[squid-users] squid 3.5.2==> HTTPS FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Eliezer Croitoru eliezer at ngtech.co.il
Fri Mar 3 00:32:14 UTC 2017 

Hey Yuri,

This issue is not 100% squid but I think it's related to the way ssl_crtd works.
I am not sure if it has some locking or other things to prevent such issues.
The first solution is to somehow defend the DB from corruption, like in a case that more then a dozen identical requests are being done towards a single site and two ssl_crtd helpers are trying to do the same things.
I believe that something to fence this should already be inside squid and ssl_crtd but I am pretty sure this is the main issue.

Alex and his team should know the answer for this subject and if I'm not wrong theoretically there are couple ways to prevent the mentioned issues.
I had a plan to try and understand the ssl_crtd code and interface but yet to do so.

I hope this issue will be resolved in a way that it can be backported to 3.5 in the worst case.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
Sent: Thursday, March 2, 2017 11:46 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid 3.5.2==> HTTPS FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

This problem, in principle, is common to all versions of ssl-bumped Squid from version 3.4 and 5.0, inclusive, and occurs when the stored certificate is damaged for any reason. The only thing vorkeraund that I could find - a monitor kesh.log and initialize the certificate database again with squid restart automatically.
In some installations, this problem does not occur over the years. In other - almost daily. I have no desire to find out why this is happening exactly. For me it was easier to make the watchdog, which will follow up on this.
03.03.2017 3:40, Yuri Voinov пишет:
One hint finally:
'([^ ]*) helper database ([^ ]*) failed: The SSL certificate database ([^ ]*) is corrupted. Please rebuild' - - - 0    exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
'FATAL: ([^ ]*) helpers are crashing too rapidly, need help!' - - - 0    exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
'Cannot add certificate to db.' - - - 0        exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
PS. This is from logsurfer.conf.

03.03.2017 3:34, Yuri Voinov пишет:
This error is usually preceded by another error in cache.log associated with the certificates.
I will show you the direction. Then go himself.
This software will useful for you to solve:
http://www.crypt.gen.nz/logsurfer/
HTH, Yuri

03.03.2017 2:47, --Ahmad-- пишет:
hey folks . 
i have a problem with squid it get crashed after i enabled https !
cache log error => FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

i googled many topics and relevant pages and couldnt find a clear solution .

the quick solution i made was i  removed the certs in file :
rm -rfv /var/lib/ssl_db/


then reinitiated the DB using cmd below :
/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid.squid /var/lib/ssl_db
chown -R squid.squid /var/lib/ssl_db


the restarted squid .


but this is not a solution becuase squid get crashed again after certain time and i don’t know why !
my version is 3.5.2


here is squid.conf :
 /etc/squid/squid.conf
visible_hostname pcloud
acl ip1 myip 10.1.0.1
acl ip2 myip 192.168.10.210
tcp_outgoing_address 192.168.10.210 ip1
tcp_outgoing_address 192.168.10.210 ip2
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access allow  CONNECT 
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
#coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
#

http_port 3126
#http_port 3128
#######################################
#cache_swap_low 90
#cache_swap_high 95
############################
cache_effective_user squid
cache_effective_group squid
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
########################
maximum_object_size 10000 MB
#cache_mem 5000 MB
maximum_object_size_in_memory 10 MB
#########################
logfile_rotate 2
max_filedescriptors 131072
###############################
############
cache_dir aufs /var/cache/squid 600000 64 128
#######################################
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myca.pem key=/usr/local/squid/ssl_cert/myca.pem
ssl_bump server-first all
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 1000 startup=1 idle=1
###
minimum_object_size 0 bytes
#refresh patterns for caching static files
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i .(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i .index.(html|htm)$ 0 40% 10080
refresh_pattern -i .(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
















any Joy Guys ?


should i update squid ? or downgrade squid ?


kind regards 




_______________________________________________
squid-users mailing list
mailto:squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

-- 
Bugs to the Future

-- 
Bugs to the Future

-- 
Bugs to the Future

More information about the squid-users mailing list