[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Rafael Akchurin rafael.akchurin at diladele.com
Thu Sep 7 21:42:47 UTC 2017 

Hello LA, Yuri,

The server analysis at https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87&latest shows the certificate chain presented by the remote server is indeed incomplete, specifically the following certificate is not presented:

---
Symantec Class 3 Secure Server CA - G4
Fingerprint SHA256: eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
RSA 2048 bits (e 65537) / SHA256withRSA
---

Adding it to the intermediate certificate file as indicated on https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended and reloading Squid 3.5.23 allows to successfully see and bump the site.

Our UI generates exactly the same config setting as you have tried:
sslproxy_foreign_intermediate_certs /opt/websafety/etc/squid/foreign_intermediate_certs.pem

So it must be working :)

Best regards,
Rafael Akchurin
Diladele B.V.



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of L A Walsh
Sent: Thursday, September 7, 2017 11:15 PM
To: squid-users at squid-cache.org
Subject: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Got an error message from squid where I'm doing https-bumping:

--------------------------
The following error was encountered while trying to retrieve the URL: 
https://help.ea.com/

    *Failed to establish a secure connection to 52.0.220.87*

The system returned:

    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known:
    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
    Class 3 Secure Server CA - G4

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

--------------------------------

Googling found:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html

Used openssl.com to get the intermediate certs (2 hosts are referenced in parallel chains).  The two certs looked like:

-----BEGIN CERTIFICATE-----
...hexstuff==
-----END CERTIFICATE-----


Added the certs to a file and that filename to my squid.conf on a line:

sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem

restarted squid, but am still getting same error.

Am I missing some obvious step?

Looking for a clue... ;-)

Thanks!
-l






_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list