Well! With 4.1.1 now real soon to be out, you could directly upgrade to that.
The upgrade procedure is the same: https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v4.0

So long,
i

----- Original Message -----
> So I ran both of those openssl commands and they match up.
> So I think I will try upgrading to 4.0.2. Is there any upgrade path from
> 3.2.0 to 4.0.2?
>
> From: Igor Galić [mailto:[email protected]]
> Sent: Wednesday, October 23, 2013 12:33 PM
> To: [email protected]
> Subject: Re: SSL handshake
>
> Hi Megan,
>
> first, and foremost: "My ATS version is 3.2.0", our current latest stable is
> 4.0.2, and we highly recommend upgrading to that version (we also appreciate
> reports about why you won't or cannot upgrade)
>
> The reason curl is giving you these errors is because SSL isn't actually
> configured properly because:
>
> """ERROR: SSL ERROR: Cannot use server private key file:
> /usr/local/etc/trafficserver/domain2.key"""
>
> These errors have been completely reworked in 4.x (I had to switch to the
> 3.2.x code to even find it), but generally it means we were unable to load
> the certificate, as you're not getting a permission error, and as the path
> exists the only explanation left is that the certificate and the key don't
> match up.
>
> You can verify that with:
>
> openssl x509 -in path-to-certificate -noout -modulus
>
> vs
>
> openssl rsa -in path-to-key -noout -modulus
>
> One final remark: """dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer
> ssl_key_name=domain2.key""", 443 is default, you can leave that out.
>
> That's all from me,
>
> so long,
> i
>
> ----- Original Message -----
> > I am trying to use SSL for both Client/Traffic Server and Traffic
> > Server/Origin Server connections. Every time I try connecting with
> > curl -vvv -k https://domain1.com or a web browser I get the message
> > Success with a 502 error.
> >
> > In the logs it states I get the following errors:
> >
> > ERROR: SSL::2:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> >
> > Also when I restart ATS I get the following error in the logs:
> >
> > ERROR: SSL ERROR: Cannot use server private key file:
> > /usr/local/etc/trafficserver/domain2.key
> >
> > I am certain I am using the right certificate and key for domain 2 and
> > domain 1. And I am sure they are both validated. In fact I setup SSL on
> > the domain2 and tested from the ATS server with
> > curl -vvv -k https://domain2.com and it works. I am using the same
> > certificate and key from this server.
> >
> > Did I setup something incorrectly?
> >
> > Here is my remap.config file settings:
> >
> > Map http://domain1.com:80 http://domain2.com:80
> > map https://domain1.com:443 https://domain2.com:443
> >
> > My ssl_multicert.config
> >
> > dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key
> > dest_ip=ipaddressofdomain1:443 ssl_cert_name=domain1.cer ssl_key_name=domain1.key
> >
> > My records.config
> >
> > CONFIG proxy.config.ssl.enabled INT 1
> > CONFIG proxy.config.ssl.number.threads INT 0
> > CONFIG proxy.config.ssl.SSLv2 INT 0
> > CONFIG proxy.config.ssl.SSLv3 INT 1
> > CONFIG proxy.config.ssl.TLSv1 INT 1
> > CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
> > CONFIG proxy.config.ssl.compression INT 1
> > CONFIG proxy.config.ssl.server_ports ssl:443
> > CONFIG proxy.config.ssl.client.certification_level INT 0
> > CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
> > # CONFIG proxy.config.ssl.server.cert.filename
> > CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
> > CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
> > # CONFIG proxy.config.ssl.server.private_key.filename
> > CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> > CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
> > CONFIG proxy.config.ssl.client.verify.server INT 1
> > # CONFIG proxy.config.ssl.client.cert.filename STRING
> > CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver
> > # CONFIG proxy.config.ssl.client.private_key.filename STRING
> > CONFIG proxy.config.ssl.client.private_key.path STRING /usr/local/etc/trafficserver
> > CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> > CONFIG proxy.config.ssl.client.CA.cert.path etc/trafficserver
> >
> > Each of the certificates and keys have 644 permissions for the same user
> > running traffic_manager/traffic_server
> >
> > My ATS version is 3.2.0
> >
> > Any help with why I am getting these errors would be greatly appreciated.
> >
> > Thanks,
> > Megan
>
> --
> Igor Galić
> Tel: +43 (0) 664 886 22 883
> Mail: [email protected]
> URL: http://brainsware.org/
> GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE

--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: [email protected]
URL: http://brainsware.org/
GPG: 8716 7A9F 989B ABD5 100F 4008 F266 55D6 2998 1641
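
The certificate/key comparison suggested in the thread, applied to every ssl_cert_name/ssl_key_name pair in an ssl_multicert.config, as an added example that is not part of the original messages or of ATS. It goes beyond the RSA modulus check by comparing whole public keys, and it also flags world-readable key files such as the mode 644 keys mentioned above. Assumptions: PEM files, unencrypted keys, names resolved against directories you pass in; the function names and the sample pairs are constructed.

```shell
#!/bin/sh
# Added example (not ATS code): check each ssl_cert_name/ssl_key_name pair in an
# ssl_multicert.config. Assumes PEM files and unencrypted private keys.

# Status 0 = public keys match, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {  # $1 = certificate file, $2 = private key file
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

check_multicert() {  # $1 = ssl_multicert.config, $2 = cert dir, $3 = key dir
  rc=0
  while read -r line; do
    cert='' key=''
    for f in $line; do
      case $f in
        '#'*) break ;;                                   # rest is a comment
        ssl_cert_name=*) cert=${f#ssl_cert_name=} ;;
        ssl_key_name=*)  key=${f#ssl_key_name=} ;;
      esac
    done
    [ -n "$cert" ] && [ -n "$key" ] || continue          # needs both fields
    cert_key_match "$2/$cert" "$3/$key" && st=0 || st=$?
    case $st in
      0) echo "OK $cert $key" ;;
      1) echo "MISMATCH $cert $key"; rc=1 ;;
      *) echo "UNREADABLE $cert $key"; rc=1 ;;
    esac
    # A private key readable by every local user (e.g. mode 644) is flagged too.
    [ -z "$(find "$3/$key" -perm -004 2>/dev/null)" ] || echo "WARN $key is world-readable"
  done < "$1"
  return $rc
}

# Constructed sample: two throwaway pairs; the second line names the wrong key.
make_sample() {  # prints the temp directory holding the sample
  d=$(mktemp -d) || return 1
  for n in domain1 domain2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
      -keyout "$d/$n.key" -out "$d/$n.cer" >/dev/null 2>&1 || return 1
  done
  printf '%s\n' '# constructed sample' \
    'dest_ip=192.0.2.1 ssl_cert_name=domain1.cer ssl_key_name=domain1.key' \
    'dest_ip=192.0.2.2 ssl_cert_name=domain2.cer ssl_key_name=domain1.key' > "$d/ssl_multicert.config"
  echo "$d"
}

[ "${1:-}" != --demo ] || { dir=$(make_sample) && check_multicert "$dir/ssl_multicert.config" "$dir" "$dir"; }
```

Run the script with `--demo` to see it on the constructed pairs, or call `check_multicert` with the real config file and the certificate and key directories from records.config.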
