[squid-users] Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri yvoinov at gmail.com
Mon Sep 11 20:07:44 UTC 2017


It seems the latest 4.0.21 is good enough. Most critical SSL-related bugs
are almost closed or closed.

At least the latest 3.5.27 is released. AFAIK this is the minimum for
problem-free running.

Repository software sometimes has strange quirks, or is sometimes rancid.

12.09.2017 2:05, Rohit Sodhia writes:
> I'll try to find it, but I read a few articles/SO questions that
> suggested there were bugs in 4 relating to SSL bumping? If they were
> wrong, I'd be glad to go forward. Should I be removing the yum squid
> package and compile my own? Is 3.5 problematic besides being old?
>
> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <yvoinov at gmail.com
> <mailto:yvoinov at gmail.com>> wrote:
>
>     Wait. Squid 3.5.20? So ancient?
>
>
>     12.09.2017 1:58, Rohit Sodhia writes:
>>     sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>
>>     I used the line from the Stack Overflow question I linked earlier.
>>
>>     On Mon, Sep 11, 2017 at 3:41 PM, Yuri <yvoinov at gmail.com
>>     <mailto:yvoinov at gmail.com>> wrote:
>>
>>         Well. Let's check more deeply.
>>
>>         Show me parameter sslcrtd_program in your squid.conf
>>
>>
>>         12.09.2017 1:23, Rohit Sodhia writes:
>>>         Unfortunately, no luck yet. Thank you again for your help
>>>         before.
>>>
>>>         I found that the user squid and group squid existed already,
>>>         so I added
>>>
>>>         cache_effective_user squid
>>>         cache_effective_group squid
>>>
>>>         to my config (first two lines), made sure /var/lib/ssl_db
>>>         and its contents were set to squid:squid and restarted the
>>>         service, but I'm still getting the same error :(
>>>
>>>         On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia
>>>         <sodhia.rohit at gmail.com <mailto:sodhia.rohit at gmail.com>> wrote:
>>>
>>>             I'll try that immediately, thanks! I appreciate all your
>>>             advice; hopefully I won't have to reach out again :p
>>>
>>>             On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoinov at gmail.com
>>>             <mailto:yvoinov at gmail.com>> wrote:
>>>
>>>                 I'm not a Linux fanboy, but modern squid never runs as
>>>                 root. So, most probably it runs as the nobody user.
>>>
>>>                 Ah, yes:
>>>
>>>                 #  TAG: cache_effective_user
>>>                 #    If you start Squid as root, it will change its effective/real
>>>                 #    UID/GID to the user specified below.  The default is to change
>>>                 #    to UID of nobody.
>>>                 #    see also; cache_effective_group
>>>                 #Default:
>>>                 # cache_effective_user nobody
>>>
>>>                 #  TAG: cache_effective_group
>>>                 #    Squid sets the GID to the effective user's default group ID
>>>                 #    (taken from the password file) and supplementary group list
>>>                 #    from the groups membership.
>>>                 #
>>>                 #    If you want Squid to run with a specific GID regardless of
>>>                 #    the group memberships of the effective user then set this
>>>                 #    to the group (or GID) you want Squid to run as. When set
>>>                 #    all other group privileges of the effective user are ignored
>>>                 #    and only this GID is effective. If Squid is not started as
>>>                 #    root the user starting Squid MUST be member of the specified
>>>                 #    group.
>>>                 #
>>>                 #    This option is not recommended by the Squid Team.
>>>                 #    Our preference is for administrators to configure a secure
>>>                 #    user account for squid with UID/GID matching system policies.
>>>                 #Default:
>>>                 # Use system group memberships of the cache_effective_user account
>>>
>>>                 As documented. :)
>>>
>>>                 AFAIK the best solution is to create a non-privileged group &
>>>                 user (like squid/squid) and set both these parameters
>>>                 explicitly.
>>>
>>>                 Then change owner recursively on SSL cache to this user.
>>>
>>>
>>>                 12.09.2017 0:36, Rohit Sodhia writes:
>>>>                 Neither of those values is set in my config. Even
>>>>                 though I'm not using squid for caching, I need
>>>>                 those values? They aren't set in the default
>>>>                 configs either.
>>>>
>>>>                 On Mon, Sep 11, 2017 at 2:33 PM, Yuri
>>>>                 <yvoinov at gmail.com <mailto:yvoinov at gmail.com>> wrote:
>>>>
>>>>                     Most probably your squid runs as another user
>>>>                     than squid.
>>>>
>>>>                     Check your squid.conf for cache_effective_user
>>>>                     and cache_effective_group values.
>>>>
>>>>                     Then change SSL cache permissions to these
>>>>                     values. Should work.
>>>>
>>>>
>>>>                     12.09.2017 0:30, Rohit Sodhia writes:
>>>>>                     Thanks for the feedback! I just used yum (it's
>>>>>                     a CentOS 7 VB) and it set it up like that. I
>>>>>                     changed the owner and group to squid:squid and
>>>>>                     tried restarting squid, but still get the same
>>>>>                     errors. I thought to run the command again,
>>>>>                     but this time it says
>>>>>
>>>>>                     /usr/lib64/squid/ssl_crtd: Cannot create
>>>>>                     /var/lib/ssl_db
>>>>>
>>>>>                     If this folder has incorrect permissions are
>>>>>                     there possibly other permission issues?
>>>>>
>>>>>                     On Mon, Sep 11, 2017 at 2:25 PM, Yuri
>>>>>                     <yvoinov at gmail.com <mailto:yvoinov at gmail.com>>
>>>>>                     wrote:
>>>>>
>>>>>                         Here is the root of your problem.
>>>>>
>>>>>                         Should be (on my setups):
>>>>>
>>>>>                         # ls -al /var/lib/ssl_db
>>>>>                         total 326
>>>>>                         drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>>>                         drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>>>                         drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>>>                         -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>                         -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>>
>>>>>                         I.e. Squid has no access to SSL cache dir
>>>>>                         structures.
>>>>>
>>>>>
>>>>>                         12.09.2017 0:23, Rohit Sodhia writes:
>>>>>>                         total 8
>>>>>>                         drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>                         drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>                         drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>                         -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>                         -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>
>>>>>>
>>>>>>                         On Mon, Sep 11, 2017 at 2:22 PM, Yuri
>>>>>>                         <yvoinov at gmail.com
>>>>>>                         <mailto:yvoinov at gmail.com>> wrote:
>>>>>>
>>>>>>                             Show output of
>>>>>>
>>>>>>                             ls -al /var/lib/ssl_db
>>>>>>
>>>>>>
>>>>>>                             12.09.2017 0:21, Rohit Sodhia writes:
>>>>>>>                             Yes, but telling me it's crashing
>>>>>>>                             unfortunately doesn't help me figure
>>>>>>>                             out why or how to fix it. I've run
>>>>>>>                             the command it suggests but it
>>>>>>>                             doesn't help. I'm unfortunately not
>>>>>>>                             an ops guy familiar with this kind
>>>>>>>                             of stuff; I don't see anything on
>>>>>>>                             how to figure out what to do about it.
>>>>>>>
>>>>>>>                             On Mon, Sep 11, 2017 at 2:17 PM,
>>>>>>>                             Yuri <yvoinov at gmail.com
>>>>>>>                             <mailto:yvoinov at gmail.com>> wrote:
>>>>>>>
>>>>>>>                                 It tells you what happens.
>>>>>>>
>>>>>>>
>>>>>>>                                 11.09.2017 23:50, Rohit Sodhia writes:
>>>>>>>                                 > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>                                 > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>>>

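The whole thread boils down to one mismatch: the ssl_crtd helper is started as the cache_effective_user account, but /var/lib/ssl_db was created by root, so the helper cannot open or write its database and Squid keeps respawning it. The script below is an added example, not code from the thread or from the Squid project: it reads cache_effective_user, cache_effective_group and the "-s" path from sslcrtd_program out of squid.conf (defaulting to nobody, as the documentation quoted above says), then walks the database directory and counts every entry not owned by that account. It assumes GNU coreutils (stat -c) and the directive spellings shown in the thread; the function and variable names are my own.

```shell
#!/bin/sh
# Added check (not from the thread): confirm that the ssl_crtd certificate
# database is owned by the account Squid actually drops privileges to.
# Assumes GNU coreutils (stat -c) and the squid.conf directives shown in
# the thread; the default of "nobody" mirrors the documented default.

# Print the first value of a squid.conf directive, or DEFAULT when absent.
# Commented-out lines start with "#" in field 1, so they never match.
conf_value() {
    conf="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$default"
}

# Extract the "-s <dir>" argument of sslcrtd_program (the SSL database path),
# so the check follows whatever path the admin configured, not a hard-coded one.
ssl_db_dir() {
    awk '$1 == "sslcrtd_program" {
        for (i = 2; i < NF; i++) if ($i == "-s") { print $(i+1); exit }
    }' "$1"
}

# Count entries under DIR not owned by USER (and by GROUP, when GROUP is given).
# A non-zero count is exactly the thread's failure: a root-owned database the
# unprivileged helper cannot use, reported by Squid as the helper "crashing".
count_bad_owner() {
    dir="$1"; user="$2"; group="$3"
    find "$dir" -exec stat -c '%U %G %n' {} + | awk -v u="$user" -v g="$group" '
        $1 != u || (g != "" && $2 != g) { bad++ }
        END { print bad + 0 }'
}

# Full check against one squid.conf. Returns 0 when ownership is consistent,
# 1 when some entries are wrongly owned, 2 when the config or directory is
# unusable (the directory must first be created with "ssl_crtd -c -s <dir>").
check_squid_ssl_db() {
    conf="$1"
    user=$(conf_value "$conf" cache_effective_user nobody)
    group=$(conf_value "$conf" cache_effective_group "")
    dir=$(ssl_db_dir "$conf")
    if [ -z "$dir" ]; then
        echo "no 'sslcrtd_program ... -s <dir>' line in $conf" >&2; return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir missing: initialise it with 'ssl_crtd -c -s $dir' as $user" >&2; return 2
    fi
    bad=$(count_bad_owner "$dir" "$user" "$group")
    echo "$bad entries under $dir not owned by ${user}${group:+:$group}"
    [ "$bad" -eq 0 ]
}

# Usage: sh check_ssl_db.sh /etc/squid/squid.conf
if [ $# -eq 1 ]; then
    check_squid_ssl_db "$1"
fi
```

When the count is non-zero, the fix is the one Yuri gives: set cache_effective_user and cache_effective_group explicitly and chown the database recursively to that account (or delete it and re-run "ssl_crtd -c -s" as that account, so the helper creates it with the right owner from the start). The group check is optional because, as the quoted documentation notes, Squid normally takes the group from the effective user's password-file entry.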