[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri yvoinov at gmail.com
Thu Sep 7 21:24:25 UTC 2017


Ooooops,

missed the end of the message :)

Check the whole CA chain. It is possible your root CA bundle is not complete.

I usually use the root CAs from Mozilla (added to squid.conf as one file)
and my own self-supported list of intermediate CAs (file).

But in addition I'm using Squid 5.x with a working cert downloader ;)


08.09.2017 3:14, L A Walsh wrote:
> Got an error message from squid where I'm doing https-bumping:
>
> --------------------------
> The following error was encountered while trying to retrieve the URL:
> https://help.ea.com/
>
>    *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
>    (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
>    SSL Certficate error: certificate issuer (CA) not known:
>    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
>    Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> --------------------------------
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced
> in parallel chains).  The two certs looked like:
>
> -----BEGIN CERTIFICATE-----
> ...hexstuff==
> -----END CERTIFICATE-----
>
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?
>
> Looking for a clue... ;-)
>
> Thanks!
> -l
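
Added example, not part of either message and not Squid project code: a locally generated root, intermediate and leaf reproduce the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (error 20) failure with `openssl verify` and show the effect of an intermediates file and of an incomplete root bundle. All subjects and file names are constructed; `-CAfile` stands in for the proxy's trusted roots and `-untrusted` for the file named by sslproxy_foreign_intermediate_certs.

```shell
#!/bin/sh
# Constructed demo: root -> intermediate -> leaf, all generated locally.
# -CAfile stands in for the proxy's trusted root bundle, -untrusted for the
# file named by sslproxy_foreign_intermediate_certs (an analogy, not Squid code).

new_csr() {  # $1 = file prefix, $2 = subject CN (constructed names)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

self_sign() {  # $1 = file prefix; writes a self-signed CA certificate
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
        -extfile "${1%/*}/ca.ext" -out "$1.pem" 2>/dev/null
}

make_chain() {  # $1 = empty working directory
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    new_csr "$d/root" "Demo Root CA";        self_sign "$d/root"
    new_csr "$d/other" "Unrelated Root CA";  self_sign "$d/other"
    new_csr "$d/int" "Demo Intermediate CA"
    new_csr "$d/leaf" "www.example.test"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# $1 = leaf, $2 = trusted roots, $3 = optional intermediates file.
# Prints OK, or "<verify error>@<depth>". Error 20 is
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; the depth shows which
# certificate in the chain lacks an issuer (0 = leaf, 1 = intermediate).
verify_leaf() {
    if out=$(openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/\1@\2/p' | head -n 1
    fi
}

demo() {
    w=$(mktemp -d) && make_chain "$w" || return 1
    echo "no intermediates file:    $(verify_leaf "$w/leaf.pem" "$w/root.pem")"
    echo "with intermediates file:  $(verify_leaf "$w/leaf.pem" "$w/root.pem" "$w/int.pem")"
    echo "root missing from bundle: $(verify_leaf "$w/leaf.pem" "$w/other.pem" "$w/int.pem")"
    rm -rf "$w"
}
demo
```

A failure at depth 0 means the intermediate that signed the server certificate was not found; a failure at depth 1 with the intermediates file supplied means the root that signed the intermediate is absent from the trusted bundle.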

