Also, using curl (without the insecure option), can you poll the
origin server directly without receiving a certificate error?


On Sun, Mar 1, 2020 at 10:59 AM Jeremy Payne <jp557...@gmail.com> wrote:
>
> If ATS-to-origin cert validation is failing, then you may need to
> disable server verify (that's if your company security policy allows).
>
> A couple of different approaches:
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html#override-verify-origin-server
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-ssl-client-verify-server-policy
>
>
> Or simply add the root cert to the ATS CA bundle file.
>
>
>
> On Sun, Mar 1, 2020 at 10:50 AM juergenp[core] <juerg...@core.at> wrote:
> >
> > Hello,
> >
> >
> > I run ATS10.
> >
> > The origin server has a private IP with an existing DNS entry pointing to
> > it (I know, unsafe, but it's a work-around; the split-DNS config is a bit
> > confusing, because ATS still does round robin on the DNS servers I
> > entered in /etc/resolve.conf).
> >
> > The certificate I have installed is a wildcard certificate.
> >
> > Both ATS and the origin server have that certificate installed.
> >
> >
> > This is the error message:
> >
> > [Mar  1 17:11:14.243] [ET_NET 8] WARNING: Core server certificate
> > verification failed for (www.xxx.at). Action=Continue Error=unable to
> > get local issuer certificate server=w40.xxx.at(10.19.0.40) depth=2
> >
> >
> >
> >
> > The remap.config looks like this (I had to use the www mappings because
> > the redirect parameter is ignored, but that's a different issue):
> >
> > #   redirect     http://www.xxx.at/    http://xxx.at/
> >   #  redirect     https://www.xxx.at/   https://xxx.at/
> >
> > #i tried also:
> >
> >   #  redirect     http://www.xxx.at/    http://w40.xxx.at/
> >    # redirect     https://www.xxx.at/   https://w40.xxx.at/
> >
> > -------
> >
> > map http://www.xxx.at/                http://w40.xxx.at/
> > ##reverse_map http://w40.xxx.at/            http://www.xxx.at/
> >
> > map https://www.xxx.at/          https://w40.xxx.at/
> > #reverse_map https://w40.xxx.at/          https://www.xxx.at/
> >
> >
> > map http://xxx.at/              http://w40xxx.at/
> > reverse_map http://w40.xxx.at/         http://xxx.at/
> > map https://xxx.at/               https://w40.xxx.at/
> > reverse_map https://w40.xxx.at/           https://xxx.at/
> > ------------
> >
> >
> > ssl-multicert.config
> >
> > ------------------------
> >
> > dest_ip=111.111.111.111 ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem
> > ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem
> > ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> > dest_ip=* ssl_cert_name=/opt/ts/etc/ssl/certs/xxx.pem
> > ssl_key_name=/opt/ts/etc/ssl/keys/xxx.private.pem
> > ssl_ca_name=/opt/ts/etc/ssl/certs/ca.pem
> > -----------------------------------
> >
> >
> >
> >
> > splitdns.config
> >
> > ----
> >
> > dest_domain=xxx.at named=10.19.0.9 def_domain="xxx.at" search_list="xxx.at"
> > dest_domain=!xxx.at named=10.19.0.201
> > -----------
> >
> >
> >
> >
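
The "unable to get local issuer certificate ... depth=2" warning and the CA-bundle fix suggested in the reply, reproduced offline as an added example that is not part of the thread. It assumes the origin sends two intermediates and that the proxy's CA bundle lacks the root; every name, path and certificate below is constructed, and the `openssl` CLI is required.

```shell
#!/bin/sh
# Added example: throwaway PKI built in a temp dir; nothing here comes from the thread.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF

# Two self-signed roots: "root" anchors the origin's chain, "other" stands in
# for whatever the proxy's CA bundle already contains.
for ca in root other; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed $ca CA" \
    -keyout "$d/$ca.key" -out "$d/$ca.pem" -config "$d/x.cnf" -extensions ca 2>/dev/null
done

issue() {  # issue <name> <CN> <issuer> <extension section>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$d/x.cnf" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" -CAcreateserial \
    -days 1 -extfile "$d/x.cnf" -extensions "$4" -out "$d/$1.pem" 2>/dev/null
}
issue ica2 "constructed intermediate 2" root ca   # depth 2
issue ica1 "constructed intermediate 1" ica2 ca   # depth 1
issue leaf "*.example.test" ica1 leaf             # depth 0, wildcard leaf

cat "$d/ica1.pem" "$d/ica2.pem" > "$d/sent.pem"           # intermediates the origin sends
cp "$d/other.pem" "$d/bundle-before.pem"                   # bundle without the origin's root
cat "$d/other.pem" "$d/root.pem" > "$d/bundle-after.pem"   # root appended to the bundle

verify_origin() {  # verify_origin <ca bundle>: prints openssl's verdict for the leaf
  openssl verify -CAfile "$1" -untrusted "$d/sent.pem" "$d/leaf.pem" 2>&1
}
echo "before:"; verify_origin "$d/bundle-before.pem" || true
echo "after:";  verify_origin "$d/bundle-after.pem"  || true
```

Against a live origin, the equivalent check is the curl test asked about at the top of the thread, pointed at the same bundle with `--cacert`.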
