[squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri yvoinov at gmail.com
Thu Sep 7 21:44:40 UTC 2017 

Hi, Raf. Just checking on two my servers - works like charm without any
movings :) I'm already have good intermediate CA's bundle :)


08.09.2017 3:42, Rafael Akchurin пишет:
> Hello LA, Yuri,
>
> The server analysis at https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87&latest shows the certificate chain presented by the remote server is indeed incomplete, specifically the following certificate is not presented:
>
> ---
> Symantec Class 3 Secure Server CA - G4
> Fingerprint SHA256: eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
> Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
> RSA 2048 bits (e 65537) / SHA256withRSA
> ---
>
> Adding it to the intermediate certificate file as indicated on https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended and reloading Squid 3.5.23 allows to successfully see and bump the site.
>
> Our UI generates exactly the same config setting as you have tried:
> sslproxy_foreign_intermediate_certs /opt/websafety/etc/squid/foreign_intermediate_certs.pem
>
> So it must be working :)
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of L A Walsh
> Sent: Thursday, September 7, 2017 11:15 PM
> To: squid-users at squid-cache.org
> Subject: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?
>
> Got an error message from squid where I'm doing https-bumping:
>
> --------------------------
> The following error was encountered while trying to retrieve the URL: 
> https://help.ea.com/
>
>     *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
>     (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
>     SSL Certficate error: certificate issuer (CA) not known:
>     /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
>     Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
>
> --------------------------------
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced in parallel chains).  The two certs looked like:
>
> -----BEGIN CERTIFICATE-----
> ...hexstuff==
> -----END CERTIFICATE-----
>
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?
>
> Looking for a clue... ;-)
>
> Thanks!
> -l
>
>
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170908/f2590d02/attachment-0001.sig>

More information about the squid-users mailing list