[squid-users] Cert authority invalid failures.
bmarkey at steinmancommunications.com
Wed Apr 20 20:18:27 UTC 2016
I'm curious as to why this is happening.
Proxy was implemented last week and since then I've been dealing with all the sites that don't work. Not a problem, knew it was going to happen. I'd like to understand why the following is happening.
1. User goes to https://www.whatever.com
2. Browser, mostly chrome, gives the following error. Connection not private. NET:ERR_CERT_AUTHORITY_INVALID
3. If you view the cert it shows the dynamic cert listed.
4. Click the "Proceed to www.whatever.com<http://www.whatever.com> (unsafe )
5. Now I get a squid error. Requested url could not be retrieved. Access denied while trying to retrieve https:// some ip address/*
Thing is I don't have an acl blocking that ip? ( Small sub question here, is there a way to tell which acl blocks something? )
What I've had to do to get around this is add www.whatever.com<http://www.whatever.com> to my broken_sites.acl. Then add the ip to an allowed_ips.acl.
Then I http_access allow the ips list
And skip peeking at the broken site.
acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"
ssl_bump peek !broken_sites
ssl_bump splice all
I'm trying to understand why this is breaking and if I'm doing the right thing in fixing it.
The second error I'm getting is:
The following error was encountered while trying to retrieve the URL: https://*.agentimediaservices.com/*<https://%2A.agentimediaservices.com/*>
Failed to establish a secure connection to 22.214.171.124
The system returned:
(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
Same question. From what I've read this means that I don't have the correct root ca? Is that correct? If so is the fix to then go try to find the correct .crt and add it to the standard ca-cert store? ( I'm on debian so /usr/share/ca-certificates/Mozilla )
Again, is this correct as to what is going wrong and the correct fix?
Bruce Markey | Network Security Analyst
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the squid-users