Mailing List Archive

using varnish4 for HTTPS wordpress site
Hi

I was using varnish-cache (open source) for my WordPress website. It was
running well when it's on HTTP only, but when I turn it to HTTPS it's giving
me an error message when testing status using a plugin in WordPress, i.e. *Varnish
HTTP Purge*
Error: This request cannot be performed: cURL error 60: Issuer certificate
is invalid.

please check the screenshot also.
[image: Inline image 1]

Currently the flow is like this:
client--> HTTPS request--> AWS load balancer --> Varnish--> apache2.

We are using self-signed certs for backend authentication settings in the
AWS load balancer, and using Amazon-provided CA certs (using Certificate
Manager).

Note: Is this possible in varnish-cache software (open source), or do we
have to buy varnish-cache plus software (paid version), or do we have to buy
CA certs for that domain?

Kindly guide us.


Thanks and Regards

Navneet Kashyap
Sr. System Administrator - Webner Solutions Pvt. Ltd.
Web - www.webnersolutions.com <http://www.webners.com/>
Re: using varnish4 for HTTPS wordpress site
Hi,
this is totally unrelated to varnish. If you want to achieve purging, you
can safely stay http and purge locally (if you are using a load balancer in
front of your delivery, you either have just one varnish - hence purge
locally - or your purges are inconsistently distributed among all your
caches).

Bye

On Fri, 3 Nov 2017 at 08:31 Navneet Kashyap <navneet.kashyap@webners.com>
wrote:

> Hi
>
> I was using varnish-cache (open source) for my WordPress website. It was
> running well when it's on HTTP only, but when I turn it to HTTPS it's giving
> me an error message when testing status using a plugin in WordPress, i.e. *Varnish
> HTTP Purge*
> Error: This request cannot be performed: cURL error 60: Issuer certificate
> is invalid.
>
> please check the screenshot also.
> [image: Inline image 1]
>
> Currently the flow is like this:
> client--> HTTPS request--> AWS load balancer --> Varnish--> apache2.
>
> We are using self-signed certs for backend authentication settings in the
> AWS load balancer, and using Amazon-provided CA certs (using Certificate
> Manager).
>
> Note: Is this possible in varnish-cache software (open source), or do we
> have to buy varnish-cache plus software (paid version), or do we have to buy
> CA certs for that domain?
>
> Kindly guide us.
>
>
> Thanks and Regards
>
> Navneet Kashyap
> Sr. System Administrator - Webner Solutions Pvt. Ltd.
> Web - www.webnersolutions.com <http://www.webners.com/>
Re: using varnish4 for HTTPS wordpress site
To answer the HTTPS question, client-side HTTPS is easily done using hitch
(hitch-tls.org); for the backend side, you would need Varnish Plus.

But you are saying Amazon provides the certificates, so my guess is that
the LB does the termination and requests arrive unencrypted to Varnish.

For the curl error, does the host used match the certificate?

--
Guillaume Quintard

On Fri, Nov 3, 2017 at 9:18 AM, Luca Gervasi <luca.gervasi@gmail.com> wrote:

> Hi,
> this is totally unrelated to varnish. If you want to achieve purging, you
> can safely stay http and purge locally (if you are using a load balancer in
> front of your delivery, you either have just one varnish - hence purge
> locally - or your purges are inconsistently distributed among all your
> caches).
>
> Bye
Re: using varnish4 for HTTPS wordpress site
Hi,

I had a similar issue using the wordpress-varnish plugin and our large multi-site install. I had to completely re-write the code to use curl as opposed to fsockopen, but for the certificate issue I used the curl option to ignore certificate errors. You may be able to simply add a line to the plugin code. We were able to do this since we had security in place that wouldn’t allow BAN from any other systems.

Jason

> On Nov 3, 2017, at 4:28 AM, Guillaume Quintard <guillaume@varnish-software.com> wrote:
>
> To answer the HTTPS question, client-side HTTPS is easily done using hitch (hitch-tls.org <http://hitch-tls.org/>), for the backend-side, you would need Varnish Plus.
>
> But you are saying Amazon provides the certificates, so my guess is that the LB does the termination and requests arrive unencrypted to Varnish.
>
> For the curl error, does the host used match the certificate?
>
> --
> Guillaume Quintard
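
An added example, not part of the thread or of any plugin's code, of the two approaches discussed in the replies above: purging locally over plain HTTP, and, where the purge has to go over HTTPS, keeping certificate verification on with an explicit CA bundle rather than ignoring certificate errors. The function names, the listener address 127.0.0.1:6081, the example.com URL and the CA bundle path are assumptions, as is a VCL that accepts PURGE from the local host.

```php
<?php
// Added example, not the plugin's code. Hypothetical/assumed: function names,
// the Varnish listener address, the example.com URL and the CA bundle path.
const VARNISH_LOCAL = 'http://127.0.0.1:6081';

// Send the prepared request as PURGE and report the HTTP status and cURL error.
function send_purge($ch): array
{
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => 'PURGE',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    curl_exec($ch);
    return [
        'http_code' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'errno'     => curl_errno($ch),   // 60 = certificate could not be verified
        'error'     => curl_error($ch),
    ];
}

// Purge locally over plain HTTP: connect to the Varnish listener directly and
// carry the public hostname in the Host header. No TLS, so no cURL error 60.
function purge_local(string $public_url): array
{
    $u    = parse_url($public_url);
    $path = ($u['path'] ?? '/') . (isset($u['query']) ? '?' . $u['query'] : '');
    $ch   = curl_init(VARNISH_LOCAL . $path);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Host: ' . $u['host']]);
    return send_purge($ch);
}

// Purge through the HTTPS endpoint with verification left on, trusting only
// the given CA bundle (e.g. the self-signed issuer) instead of ignoring errors.
function purge_https(string $public_url, string $ca_bundle): array
{
    $ch = curl_init($public_url);
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $ca_bundle,
    ]);
    return send_purge($ch);
}

print_r(purge_local('https://www.example.com/sample-post/'));
```

With more than one Varnish behind the load balancer, `purge_local()` has to run against each cache's own address, since a purge sent through the balancer reaches only one of them.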