[squid-users] ssl proxy error: No valid signing SSL certificate configured for https_port [::]:3127

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 16 22:45:02 UTC 2015


On 17/02/2015 5:16 a.m., Alan Palmer wrote:
> Tried the two links provided, still no luck.
> 
> details:
> squid -v
> Squid Cache: Version 3.4.11
> configure options:  '--disable-strict-error-checking'
> '--disable-arch-native' '--enable-shared'
> '--datadir=/usr/local/share/squid'
> '--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
> '--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
> '--enable-follow-x-forwarded-for' '--enable-forw-via-db'
> '--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
> '--enable-referer-log' '--enable-removal-policies=lru heap'
> '--enable-ssl' '--with-openssl' '--enable-storeio=aufs ufs diskd'
> '--with-default-user=_squid' '--with-filedescriptors=8192'
> '--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid'
> '--with-pthreads' '--with-swapdir=/var/squid/cache'
> '--disable-pf-transparent' '--enable-ipfw-transparent'
> '--enable-external-acl-helpers=LDAP_group SQL_session file_userip
> time_quota session  unix_group wbinfo_group LDAP_group
> eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
> '--mandir=/usr/local/man' '--infodir=/usr/local/info'
> '--localstatedir=/var/squid' '--disable-silent-rules' 'CC=cc'
> 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib'
> 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'
> '--enable-ssl-crtd' --enable-ltdl-convenience
> 
> tail -10 squid.conf
> https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/server1.crt
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
> sslcrtd_children 10
> ssl_bump server-first all
> 
> cert generation
> openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
> openssl rsa -passin pass:x -in server.pass.key -out server.key
> rm server.pass.key
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
> cat server.key server.crt > server1.crt
> 

All of that process is what the "generate-host-certificates=on" does.

The server1.crt file contains the output bytes Squid will be sending
on-the-wire, not what the cert= input parameter needs.



> squid -z
> FATAL: No valid signing SSL certificate configured for https_port
> 0.0.0.0:3127

Which is correct.
The file "server1.crt" contains a server cert not a CA cert.

> Squid Cache (Version 3.4.11): Terminated abnormally.
> CPU Usage: 0.080 seconds = 0.060 user + 0.020 sys
> Maximum Resident Size: 6752 KB
> Page faults with physical i/o: 0
> 
> cert generation ala
> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP (squid.conf
> changed to cert=/etc/squid/ssl_cert/myCA.pem)
> 

That is a draft, and a bit outdated.

Use this instead:
 http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit


> openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
> 
> squid -z
> FATAL: No valid signing SSL certificate configured for https_port [::]:3127
> Squid Cache (Version 3.4.11): Terminated abnormally.

Notice how the port details have changed from IPv4-only to IPv6-only.

You are using a split-stack OS where each of the IPv4 and IPv6 ports
needs a separate TLS/SSL context. You can set the same settings and load
the same cert file, you just have to place the config separately in
squid.conf for now:


https_port 0.0.0.0:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/server1.crt

https_port [::]:3127 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  cert=/etc/squid/ssl_cert/server1.crt


Amos
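
Added example, not Squid's code and not part of either message above: it builds a CA certificate of the kind the ssl-bump cert= parameter needs, rebuilds the server-style certificate from the original post, and runs the pre-flight check a practitioner would apply before starting Squid: the certificate must carry basicConstraints CA:TRUE, and since no key= is given in squid.conf the same file must also contain the private key that matches it. This is my own check of what a bumping CA needs, not a copy of Squid's internal validation. It assumes POSIX sh and the openssl CLI; the function names, the req.cnf file and every path are made up for the example.

```shell
#!/bin/sh
# Added example for the squid-users thread above (not Squid's own code).
# Assumed: POSIX sh, the openssl CLI; all file names below are made up.
set -eu

# write_req_cnf DIR: minimal openssl req config so the commands do not depend
# on the system openssl.cnf. [v3_ca] is what makes the -x509 output a CA cert.
write_req_cnf() {
  cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder (overridden by -subj)
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_bump_ca DIR: DIR/myCA.pem holds the CA private key followed by the CA
# cert (what cert= wants); DIR/myCA.der is the cert alone, for client trust stores.
make_bump_ca() {
  dir="$1"; mkdir -p "$dir"; write_req_cnf "$dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config "$dir/req.cnf" -extensions v3_ca -subj "/CN=Example Squid Bump CA" \
    -keyout "$dir/myCA.pem" -out "$dir/myCA.pem" 2>/dev/null
  openssl x509 -in "$dir/myCA.pem" -outform DER -out "$dir/myCA.der"
}

# make_server_cert DIR: the original post's recipe, a plain self-signed
# end-entity certificate with no basicConstraints, concatenated with its key.
make_server_cert() {
  dir="$1"; mkdir -p "$dir"; write_req_cnf "$dir"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=server1" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 730 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -out "$dir/server.crt" 2>/dev/null
  cat "$dir/server.key" "$dir/server.crt" > "$dir/server1.crt"
}

# is_signing_ca FILE: return 0 only if FILE is usable as a bump signing CA.
is_signing_ca() {
  f="$1"
  # 1. the certificate must be a CA certificate
  openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  # 2. a private key must be in the same file (no key= in squid.conf) ...
  keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
  # 3. ... and it must be the key belonging to that certificate
  certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
  [ "$keypub" = "$certpub" ]
}

# Usage: sh bumpca.sh demo   (writes everything into ./bumpca-demo)
if [ "${1:-}" = "demo" ]; then
  make_bump_ca ./bumpca-demo
  make_server_cert ./bumpca-demo
  for f in myCA.pem server1.crt; do
    if is_signing_ca "./bumpca-demo/$f"; then
      echo "$f: usable for cert="
    else
      echo "$f: NOT a signing CA"
    fi
  done
fi
```

myCA.pem passes the check and server1.crt from the original recipe does not, which is the "contains a server cert not a CA cert" situation in the reply. The same file is then given to both https_port lines on a split-stack host; only the DER copy goes to the clients.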


