[squid-users] ssl_crtd initialization SSL db error

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 15 01:47:20 UTC 2015

On 15/10/2015 9:51 a.m., Ian Silvester wrote:
> Hi all,
> I'm following the instructions on this page
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> to set up Squid as an end-point for HTTPS communications, and am hitting
> an error when attempting to create and initialize an SSL certificates
> cache directory.
> Having taken care to ensure that my chosen directory exists
> (/usr/local/var/cache/squid/ssl_db) and has the same ownership as the
> user which I'm using to execute ssl_crtd, I execute the following
> command from within squid's libexec directory:
> ./ssl_crtd -c -s /usr/local/var/cache/squid/ssl_db
> This gives the following output:
> Initialization SSL db...
> ./ssl_crtd: Cannot create /usr/local/var/cache/squid/ssl_db
> All the mailing list searching I've done suggests that this is a
> permissions issue, but the folder is owned by me, has permissions 755,
> and I'm running ssl_crtd.
> For what it's worth, I'm running v3.5.7 on OS X (via Homebrew) which was
> built with --enable-ssl --enable-ssl-crtd --disable-eui

--enable-ssl does not exist in Squid-3.5. Use --with-openssl instead.

Please also try to get the very latest 3.5 release when dealing with
ssl-bump, the features are quite volatile still.

Currently that is 3.5.10 for stable production use or 4.0.1 (beta) if it
works for your needs.

> Can anyone suggest what my issue might be? Does ssl_crtd internally run
> as an alternate user? I don't appear to have any user accounts dedicated
> to Squid.

That does not matter until after the DB has been created. In order to
make sure the DB is useable by the Squid initiated helpers.

You should be able to run the above creation command with any account
having ownership of the directory - but not use the resulting DB with Squid.

Sadly that helper has quiet bad debugging output still. So you won't get
much better output from newer Squid releases, just better behaviour.

The following is how to determin your squid low-privilege account name:

* Run "squid -k parse 2>&1 | grep cache_effective_user" to see if
squid.conf has been configured to override the built-in account with
something specific to your install,

* if nothing is found; Run "squid -v" to see if the --with-default-user
build option has been set to any particular account name,

* Otherwise; the default is account "nobody".


More information about the squid-users mailing list