I'm guessing the CA bundle file you're calling in your ATS configuration does not contain the needed root cert to verify the origin cert.
On Sun, Mar 1, 2020, 1:37 PM juergenp[core] <[email protected]> wrote:
> Thank you,
>
> If I call the origin server directly from the browser, the cert and the
> certification path look good. It uses crt.
>
> I converted the crt file I received to pem. Maybe that makes a problem.
>
> I will check that.
>
> Thank you for your help.
>
> Kind regards
>
> Juergen
>
>
> On 01.03.2020 at 19:24, Jeremy Payne wrote:
> > Make sure '/opt/ts/etc/ssl/certs/ca.pem' contains the root cert needed
> > to validate the origin server cert.
> >
> > Also ensure your origin is sending the server cert and appropriate
> > intermediate cert(s).
> >
> > On Sun, Mar 1, 2020 at 11:03 AM Jeremy Payne <[email protected]> wrote:
> >> Also, using curl (without the insecure option), can you poll the
> >> origin server directly without receiving a certificate error?
> >>
> >> On Sun, Mar 1, 2020 at 10:59 AM Jeremy Payne <[email protected]> wrote:
> >>> If ATS-to-origin cert validation is failing, then you may need to
> >>> disable server verify (that's if your company security policy allows).
> >>>
> >>> A couple of different approaches:
> >>>
> >>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html#override-verify-origin-server
> >>>
> >>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-ssl-client-verify-server-policy
> >>>
> >>> Or simply add the root cert to the ATS CA bundle file.
> >>>
> >>> On Sun, Mar 1, 2020 at 10:50 AM juergenp[core] <[email protected]> wrote:
> >>>> Hello,
> >>>>
> >>>> I run ATS10.
> >>>>
> >>>> The origin server has a private IP with an existing DNS entry pointing to
> >>>> that (I know, unsafe, but it's a work-around; the split-dns config is a bit
> >>>> confusing, because ATS still does round robin on the DNS servers I
> >>>> entered in /etc/resolve.conf).
> >>>>
> >>>> The certificate I have installed is a wildcard certificate.
> >>>> Both ATS and the origin server have that certificate installed.
> >>>>
> >>>> This is the error message:
> >>>>
> >>>> [Mar 1 17:11:14.243] [ET_NET 8] WARNING: Core server certificate
> >>>> verification failed for (www.xxx.at). Action=Continue Error=unable to
> >>>> get local issuer certificate server=w40.xxx.at(10.19.0.40) depth=2
> >>>>
> >>>> The remap.config looks like this (I had to use the www mappings because
> >>>> the redirect parameter is ignored, but that's a different issue):
> >>>>
> >>>> # redirect http://www.xxx.at/ http://xxx.at/
> >>>> # redirect https://www.xxx.at/ https://xxx.at/
> >>>>
> >>>> # I also tried:
> >>>>
> >>>> # redirect http://www.xxx.at/ http://w40.xxx.at/
> >>>> # redirect https://www.xxx.at/ https://w40.xxx.at/
> >>>>
> >>>> -------
> >>>>
> >>>> map http://www.xxx.at/ http://w40.xxx.at/
> >>>> ##reverse_map http://w40.xxx.at/ http://www.xxx.at/
> >>>>
> >>>> map https://www.xxx.at/ https://w40.xxx.at/
> >>>> #reverse_map https://w40.xxx.at/ https://www.xxx.at/
> >>>>
> >>>> map http://xxx.at/ http://w40xxx.at/
> >>>> reverse_map http://w40.xxx.at/ http://xxx.at/
> >>>> map https://xxx.at/ https://w40.xxx.at/
> >>>> reverse_map https://w40.xxx.at/ https://xxx.at/
> >>>> ------------
> >>>>
> >>>> ssl-multicert.config
> >>>> ------------------------
> >>>> dest_ip=111.111.111.111 ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> >>>> dest_ip=* ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> >>>> -----------------------------------
> >>>>
> >>>> splitdns.config
> >>>> ----
> >>>> dest_domain=xxx.at named=10.19.0.9 def_domain="xxx.at" search_list="xxx.at"
> >>>> dest_domain=!xxx.at named=10.19.0.201
> >>>> -----------
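The two checks Jeremy asks for (is the issuing root actually in the ATS CA bundle, and does the origin send its intermediate) can be reproduced offline. The script below is an added example, not code from this thread or from Apache Traffic Server. It assumes only the openssl CLI (1.1.1 or newer), builds a throwaway root -> intermediate -> wildcard leaf, and then runs `openssl verify` the way a TLS client verifies an origin: the leaf against the CA bundle, with whatever intermediates the server presented supplied as untrusted. Both misconfigurations yield the same "unable to get local issuer certificate" text as the WARNING quoted above; only the reported depth differs. `probe_origin` is the live counterpart of the curl test and is not executed here because it needs network access. All CA names and the PKI are invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the ATS project): reproduce the
# "unable to get local issuer certificate" failure with a throwaway
# root -> intermediate -> wildcard-leaf PKI and show the two fixes named in
# the thread (root in the CA bundle; origin sending its intermediate).
# Assumes only the openssl CLI, 1.1.1 or newer. Every name here is made up.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Private req config, so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA written to $WORK/$1.pem with CN=$2.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/req.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Certificate $WORK/$1.pem issued by $WORK/$2.{pem,key}; $3 = CN, $4 = extensions.
issue() {
  printf '%s\n' "$4" > "$WORK/$1.ext"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# root -> inter -> *.example.test, plus an unrelated root that stands in for a
# ca.pem which does not contain the issuing root. Idempotent.
build_chain() {
  [ -f "$WORK/leaf.pem" ] && return 0
  new_root root  "Example Test Root"
  new_root other "Unrelated Root"
  issue inter root "Example Test Intermediate" \
    'basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign'
  issue leaf inter "*.example.test" \
    'basicConstraints=CA:FALSE
subjectAltName=DNS:*.example.test'
}

# verify_result BUNDLE LEAF [INTERMEDIATE...]: what a TLS client does with the
# chain an origin presents. Echoes "OK" or "depth=N <reason>" from openssl's
# first "error N at D depth lookup: ..." line.
verify_result() {
  bundle="$1"; leaf="$2"; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # shellcheck disable=SC2086  # $untrusted is a deliberately word-split option list
  if out="$(openssl verify -CAfile "$bundle" $untrusted "$leaf" 2>&1)"; then
    echo OK
  else
    printf '%s\n' "$out" |
      sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/depth=\1 \2/p' |
      head -n 1
  fi
}

# Live check of a real origin (needs network, not run here). Prints the subject
# and issuer of every certificate the server actually sends and openssl's verify
# result against the given bundle, e.g.:
#   probe_origin w40.xxx.at /opt/ts/etc/ssl/certs/ca.pem
probe_origin() {
  host="$1"; bundle="$2"
  openssl s_client -connect "$host:443" -servername "$host" -showcerts \
    -CAfile "$bundle" </dev/null 2>/dev/null |
    grep -E '^ *[0-9]+ s:|^ *i:|^ *Verify return code'
}

demo() {
  build_chain
  echo "root in bundle, origin sends leaf+intermediate: $(verify_result "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem")"
  echo "bundle lacks the issuing root:                  $(verify_result "$WORK/other.pem" "$WORK/leaf.pem" "$WORK/inter.pem")"
  echo "root in bundle, origin sends only the leaf:     $(verify_result "$WORK/root.pem" "$WORK/leaf.pem")"
}

demo
```

The depth is the useful part of the message: depth=0 means the leaf's own issuer could not be found (the origin sent only its certificate), a higher depth means the origin did send intermediates but the bundle holds no trust anchor for the top of what it sent. Either way the remedy is to put the issuing root into the bundle ATS reads or to make the origin present its full intermediate chain, and to loosen the verify policy only if neither is possible.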
