[squid-users] HSTS and MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA

Erdosain9 erdosain9 at gmail.com
Tue Aug 9 21:07:56 UTC 2016


Hi to all.
I keep trying to get HTTPS inspection working. I think I'm close to doing it.
This is my current configuration related to ssl-bump.

   # Squid listen Port
   http_port 192.168.1.215:3128
   https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

   #always_direct allow all
   ssl_bump server-first all
   #sslproxy_cert_error deny all
   #sslproxy_flags DONT_VERIFY_PEER

   sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
   sslcrtd_children 8 startup=1 idle=1

I'm having this error in Firefox.

When I try google.com <http://google.com>:
The owner of www.google.com has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox only connect to it securely. As a result, it is not possible to add
an exception for this certificate.

Or yahoo.com <http://yahoo.com>:

https://search.yahoo.com/yhs/search?p=X.509+version+1+certificates+are+deprecated&ei=UTF-8&hspart=mozilla&hsimp=yhs-005
An X.509 version 1 certificate that is not a trust anchor was used to
issue the server's certificate. X.509 version 1 certificates are deprecated
and should not be used to sign other certificates.
HTTP Strict Transport Security: true
HTTP Public Key Pinning: false



MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA

When I create the self-signed certificate, I do it like this:

   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem


So what can I change to avoid the problem???
Thanks to all!!