It worked thanks for the help :)

On 30 June 2017 at 05:30, Reindl Harald <[email protected]> wrote:

> "my origin server has CA signed wild card certificate, so what kind of
> certificate should I install on traffic server (ex:self signed or ca
> signed) and what are the steps to install certificate?"
>
> that is a very strange question
>
> a) if you don't want warnings on the clients self-signed
> is not an option
>
> b) when you already have CA signed ones just put them on the proxy
>
> c) you don't need any certificate at all on the backend - that's what
> TLS-offloading is all about
>
> "what format of the certificate works (.pem or crt or pfx)" - as for
> anything else in the opensource world - PEM - just cat the private key,
> intermediate-certificates and the certificate in a file and use it as it's
> done for httpd, postfix, dovecot and what not....
>
> with the config below you just put our certificates into
> "/etc/trafficserver/ssl/" and list the certs in "ssl_multicert.config"
>
> [root@proxy:~]$ cat /etc/trafficserver/ssl_multicert.config
> # optional 'ssl_ca_name=ca_name.crt' when intermediate-certs are not in the pem-file
> ssl_cert_name=thelounge.net.pem
>
> [root@proxy:~]$ cat /etc/trafficserver/remap.config | grep www.thelounge.net
> map http://www.thelounge.net http://www.thelounge.net
> map https://www.thelounge.net http://www.thelounge.net
>
> [root@proxy:~]$ cat /etc/trafficserver/records.config | grep ssl
> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.TLSv1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:!LOW:!MEDIUM
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
>
>
> On 30.06.2017 at 14:19, $ubbu wrote:
>
>> Hi,
>>
>> We are using apache traffic server for caching http sites for a
>> quite long time, recently we had to cache https sites.
>>
>> I took reference of https://docs.trafficserver.apache.org/en/latest/admin-guide/security/index.en.html
>>
>> But unable to work it out.
>>
>> I have a few questions
>>
>> 1. my origin server has CA signed wild card certificate, so what kind of
>> certificate should I install on traffic server (ex:self signed or ca
>> signed) and what are the steps to install certificate?
>>
>> 2. what format of the certificate works (.pem or crt or pfx)?
>>
>> 3. I have one more link http://www.quobell.nl/blog/apache-traffic-server-ats-as-reverse-proxy-for-outsystems/
>>
>> Which I tried with both self signed and ca signed certificates but I
>> encountered the following error ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>
>> Please help me in this process.
>>
>> Thanks in Advance !!!
>>
>
--
*Regards*
*Subrahmanya Prasad P*
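
The following is an added example, not part of the thread or of the Traffic Server project: a Python check that reads the two files quoted above and reports, for every `ssl_cert_name` entry, whether the PEM bundle exists under `proxy.config.ssl.server.cert.path` and carries a private key, the certificate and intermediates. The function names are hypothetical, `ssl_key_name` is an `ssl_multicert.config` key that does not appear in the thread, and flagging a world-readable key file is this example's own policy.

```python
import os
import re
import stat

# Matches PEM armor headers such as "-----BEGIN CERTIFICATE-----"
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def record_value(records_text, name):
    """Return the value of a 'CONFIG <name> <TYPE> <value>' line, or None."""
    for line in records_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "CONFIG" and parts[1] == name:
            return parts[3].strip()
    return None

def multicert_entries(multicert_text):
    """Parse ssl_multicert.config into one dict of key=value pairs per line."""
    entries = []
    for line in multicert_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            entries.append(dict(kv.split("=", 1) for kv in line.split() if "=" in kv))
    return entries

def audit(records_text, multicert_text):
    """Return (file, finding) tuples for each bundle the proxy is told to load."""
    cert_dir = record_value(records_text, "proxy.config.ssl.server.cert.path") or "."
    problems = []
    for entry in multicert_entries(multicert_text):
        name = entry.get("ssl_cert_name")
        if not name:
            continue
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            problems.append((name, "file not found in cert.path"))
            continue
        with open(path, encoding="ascii", errors="replace") as fh:
            labels = PEM_BEGIN.findall(fh.read())
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        certs = labels.count("CERTIFICATE")
        if certs == 0:
            problems.append((name, "no CERTIFICATE block"))
        elif certs == 1 and "ssl_ca_name" not in entry:
            problems.append((name, "no intermediate certificates and no ssl_ca_name"))
        if not has_key and "ssl_key_name" not in entry:
            problems.append((name, "no private key in bundle and no ssl_key_name"))
        if has_key and os.stat(path).st_mode & stat.S_IROTH:
            problems.append((name, "private key is world-readable"))
    return problems
```

The check is structural only: it does not prove that the key belongs to the certificate or that the chain validates, which still has to be confirmed with a real TLS handshake against the proxy.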
