[squid-users] Cert authority invalid failures.

Markey, Bruce bmarkey at steinmancommunications.com
Wed Apr 20 20:18:27 UTC 2016


I'm curious as to why this is happening.

Proxy was implemented last week and since then I've been dealing with all the sites that don't work. Not a problem, knew it was going to happen. I'd like to understand why the following is happening.


1. User goes to https://www.whatever.com

2. Browser, mostly Chrome, gives the following error: Connection not private. NET::ERR_CERT_AUTHORITY_INVALID

3. If you view the cert it shows the dynamic cert listed.

4. Click the "Proceed to www.whatever.com (unsafe)" link.

5. Now I get a squid error. Requested URL could not be retrieved. Access denied while trying to retrieve https://<some ip address>/*

The thing is, I don't have an ACL blocking that IP. (Small sub-question here: is there a way to tell which ACL blocks something?)

What I've had to do to get around this is add www.whatever.com to my broken_sites.acl. Then add the IP to an allowed_ips.acl.

Then I http_access allow the ips list

And skip peeking at the broken site.

acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"
ssl_bump peek !broken_sites
ssl_bump splice all

I'm trying to understand why this is breaking and if I'm doing the right thing in fixing it.


The second error I'm getting is:


The following error was encountered while trying to retrieve the URL: https://*.agentimediaservices.com/*

Failed to establish a secure connection to 63.240.52.151

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
Same question. From what I've read this means that I don't have the correct root CA? Is that correct? If so, is the fix then to go try to find the correct .crt and add it to the standard ca-cert store? (I'm on Debian, so /usr/share/ca-certificates/Mozilla.)

Again, is this correct as to what is going wrong and the correct fix?

Thank you


Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328
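
Editor's note on the second error above. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY is raised when the verifier holds the leaf certificate but cannot find the certificate that issued it, and the issuer named in the error ("COMODO RSA Organization Validation Secure Server CA") is an intermediate CA, not a root. The usual cause is an origin server that sends only its leaf certificate and omits the intermediate; browsers paper over this by fetching the intermediate via the AIA extension or from a cache, but a proxy that peeks at the server certificate does not. Adding more roots to the Mozilla store therefore does not help; what the proxy needs is a local copy of the intermediate (Squid 3.5 takes these through the sslproxy_foreign_intermediate_certs directive). The script below is an added example, not code from the post or from the Squid project: it builds a throwaway root -> intermediate -> leaf chain with openssl (all names and paths are constructed for the demo), then shows that verifying the leaf with only the root trusted fails with exactly this error, while supplying the intermediate as an untrusted chain member makes it pass.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY verification failure offline
# with a constructed three-level chain (root -> intermediate -> leaf).
# Subjects, host names and file paths below are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a private root CA, an intermediate CA signed by it, and a leaf
# server certificate signed by the intermediate.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify the leaf against the trusted root only ("without"), which is the
# situation when the server omits its intermediate and the proxy has no
# local copy, or with the intermediate supplied as an untrusted chain
# member ("with"). Prints openssl's verdict; exit status is openssl verify's.
verify_leaf() {
  case "$1" in
    with)
      openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1 ;;
    without)
      openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 ;;
    *)
      echo "usage: verify_leaf with|without" >&2; return 2 ;;
  esac
}

# Print the leaf's issuer DN: this is the certificate that has to be made
# available locally, and it should match the CA named in the proxy's error page.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

main() {
  make_chain
  echo "leaf issuer: $(leaf_issuer)"
  echo "--- verify with root only (server did not send the intermediate):"
  verify_leaf without || true
  echo "--- verify with the intermediate supplied:"
  verify_leaf with
}

main "$@"
```

The failing run prints "error 20 at 0 depth lookup: unable to get local issuer certificate", which is the numeric form of the error in the Squid page; the passing run prints "leaf.pem: OK". Against a real origin, `openssl s_client -showcerts` on the server reveals whether the intermediate is in the handshake, and the issuer printed by `leaf_issuer` is the certificate to obtain (from the CA's public repository, not by trusting anything new as a root). For the ACL sub-question, Squid logs every ACL evaluation when debug_options is raised on section 28 (access control) at level 9, which is the usual way to see which rule produced an access denied page.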


