If ATS to origin cert validation is failing, then you may need to
disable server verify (that's if your company security policy allows).

A couple of different approaches:

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html#override-verify-origin-server

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-ssl-client-verify-server-policy


Or simply add the root cert to the ATS CA bundle file.



On Sun, Mar 1, 2020 at 10:50 AM juergenp[core] <juerg...@core.at> wrote:
>
> Hello,
>
>
> I run ATS10
>
> The origin server has a private IP with an existing DNS entry pointing to
> that (I know, unsafe - but it's a work-around - split-dns config is a bit
> confusing, because ATS still does round robin on the dns-servers I
> entered in /etc/resolve.conf)
>
> The certificate I have installed is a wildcard-certificate.
>
> Both, ATS and the origin server, have that certificate installed.
>
>
> this is the error-message:
>
> [Mar  1 17:11:14.243] [ET_NET 8] WARNING: Core server certificate
> verification failed for (www.xxx.at). Action=Continue Error=unable to
> get local issuer certificate server=w40.xxx.at(10.19.0.40) depth=2
>
>
>
>
> The remap.config looks like this: (I had to use the www-mappings because
> the redirect parameter is ignored - but that's a different issue)
>
> #   redirect     http://www.xxx.at/    http://xxx.at/
>   #  redirect     https://www.xxx.at/   https://xxx.at/
>
> #i tried also:
>
>   #  redirect     http://www.xxx.at/    http://w40.xxx.at/
>    # redirect     https://www.xxx.at/   https://w40.xxx.at/
>
> -------
>
> map http://www.xxx.at/                http://w40.xxx.at/
> ##reverse_map http://w40.xxx.at/            http://www.xxx.at/
>
> map https://www.xxx.at/          https://w40.xxx.at/
> #reverse_map https://w40.xxx.at/          https://www.xxx.at/
>
>
> map http://xxx.at/              http://w40xxx.at/
> reverse_map http://w40.xxx.at/         http://xxx.at/
> map https://xxx.at/               https://w40.xxx.at/
> reverse_map https://w40.xxx.at/           https://xxx.at/
> ------------
>
>
> ssl-multicert.config
>
> ------------------------
>
> dest_ip=111.111.111.111 ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem
> ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem
> ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> dest_ip=* ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem
> ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem
> ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> -----------------------------------
>
>
>
>
> splitdns.config
>
> ----
>
> dest_domain=xxx.at named=10.19.0.9 def_domain="xxx.at" search_list="xxx.at"
> dest_domain=!xxx.at named=10.19.0.201
> -----------
>
>
>
>

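An added example, not part of either e-mail: the script below reproduces the "unable to get local issuer certificate" result with `openssl verify` against a CA bundle that lacks the issuing root, then shows verification succeeding once the root is appended to the bundle, which is the last option in the reply. Every key, certificate and name in it (Demo Root CA, origin.example.test, `bundle_before.pem`, `bundle_after.pem`) is constructed for the demo, and because the constructed chain is shorter than the one in the thread the error is reported at depth 1 rather than depth 2.

```bash
#!/usr/bin/env bash
# Constructed demo: all keys, certificates and names are generated locally.
set -eu

mk_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {  # $1 = work dir: root -> intermediate -> leaf, plus an unrelated CA
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  mk_csr "$d/root" "Demo Root CA"
  mk_csr "$d/int" "Demo Intermediate CA"
  mk_csr "$d/leaf" "origin.example.test"
  mk_csr "$d/other" "Unrelated CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/other.csr" -signkey "$d/other.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/other.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # Trust bundle without the Demo Root CA, and the same bundle with it appended.
  cp "$d/other.pem" "$d/bundle_before.pem"
  cat "$d/other.pem" "$d/root.pem" > "$d/bundle_after.pem"
}

# $1 = work dir, $2 = trusted CA bundle. The intermediate is passed as
# -untrusted, i.e. as a certificate the origin sends in its handshake.
verify_origin() {
  openssl verify -CAfile "$2" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 || true
}

demo() {
  local d; d=$(mktemp -d)
  build_pki "$d"
  echo "before: $(verify_origin "$d" "$d/bundle_before.pem" | grep 'error 20')"
  echo "after:  $(verify_origin "$d" "$d/bundle_after.pem")"
  rm -rf "$d"
}
demo
```

On a real proxy the bundle being checked is the file named by `proxy.config.ssl.client.CA.cert.filename`, and the same `openssl verify` call against that file shows whether the origin's chain terminates in a certificate ATS trusts.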