On Jul 9, 2013, at 12:26 PM, Kris G. Lindgren <[email protected]> wrote:
> Running into an issue with SNI under 3.2.4 - with 100k ssl certs defined in
> ssl_multicert.config with the following format: ssl_cert_name=<cert> Traffic
> server will never start. It looks like it keeps getting killed by
> traffic_cop.

It takes me about a minute to load 100K certificates. Kris, can you please file
a ticket and I'll investigate what we can do about this ...

> I get the following in the traffic.out:
>
> [Jul 9 19:17:22.284] Manager {0x7f6aa283c740} ERROR:
> [LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9:
> Killed
> [Jul 9 19:17:22.284] Manager {0x7f6aa283c740} ERROR: (last system error 2:
> No such file or directory)
> [Jul 9 19:17:22.284] Manager {0x7f6aa283c740} ERROR: [Alarms::signalAlarm]
> Server Process was reset
> [Jul 9 19:17:22.285] Manager {0x7f6aa283c740} ERROR: (last system error 2:
> No such file or directory)
> [Jul 9 19:17:23.291] Manager {0x7f6aa283c740} NOTE:
> [LocalManager::startProxy] Launching ts process
> [TrafficServer] using root directory '/usr'
> [Jul 9 19:17:23.305] Manager {0x7f6aa283c740} NOTE:
> [LocalManager::pollMgmtProcessServer] New process connecting fd '12'
> [Jul 9 19:17:23.305] Manager {0x7f6aa283c740} NOTE: [Alarms::signalAlarm]
> Server Process born
> [Jul 9 19:17:24.316] {0x2b5ae88b1a40} STATUS: opened
> /var/log/trafficserver/diags.log
> [Jul 9 19:17:24.316] {0x2b5ae88b1a40} NOTE: updated diags config
> [Jul 9 19:17:24.322] Server {0x2b5ae88b1a40} NOTE: cache clustering disabled
> [Jul 9 19:17:24.325] Server {0x2b5ae88b1a40} WARNING: no cache disks
> specified in /etc/trafficserver/storage.config: cache disabled
> [Jul 9 19:17:24.341] Server {0x2b5ae88b1a40} NOTE: cache clustering disabled
> [Jul 9 19:17:24.341] Server {0x2b5ae88b1a40} WARNING: unable to open cache
> disk(s): Cache Disabled
> [Jul 9 19:17:42.347] Manager {0x7f6aa283c740} ERROR:
> [LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9:
> Killed
> [Jul 9 19:17:42.347] Manager {0x7f6aa283c740} ERROR: (last system error 2:
> No such file or directory)
> [Jul 9 19:17:42.347] Manager {0x7f6aa283c740} ERROR: [Alarms::signalAlarm]
> Server Process was reset
> [Jul 9 19:17:42.347] Manager {0x7f6aa283c740} ERROR: (last system error 2:
> No such file or directory)
> [Jul 9 19:17:43.361] Manager {0x7f6aa283c740} NOTE:
> [LocalManager::startProxy] Launching ts process
>
> I would like to be able to reach 500k ssl certs defined.
>
> Script to create the ssl certs is below. (It's going to take a few hours for
> the script to run.)
>
> #!/bin/bash
>
> # Generate the SSL certs: one self-signed cert and key per hostname
> mkdir -p fullpem
> for ((i=0 ; i < 100001 ; i++));
> do
>   openssl genrsa -out test$i.key 2048
>   openssl req -new -key test$i.key -out test$i.csr \
>     -subj "/C=US/ST=Arizona/L=Norm/O=Godaddy/OU=Norm/CN=onehundredthousand$i.com"
>   openssl x509 -req -days 365 -in test$i.csr -signkey test$i.key \
>     -out test$i.crt
>   # Combine cert and key into one PEM file and record its name
>   cat test$i.crt test$i.key > fullpem/onehundredthousand$i.pem
>   echo "onehundredthousand$i.pem" >> certs
>   rm -rf test$i.*
> done
>
>
> # Create ssl_multicert.config - to test non-SNI, uncomment the
> # commented lines below
> #s=240
> #t=0
> #f=1
> #number=100000
>
> asdf=$( cat certs)
> for i in $asdf
> do
> # if [ $f -eq 255 ]
> # then
> # f=1
> # t=$((t+1))
> # fi
> # if [ $t -eq 255 ]
> # then
> # t=0
> # s=$((s+1))
> # fi
> # echo "dest_ip=10.$s.$t.$f ssl_cert_name=$i" >> ssl_multicert.config
>   echo "ssl_cert_name=$i" >> ssl_multicert.config
> # ip addr add dev lo 10.$s.$t.$f/255.255.255.255 > /dev/null 2>&1
> # f=$((f+1))
> done
> cp ssl_multicert.config /etc/trafficserver/ssl_multicert.config
>
> ____________________________________________
>
> Kris Lindgren
> Senior Linux Systems Engineer
> GoDaddy, LLC.
> (480) 505-8800 X7111
> Email: [email protected]
>
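
One way to confirm the restart loop from traffic.out, as an added example that is not part of the original thread or of Traffic Server: it pairs each "Launching ts process" entry with the next "terminated due to Sig N" entry and reports how long traffic_server stayed up. The function names and the sample (constructed from the log lines quoted above) are assumptions of this sketch, and it assumes all entries fall within one calendar year, since the log timestamps carry no year.

```python
import re
from datetime import datetime
# Constructed sample: Manager entries from the excerpt above, e-mail wrapping kept.
SAMPLE = """\
[Jul 9 19:17:22.284] Manager {0x7f6aa283c740} ERROR:
[LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9:
Killed
[Jul 9 19:17:23.291] Manager {0x7f6aa283c740} NOTE:
[LocalManager::startProxy] Launching ts process
[Jul 9 19:17:42.347] Manager {0x7f6aa283c740} ERROR:
[LocalManager::pollMgmtProcessServer] Server Process terminated due to Sig 9:
Killed
"""
STAMP = re.compile(r"^\[(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3})\]")
SIGNAL = re.compile(r"terminated due to Sig (\d+)")

def entries(text):
    """Yield (timestamp, message), re-joining wrapped continuation lines."""
    stamp, parts = None, []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate e-mail quote markers
        m = STAMP.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(parts)
            stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
            parts = [line[m.end():].strip()]
        elif stamp is not None and line:
            parts.append(line)
    if stamp is not None:
        yield stamp, " ".join(parts)

def server_lifetimes(text):
    """Return [(seconds_alive, signal)] for each launch that ended in a signal."""
    launched, out = None, []
    for stamp, msg in entries(text):
        killed = SIGNAL.search(msg)
        if "Launching ts process" in msg:
            launched = stamp
        elif killed and launched is not None:
            alive = round((stamp - launched).total_seconds(), 3)
            out.append((alive, int(killed.group(1))))
            launched = None
    return out

def restart_loop(text, load_seconds):
    """True when every launch was SIGKILLed before load_seconds of uptime."""
    lives = server_lifetimes(text)
    return bool(lives) and all(s == 9 and t < load_seconds for t, s in lives)
```

For the excerpt above, `server_lifetimes` gives a single 19.056-second run ended by signal 9, well short of the roughly one minute the reply reports for loading 100K certificates.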