[squid-users] ssl proxy error: No valid signing SSL certificate configured for https_port [::]:3127

Alan Palmer alanpalmer72 at yahoo.com
Mon Feb 16 16:16:21 UTC 2015


Tried the two links provided, still no luck.

details:
squid -v
Squid Cache: Version 3.4.11
configure options:  '--disable-strict-error-checking' 
'--disable-arch-native' '--enable-shared' 
'--datadir=/usr/local/share/squid' 
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules' 
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools' 
'--enable-follow-x-forwarded-for' '--enable-forw-via-db' 
'--enable-http-violations' '--enable-icap-client' '--enable-ipv6' 
'--enable-referer-log' '--enable-removal-policies=lru heap' 
'--enable-ssl' '--with-openssl' '--enable-storeio=aufs ufs diskd' 
'--with-default-user=_squid' '--with-filedescriptors=8192' 
'--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid' 
'--with-pthreads' '--with-swapdir=/var/squid/cache' 
'--disable-pf-transparent' '--enable-ipfw-transparent' 
'--enable-external-acl-helpers=LDAP_group SQL_session file_userip 
time_quota session  unix_group wbinfo_group LDAP_group 
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid' 
'--mandir=/usr/local/man' '--infodir=/usr/local/info' 
'--localstatedir=/var/squid' '--disable-silent-rules' 'CC=cc' 
'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib' 
'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe' 
'--enable-ssl-crtd' --enable-ltdl-convenience

tail -10 squid.conf
https_port 3127 intercept ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/server1.crt
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s 
/usr/local/squid/var/lib/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump server-first all

cert generation
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 730 -in server.csr -signkey server.key
openssl x509 -req -days 730 -in server.csr -signkey server.key -out 
server.crt
cat server.key server.crt > server1.crt

squid -z
FATAL: No valid signing SSL certificate configured for https_port 
0.0.0.0:3127
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.060 user + 0.020 sys
Maximum Resident Size: 6752 KB
Page faults with physical i/o: 0

cert generation ala 
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP (squid.conf 
changed to cert=/etc/squid/ssl_cert/myCA.pem)

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout 
myCA.pem -out myCA.pem

squid -z
FATAL: No valid signing SSL certificate configured for https_port [::]:3127
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.010 user + 0.030 sys
Maximum Resident Size: 6288 KB
Page faults with physical i/o: 0

On 2/15/2015 4:49 PM, Eliezer Croitoru wrote:
> On 15/02/2015 23:36, Alan Palmer wrote:
>> I'm trying to get squid 3.4.11 on openbsd 5.6 to act as a transparent
>> ssl proxy.
>>
>> I've rebuilt squid with --enable-ssl-crtd, generated my own self signed
>> cert (ala http://www.akadia.com/services/ssh_test_certificate.html) and
>> have the following config lines:
>
> Hey Alan,
>
> What is the full output of "squid -v"?
>
> I am unsure about the akadia tutorial.
> Please take a look at:
> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP
>
> It contains some hints on how to create the certificate and contains a 
> snippet of squid configuration to make a basic ssl-bump work (the echo 
> command code might not be right)
>
> I am pretty sure the certificate you have created is not the right 
> type for the task.
>
> Eliezer
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
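
The following pre-flight check is an added example, not part of the original thread or of Squid. It tests the file named in cert= for what a combined signing file needs when no separate key= is given: a certificate, an unencrypted private key that matches it, and (an assumption of this example) basicConstraints CA:TRUE. check_signing_pem is a hypothetical helper name; run it as the user Squid runs as so the readability test is meaningful.

```sh
#!/bin/sh
# Added example: sanity-check a PEM file intended for "cert=" on an
# ssl-bump https_port. check_signing_pem is a hypothetical helper name.
# Prints the first problem found and returns a distinct non-zero code.
check_signing_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "unreadable: $pem"; return 1; }

    # 1. The file must contain a parsable certificate.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "no certificate in $pem"; return 2; }

    # 2. It must also contain a private key that loads without a passphrase.
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) ||
        { echo "no usable private key in $pem"; return 3; }

    # 3. Key and certificate must belong together (same public key).
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; return 4; }

    # 4. Assumption of this example: a certificate used to sign generated
    #    host certificates should be marked as a CA.
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' ||
        { echo "certificate is not marked CA:TRUE"; return 5; }

    echo "ok: $pem"
}

# Stand-alone use: sh check.sh /path/to/file.pem
if [ "$#" -gt 0 ]; then
    check_signing_pem "$1"
fi
```

A pass here only rules out these four problems; it does not show that Squid will accept the file.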


