m49s BODY_FACTORY: using hardcoded default
>> 'request#syntax_error' body for url '/'
>> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
>> Request) for '/'
>> 0130619.12h59m49s BODY_FACTORY: using hardcoded default
>> 'request#syntax_error' body for url '/'
>> 0130619.12h59m49s RESPONSE: sent xxx.xxx.xxx.xxx status 400 (Invalid HTTP
>> Request) for '/'
>>
>> Any help would be appreciated.
>>
>> Let me know if you need more info to help.
>>
>> Dave
