Using Railgun with Origin CA Certificates
When using Railgun together with Origin CA certificates, you will need to take additional steps to avoid service impact for the HTTPS requests the listener sends to the site's origin (where the Origin CA certificates are installed). The reason is that the default trust store shipped with the Railgun Listener is a copy of the public root certificates that NSS/Mozilla trusts, and the Cloudflare Origin CA root is not a public root: it is trusted by Cloudflare's edge, not by browsers and not by the stock bundle on the listener.
This means that when Full SSL (Strict) is enabled in the dashboard while Railgun is enabled, the listener no longer considers an origin presenting an Origin CA certificate trustworthy, and the origin requests it proxies fail.
Here is an example of the error the listener logs when validate.cert = 1, the origin presents an Origin CA leaf, and the Origin CA root certificates are not in the Railgun trust store specified by ca.bundle:
rg-listener: [2a074d8b36f00000-ATL] www.example.com origin request failed 220.127.116.11:443 to %!!(MISSING)s(MISSING): x509: certificate signed by unknown authority
There are two options available to avoid these errors:
- Set validate.cert = 0 in railgun.conf. This turns off certificate validation for the listener-to-origin connection entirely, so the listener will accept any certificate on that hop, including one presented by a machine in the path that is not your origin; only choose this if you accept that trade-off.
- Add the Origin CA root certificates to the trust store specified by the ca.bundle parameter in railgun.conf. This can be done by simply appending these root certificates to the end of the file using a text editor. This option keeps strict validation working and is the one to prefer.
The stock railgun.conf defines the listener's trust store as ca.bundle = /etc/ssl/railgun-ca-certs.crt (on Debian/Ubuntu). Restart the listener after editing the bundle so the change takes effect, then confirm that the origin request failures above stop appearing in the log.
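The trust-store behaviour described above, as an added example in Go (the listener's error is Go's crypto/x509 error) that is not Railgun's own code: it builds a constructed public root, a constructed stand-in for the Origin CA root and a leaf issued from that root, then verifies the leaf the way a listener with validate.cert = 1 does, first against a bundle holding only the public root and then against the same bundle with the origin root appended. All certificate names, the bundle contents and the function names are constructed for the example; none of them is a real Cloudflare certificate or a real Railgun interface.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl signed by parent
// (self-signed when parent is nil); returns the certificate, its key and its PEM.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// caTemplate is a self-signed CA template. The names used with it are constructed
// stand-ins for a public root and for the Origin CA root, not real Cloudflare certificates.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// verifyWithBundle does what a listener with validate.cert = 1 does: the PEM bundle
// named by ca.bundle is the only set of trusted roots, and the origin's leaf is verified for host.
func verifyWithBundle(bundle []byte, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return errors.New("ca.bundle contains no parseable PEM certificates")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is Go's "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool { return errors.As(err, new(x509.UnknownAuthorityError)) }

// runScenario verifies an origin leaf issued from the constructed Origin CA root, first against
// a bundle holding only the public root (the stock trust store) and then against the same bundle
// with the origin root appended, which is exactly what editing ca.bundle achieves.
func runScenario(host string) (before, after error, err error) {
	_, _, publicPEM, err := issue(caTemplate("Constructed Public Root", 1), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	originRoot, originKey, originPEM, err := issue(caTemplate("Constructed Origin CA Root", 2), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, _, err := issue(leafTmpl, originRoot, originKey)
	if err != nil {
		return nil, nil, err
	}
	before = verifyWithBundle(publicPEM, leaf, host)
	// Appending is all the fix needs: the bundle is a plain concatenation of PEM blocks.
	fixed := append(append([]byte{}, publicPEM...), originPEM...)
	after = verifyWithBundle(fixed, leaf, host)
	return before, after, nil
}

func main() {
	before, after, err := runScenario("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("stock ca.bundle:", before)
	fmt.Println("ca.bundle + Origin CA root:", after)
}
```

Run as-is, the first line prints the same "x509: certificate signed by unknown authority" the listener logs, and the second prints <nil>. Note that verifyWithBundle treats the bundle as the only trust anchors, the same as the listener does with ca.bundle; it never falls back to the system store, which is why a root that is missing from that one file is enough to break every origin request.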