[squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Yuri Voinov yvoinov at gmail.com
Fri Jan 23 20:10:38 UTC 2015


This issue is not Linux-specific, Mike.

At a minimum, for me: I never use Linux. :)

24.01.2015 2:08, Mike wrote:
> For a Red Hat/CentOS based OS, selinux causes that.
>
> The fix I found in this case:
>
> Before the below “audit2allow” command will work, you will need to install the needed tool for selinux:
>
> * yum -y install policycoreutils-python
> (which will also install a few other dependencies).
>
> To temporarily set selinux to permissive:
>
> * echo 0 >/selinux/enforce
>
> To re-enable after it is fixed:
> * echo 1 >/selinux/enforce
>
> Check the /var/log/audit/audit.log for the type=AVC relating to the ssl_crtd entries (easy way is "grep AVC audit.log | less" ).
>
> To find out WHY it is happening in selinux, use this:
> grep ssl_crtd /var/log/audit/audit.log | audit2allow -w
>
>
> Start in /tmp/ folder since we will not need these files for long.
>
> * grep ssl_crtd /var/log/audit/audit.log | audit2allow -m ssl_crtdlocal > ssl_crtdlocal.te
> - outputs the suggested settings into the file ssl_crtdlocal.te, which we will review below in “cat”
> * cat ssl_crtdlocal.te
> - to review the created file and show what will be done in selinux
> * grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtdlocal
> - Note the capital M, this Makes the needed file, ready for selinux to import, and then the next command below actually enables it.
> * semodule -i ssl_crtdlocal.pp
> - Used to enable the new policy in selinux
>
> As long as it is now working properly, can delete the *.te and *.pp files created in the /tmp/ folder.
>
> Now all of this is moot if selinux is not used so there may likely be other explanations, but this at least covers RedHat based OS's with selinux. I documented all of this since our servers ran into the same issue due to selinux, and this was how we resolved it.
>
>
> Mike
>
>
>
> On 1/22/2015 6:17 AM, HackXBack wrote:
>> Hello,
>> every day I find this error and my cache stops.
>>
>> Then I remove the ssl database and restart squid.
>>
>> The next day the problem happens again.
>> I am using squid 3.4.11.
>>
>> What may cause this problem?
>>
>> Thanks.
>>
>>
>>
>> --
>> View this message in context:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-The-ssl-crtd-helpers-are-crashing-too-rapidly-need-help-tp4669257.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>


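The quoted steps build an SELinux module from whatever `ssl_crtd` denials are in the audit log, so it is worth seeing those denials grouped before running `audit2allow -M` and `semodule -i`. The following is an added example, not part of the original messages: a shell function that summarises AVC denials for one process name by target type, object class and permission. The log lines, the SELinux types in them and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All log lines below are constructed sample data.

# Write a constructed audit.log excerpt to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1421900000.101:501): avc:  denied  { write } for  pid=2101 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=1311 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1421900007.442:509): avc:  denied  { write } for  pid=2104 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=1311 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1421900009.010:512): avc:  denied  { add_name } for  pid=2104 comm="ssl_crtd" name="certs" scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1421900011.900:520): avc:  denied  { read } for  pid=3300 comm="httpd" name="secret" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1421900011.900:520): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
EOF
}

# summarize_avc LOG COMM
# Prints "count target_type class permissions" for every denied AVC record
# whose comm= field equals COMM, most frequent first.
summarize_avc() {
    awk -v comm="$2" '
        /type=AVC/ && /avc: +denied/ && index($0, "comm=\"" comm "\"") {
            perms = ""; tclass = "?"; ttype = "?"
            # The denied permission set sits between "{" and "}".
            if (match($0, /\{[^}]*\}/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/) tclass = substr($i, 8)
                # tcontext is user:role:type:level; keep the type.
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            n[ttype " " tclass " " perms]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

log=$(mktemp)
write_sample_log "$log"
summarize_avc "$log" ssl_crtd
rm -f "$log"
```

On a real system, pass `/var/log/audit/audit.log` as the first argument and compare the summary with the rules in `ssl_crtdlocal.te` before importing the module.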

