[squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Mike mcsnv96 at afo.net
Fri Jan 23 20:08:23 UTC 2015


For a Red Hat/CentOS based OS, selinux causes that.

The fix I found in this case:

Before the below “audit2allow” command will work, you will need to 
install the needed tool for selinux:

* yum -y install policycoreutils-python
(which will also install a few other dependencies).

To temporarily set selinux to permissive:

* echo 0 >/selinux/enforce

To re-enable after it is fixed:
* echo 1 >/selinux/enforce

Check the /var/log/audit/audit.log for the type=AVC relating to the 
ssl_crtd entries (easy way is "grep AVC audit.log | less" ).

To find out WHY it is happening in selinux, use this:
grep ssl_crtd /var/log/audit/audit.log | audit2allow -w


Start in /tmp/ folder since we will not need these files for long.

* grep ssl_crtd /var/log/audit/audit.log | audit2allow -m ssl_crtdlocal > ssl_crtdlocal.te
- outputs the suggested settings into the file ssl_crtdlocal.te, which 
we will review below in “cat”
* cat ssl_crtdlocal.te
- to review the created file and show what will be done in selinux
* grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtdlocal
- Note the capital M, this Makes the needed file, ready for selinux to 
import, and then the next command below actually enables it.
* semodule -i ssl_crtdlocal.pp
- Used to enable the new policy in selinux

As long as it is now working properly, you can delete the *.te and *.pp 
files created in the /tmp/ folder.

Now all of this is moot if selinux is not used so there may likely be 
other explanations, but this at least covers RedHat based OS's with 
selinux. I documented all of this since our servers ran into the same 
issue due to selinux, and this was how we resolved it.


Mike



On 1/22/2015 6:17 AM, HackXBack wrote:
> Hello,
> every day I find this error and my cache stops
>
> then I remove the ssl database then restart squid
>
> next day the problem happens again,
> I am using squid 3.4.11
>
> what may cause this problem?
>
> thanks.


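To go with the review step in the reply above (reading the generated .te file before running semodule -i), here is an added example, not part of the original post, that summarises which ssl_crtd AVC denials would feed audit2allow. The function names `summarize_avc` and `sample_log` are hypothetical, and the log records are constructed for illustration.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for one command name so the rules that
# audit2allow would generate can be checked before semodule -i loads them.
# stdin: audit.log text. stdout: count, source type, target type, class, perms.
summarize_avc() {
    comm="$1"
    # Keep only AVC records for this comm (SYSCALL records also mention it).
    grep 'type=AVC' | grep "comm=\"$comm\"" | awk '
    {
        perms = ""; st = ""; tt = ""; cls = ""
        # Denied permissions sit between the braces: { read write }
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        seen[st "\t" tt "\t" cls "\t" perms]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }' | sort
}

# Constructed sample records (not taken from a real server).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1422000001.101:501): avc:  denied  { read write } for  pid=2101 comm="ssl_crtd" name="example.db" dev="dm-0" ino=1001 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1422000001.101:501): arch=c000003e syscall=2 success=no exit=-13 pid=2101 comm="ssl_crtd" exe="/example/ssl_crtd"
type=AVC msg=audit(1422000002.202:502): avc:  denied  { read write } for  pid=2102 comm="ssl_crtd" name="example.db" dev="dm-0" ino=1001 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1422000003.303:503): avc:  denied  { add_name } for  pid=2102 comm="ssl_crtd" name="example.tmp" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1422000004.404:504): avc:  denied  { getattr } for  pid=3001 comm="httpd" path="/example" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
EOF
}

sample_log | summarize_avc ssl_crtd
```

On a real host, redirect /var/log/audit/audit.log into `summarize_avc ssl_crtd` instead of using the sample, and compare the summary with the allow rules in the generated .te file.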
