[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?
yvoinov at gmail.com
Thu Sep 7 21:19:51 UTC 2017
08.09.2017 3:14, L A Walsh пишет:
> Got an error message from squid where I'm doing https-bumping:
> The following error was encountered while trying to retrieve the URL:
> *Failed to establish a secure connection to 22.214.171.124*
> The system returned:
> (71) Protocol error (TLS code:
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 Secure Server CA - G4
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
> Googling found:
> Used openssl.com to get the intermediate certs (2 hosts are referenced
> in parallel chains). The two certs looked like:
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> Added the certs to a file and that filename to my squid.conf on a line:
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
> restarted squid, but am still getting same error.
> Am I missing some obvious step?
# TAG: sslproxy_foreign_intermediate_certs
# Many origin servers fail to send their full server certificate
# chain for verification, assuming the client already has or can
# easily locate any missing intermediate certificates.
# Squid uses the certificates from the specified file to fill in
# these missing chains when trying to validate origin server
# certificate chains.
# The file is expected to contain zero or more PEM-encoded
# intermediate certificates. These certificates are not treated
# as trusted root certificates, and any self-signed certificate in
# this file will be ignored.
> Looking for a clue... ;-)
> squid-users mailing list
> squid-users at lists.squid-cache.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: OpenPGP digital signature
More information about the squid-users