[squid-users] No valid signing SSL certificate configured for HTTPS_port

Garri Djavadyan garryd at comnet.uz
Sat Nov 5 17:09:59 UTC 2016


On 2016-11-05 21:24, Konrad Kaluszynski wrote:
> Hi All,
> 
> My goal is to configure a reverse proxy for Outlook Anywhere clients
> using squid.
> http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
> 
> This will replace existing TMG that my client is currently using.
> 
> However, when I run squid I get an error  "No valid signing SSL
> certificate configured for HTTPS_port".
> 
> Before, I was able to get OWA and HTTPS traffic using NGINX as reverse
> proxy but was getting connection errors when trying to use
> OutlookAnywhere.
> 
> So now I have been testing Squid but cannot get past the certificate
> installation which was painless under Nginx.
> 
> Configuration is based on an article below:
> 
> https://sysadminfixes.wordpress.com/2013/01/25/exchanging-squids/
> 
> I have been trying for several days now without much success to
> configure SSL certificate on my squid server.
> 
> Getting the " ...no valid signing certificate" every time.
> 
> I found few posts saying that it was not possible to use SSL
> certificates signed by public CA and self-signed certs must be used.
> 
> Can anyone confirm if this is a case?
> 
> Logs and config files below.
> 
> My domain name has been replaced with _contoso.com [1]_ for
> confidentiality sake.
> 
> squid server- srv-_squid.contoso.com [2]_ / 3.3.3.201
> 
> uname -a
> Linux srv-squid 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12
> UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> 
> exchange server - exch.contoso.com [3] / 10.2.2.30
> 
> SSL certificate:
> 
> obtained from StartSSL for mail.contoso.com [4]
> 
> SQUID.CONF
> 
> #### START
> 
> visible_hostname mail.contoso.com [4]
> redirect_rewrites_host_header off
> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> #logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h"
> "%{User-Agent}>h" %Ss:%Sh ###this causes an error
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> cache_store_log none
> cache_mgr nomail_address_given
> forwarded_for transparent
> ### ignore_expect_100 ## not available in version 3.5
> ssl_unclean_shutdown on
> ### The most important line
>  ### "cert" should contain Exchange certificate and key
>  ### "sslproxy_cafile" contains CA of root servers - StartSSL ?!
> https_port mail.contoso.com:443 [5] accel
> cert=/home/kk/ssl/cert-mail/mail.contoso.com.pem
> defaultsite=mail.contoso.com [4]
> key=/home/kk/ssl/cert-mail/mail.contoso.com.key
> 
> cache_peer exch.kk1.tech parent 443 0 proxy-only no-digest no-query
> originserver front-end-https=on login=PASS sslflags=DONT_VERIFY_PEER
> connection-auth=on name=Exchange
> 
> acl exch_url url_regex -i mail.contoso.com/owa [6]
> acl exch_url url_regex -i mail.contoso.com/microsoft-server-activesync
> [7]
> acl exch_url url_regex -i mail.contoso.com/rpc [8]
> 
> cache_peer_access Exchange allow exch_url
> cache_peer_access Exchange deny all
> never_direct allow exch_url
> http_access allow exch_url
> http_access deny all
> miss_access allow exch_url
> miss_access deny all
> deny_info https://mail.contoso.com/owa all
> 
> ###END
> 
> ERROR
> 
> cache.log
> 2016/11/05 08:52:13| storeDirWriteCleanLogs: Starting...
> 2016/11/05 08:52:13|   Finished.  Wrote 0 entries.
> 2016/11/05 08:52:13|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for HTTPS_port
> 3.3.3.201:443 [9]
> Squid Cache (Version 3.5.22): Terminated abnormally.
> CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
> Maximum Resident Size: 46624 KB
> Page faults with physical i/o: 0
> 
> SQUID - compiled from sources
> 
> squid -v
> 
> Squid Cache: Version 3.5.22
> Service Name: squid
> configure options:  '--prefix=/usr' '--localstatedir=/var'
> '--libexecdir=/lib/squid3' '--srcdir=.' '--datadir=/share/squid3'
> '--sysconfdir=/etc/squid3' '--with-logdir=/var/log'
> '--with-pidfile=/var/run/squid3.pid' '--enable-inline'
> '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> '--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
> '--enable-follow-x-forwarded-for'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
> '--enable-ntlm-auth-helpers=smb_lm,'
> '--enable-digest-auth-helpers=ldap,password'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-external-acl-helpers=' '--enable-arp-acl' '--enable-esi'
> '--enable-ssl' '--enable-zph-qos' '--enable-wccpv2'
> '--disable-translation' '--with-logdir=/var/log/squid3'
> '--with-filedescriptors=65536' '--with-large-files'
> '--with-default-user=proxy' '--with-ssl' '--disable-ipv6'
> '--with-openssl' --enable-ltdl-convenience
> 
> Appreciate any feedback
> 
> Cheers
> 
> Konrad
> 
> 
> 
> Links:
> ------
> [1] http://contoso.com
> [2] http://squid.contoso.com
> [3] http://exch.contoso.com
> [4] http://mail.contoso.com
> [5] http://mail.contoso.com:443
> [6] http://mail.contoso.com/owa
> [7] http://mail.contoso.com/microsoft-server-activesync
> [8] http://mail.contoso.com/rpc
> [9] http://3.3.3.201:443

Hi,

Sorry if my questions appear naive, but:

1. Does your certificate signed by the StartSSL CA 
(/home/kk/ssl/cert-mail/mail.contoso.com.pem) correspond to your 
private key (/home/kk/ssl/cert-mail/mail.contoso.com.key)?

2. Does user 'proxy' (--with-default-user=proxy) have access rights to 
keys?


Garri
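The two questions in the reply above can be answered mechanically before Squid is started. The POSIX shell script below is an added example, not code from either message in this thread or from the Squid project: it compares the public key embedded in the certificate with the public half derived from the private key (so a cert/key mismatch is caught), and applies the file's read bits for the Squid runtime user without switching identity. The default paths and the user name `proxy` are taken from Konrad's squid.conf and configure options and are assumed only for illustration; GNU coreutils `stat` and the `openssl` CLI are assumed to be present.

```shell
#!/bin/sh
# Added example, not code from either message in this thread.
# Answers the two questions in the reply for a Squid https_port:
#   1. does the certificate's public key match the private key?
#   2. can the Squid runtime user read both files?
# Default paths and the user name come from Konrad's squid.conf and
# configure options (assumed here; override them on the command line).
# Assumes GNU coreutils 'stat' and the 'openssl' command-line tool.

# cert_matches_key CERT KEY
# Succeeds when the SubjectPublicKeyInfo embedded in CERT is identical to
# the public half derived from KEY. Comparing the SPKI works for RSA and
# EC keys alike; the classic modulus comparison only covers RSA.
# Returns 2 when either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# user_can_read USER FILE
# Applies the owner/group/other read bits of FILE for USER without
# switching identity, so it runs unprivileged. Search permission on the
# parent directories is not checked here. Returns 2 on a lookup error.
user_can_read() {
    user=$1; file=$2
    uid=$(id -u "$user" 2>/dev/null) || return 2
    if [ "$uid" = 0 ]; then return 0; fi          # root bypasses mode bits
    [ -f "$file" ] || return 2
    info=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 2
    set -- $info
    owner=$1; group=$2; mode=$3                   # mode is e.g. 640 or 1777
    if [ "$owner" = "$user" ]; then
        bits=$(( (mode / 100) % 10 ))             # owner triplet
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bits=$(( (mode / 10) % 10 ))              # group triplet
    else
        bits=$(( mode % 10 ))                     # other triplet
    fi
    [ $(( bits & 4 )) -ne 0 ]
}

# check_https_port CERT KEY USER
# Prints one line per check and returns non-zero if any check fails, so it
# can be run before starting Squid to catch the FATAL error early.
check_https_port() {
    cert=$1; key=$2; user=$3; rc=0
    if cert_matches_key "$cert" "$key"; then
        echo "ok:   $cert matches $key"
    else
        echo "FAIL: $cert does not match $key (or a file is unparsable)"; rc=1
    fi
    for f in "$cert" "$key"; do
        if user_can_read "$user" "$f"; then
            echo "ok:   user $user can read $f"
        else
            echo "FAIL: user $user cannot read $f"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check_https_port.sh CERT KEY [USER]
# e.g. sh check_https_port.sh /home/kk/ssl/cert-mail/mail.contoso.com.pem \
#        /home/kk/ssl/cert-mail/mail.contoso.com.key proxy
if [ $# -ge 2 ]; then
    check_https_port "$1" "$2" "${3:-proxy}"
fi
```

A mismatch reported by `cert_matches_key` typically means the `.pem` was issued for a different key than the one on disk (a re-generated CSR, or the CA's certificate bundle copied into the `cert=` file instead of the server certificate); a read failure for `proxy` points at directory or file permissions, which Squid only hits after it drops privileges.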


More information about the squid-users mailing list