[squid-users] How to know, which CA certificate is absent?

Thu Jan 15 11:10:06 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/01/2015 12:00 a.m., Yuri Voinov wrote:
> 
> Hi gents,
> 
> I have question.
> 
> Look:
> 
> 2015/01/15 16:48:50 kid1| clientNegotiateSSL: Error negotiating
> SSL connection on FD 209: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) 2015/01/15
> 16:50:50 kid1| clientNegotiateSSL: Error negotiating SSL connection
> on FD 216: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca (1/0) 2015/01/15 16:52:51 kid1| clientNegotiateSSL:
> Error negotiating SSL connection on FD 42: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) 2015/01/15
> 16:54:54 kid1| clientNegotiateSSL: Error negotiating SSL connection
> on FD 107: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca (1/0)
> 
> Question is: How to debug SSL bump to know, which intermediate 
> certificate is absent in capath to get and install it to avoid
> this annoying messages?

The message is generated by OpenSSL and is all we get given.

AFAIK a manual test using the openssl command line tool is needed to
find out more.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUt6AOAAoJELJo5wb/XPRjcAIH/15EyfBYzgVQMjDRo2tcopuK
fs/gxnizA0ZMgcZrbszbqJpnFyLgwX1FPpJRYcJNVDrEk5XTUee4bwPcMEj9UgzD
oHHt2yLWIBC3kXVFlCiA1U49PStkF6zfs9hkVG6FZ5FBCUJFwIBaUouSwOcK+P48
v92KeMjtdfw8PuVGXKTeZXWpJ4tW+68KRdSrqEkdKxoaMIn/JrzzPBD56ageE852
ekRLCp1Mpq1okEvjbQK9UubpT5mJ4o31WZ+ayEStDqosqe4EYj+w+uPRE8Pi/uGl
XdZTOlEBrWlQ0Lc1vKa7AWMcvB21GuZvIWeq+9sgKoNB+bKgzApmSDVWSKd3sZI=
=o8wN
-----END PGP SIGNATURE-----