[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri yvoinov at gmail.com
Thu Sep 7 21:26:27 UTC 2017


Also, Symantec's roots may already have been removed from most bundles
(you should have heard about it, haven't you?).

So it may be necessary to add Symantec's root(s) manually to the proxy's
root CA bundle.


08.09.2017 3:24, Yuri wrote:
> Ooooops,
>
> missed the end of the message :)
>
> Check the whole CA chain. It is possible your root CA bundle is not complete.
>
> I usually use root CAs from Mozilla (added to squid.conf as one file)
> and my own self-supported intermediate CA list (file).
>
> But in addition I'm using Squid 5.x with a working cert downloader ;)
>
>
> 08.09.2017 3:14, L A Walsh wrote:
>> Got an error message from squid where I'm doing https-bumping:
>>
>> --------------------------
>> The following error was encountered while trying to retrieve the URL:
>> https://help.ea.com/
>>
>>    *Failed to establish a secure connection to 52.0.220.87*
>>
>> The system returned:
>>
>>    (71) Protocol error (TLS code:
>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>
>>    SSL Certficate error: certificate issuer (CA) not known:
>>    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
>>    Class 3 Secure Server CA - G4
>>
>> This proxy and the remote host failed to negotiate a mutually
>> acceptable security settings for handling your request. It is possible
>> that the remote host does not support secure connections, or the proxy
>> is not satisfied with the host security credentials.
>>
>> --------------------------------
>>
>> Googling found:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>>
>>
>> Used openssl.com to get the intermediate certs (2 hosts are referenced
>> in parallel chains).  The two certs looked like:
>>
>> -----BEGIN CERTIFICATE-----
>> ...hexstuff==
>> -----END CERTIFICATE-----
>>
>>
>> Added the certs to a file and that filename to my squid.conf on a line:
>>
>> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>>
>> restarted squid, but am still getting same error.
>>
>> Am I missing some obvious step?
>>
>> Looking for a clue... ;-)
>>
>> Thanks!
>> -l
>
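
Added example (not part of the original messages and not Squid's own code): an offline check of the two things discussed above, whether the intermediates file supplies the server certificate's issuer and whether the root bundle contains the root that chain ends in. It builds a throwaway three-level chain with openssl (all subjects and file names are constructed) and reports what `openssl verify` says for each combination; with real files, pass the root bundle, the intermediates file and the server certificate to the hypothetical helper chain_status.

```shell
#!/usr/bin/env bash
# Added example: every subject, file name and directory here is constructed for the demo.
new_key_csr() {  # $1 = work dir, $2 = file stem, $3 = subject
  openssl req -config "$1/o.cnf" -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
make_chain() {  # $1 = work dir; builds Demo root -> Demo Intermediate -> demo.example
  local d=$1 ca
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = Common Name' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/o.cnf"
  for ca in root other; do  # "other" = unrelated root, i.e. a bundle that lacks the real one
    openssl req -config "$d/o.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
      -days 2 -subj "/CN=Demo $ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  new_key_csr "$d" int '/CN=Demo Intermediate'
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/o.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  new_key_csr "$d" leaf '/CN=demo.example'
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}
# $1 = root CA bundle, $2 = intermediates file ('' for none), $3 = server certificate.
# Prints OK, or the first failure as "error=<code> depth=<n>" (depth 0 is the server cert).
chain_status() {
  local out
  out=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$3" 2>&1) || true
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo OK
  else
    printf '%s\n' "$out" |
      sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/error=\1 depth=\2/p' | head -n 1
  fi
}
demo() {
  local d; d=$(mktemp -d); make_chain "$d"
  echo "root bundle only:           $(chain_status "$d/root.pem" '' "$d/leaf.pem")"
  echo "bundle + intermediates:     $(chain_status "$d/root.pem" "$d/int.pem" "$d/leaf.pem")"
  echo "issuing root not in bundle: $(chain_status "$d/other.pem" "$d/int.pem" "$d/leaf.pem")"
  rm -rf "$d"
}
demo
```

A failure at depth 0 means the intermediates file did not supply the server certificate's issuer; a failure at depth 1 or higher means the intermediates were found but the chain does not end at a root in the bundle.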

