[squid-users] Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia sodhia.rohit at gmail.com
Mon Sep 11 20:18:39 UTC 2017


Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so I guess
I'll have to learn how to compile it myself; never compiled a package
before.

On Mon, Sep 11, 2017 at 4:17 PM, Yuri <yvoinov at gmail.com> wrote:

> Hardly,
>
> most probably it's something in the repo's package. However, an upgrade is always
> recommended, especially with modern functionality. It changes fast enough.
>
> 12.09.2017 2:15, Rohit Sodhia writes:
>
> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
> problem?
>
> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <yvoinov at gmail.com> wrote:
>
>> Seems the latest 4.0.21 is good enough. Most critical SSL-related bugs are
>> closed or almost closed.
>>
>> At least the latest 3.5.27 is released. AFAIK this is the minimum for
>> problem-free running.
>>
>> Repository software sometimes has strange quirks, or is sometimes rancid.
>> 12.09.2017 2:05, Rohit Sodhia writes:
>>
>> I'll try to find it, but I read a few articles/SO questions that
>> suggested there were bugs in 4 relating to SSL bumping? If they were wrong,
>> I'd be glad to go forward. Should I be removing the yum squid package and
>> compile my own? Is 3.5 problematic besides being old?
>>
>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <yvoinov at gmail.com> wrote:
>>
>>> Wait. Squid 3.5.20? So ancient?
>>>
>>> 12.09.2017 1:58, Rohit Sodhia writes:
>>>
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> I used the line from the Stack Overflow question I linked earlier.
>>>
>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <yvoinov at gmail.com> wrote:
>>>
>>>> Well. Let's check more deeply.
>>>>
>>>> Show me the sslcrtd_program parameter in your squid.conf
>>>>
>>>> 12.09.2017 1:23, Rohit Sodhia writes:
>>>>
>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>
>>>> I found that the user squid and group squid existed already, so I added
>>>>
>>>> cache_effective_user squid
>>>> cache_effective_group squid
>>>>
>>>> to my config (first two lines), made sure /var/lib/ssl_db and its
>>>> contents were set to squid:squid and restarted the service, but I'm still
>>>> getting the same error :(
>>>>
>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <sodhia.rohit at gmail.com>
>>>> wrote:
>>>>
>>>>> I'll try that immediately, thanks! I appreciate all your advice;
>>>>> hopefully I won't have to reach out again :p
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>
>>>>>> I'm not a Linux fanboy, but modern squid never runs as root. So, most
>>>>>> probably it runs as the nobody user.
>>>>>>
>>>>>> Ah, yes:
>>>>>>
>>>>>> #  TAG: cache_effective_user
>>>>>> #    If you start Squid as root, it will change its effective/real
>>>>>> #    UID/GID to the user specified below.  The default is to change
>>>>>> #    to UID of nobody.
>>>>>> #    see also; cache_effective_group
>>>>>> #Default:
>>>>>> # cache_effective_user nobody
>>>>>>
>>>>>> #  TAG: cache_effective_group
>>>>>> #    Squid sets the GID to the effective user's default group ID
>>>>>> #    (taken from the password file) and supplementary group list
>>>>>> #    from the groups membership.
>>>>>> #
>>>>>> #    If you want Squid to run with a specific GID regardless of
>>>>>> #    the group memberships of the effective user then set this
>>>>>> #    to the group (or GID) you want Squid to run as. When set
>>>>>> #    all other group privileges of the effective user are ignored
>>>>>> #    and only this GID is effective. If Squid is not started as
>>>>>> #    root the user starting Squid MUST be member of the specified
>>>>>> #    group.
>>>>>> #
>>>>>> #    This option is not recommended by the Squid Team.
>>>>>> #    Our preference is for administrators to configure a secure
>>>>>> #    user account for squid with UID/GID matching system policies.
>>>>>> #Default:
>>>>>> # Use system group memberships of the cache_effective_user account
>>>>>>
>>>>>> As documented. :)
>>>>>>
>>>>>> AFAIK the best solution is to create a non-privileged group & user (like
>>>>>> squid/squid) and set both of these parameters explicitly.
>>>>>>
>>>>>> Then change the owner recursively on the SSL cache to this user.
>>>>>>
>>>>>> 12.09.2017 0:36, Rohit Sodhia writes:
>>>>>>
>>>>>> Neither of those values is set in my config. Even though I'm not
>>>>>> using squid for caching, do I need those values? They aren't set in the
>>>>>> default configs either.
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>
>>>>>>> Most probably your squid runs as a user other than squid.
>>>>>>>
>>>>>>> Check your squid.conf for the cache_effective_user and
>>>>>>> cache_effective_group values.
>>>>>>>
>>>>>>> Then change the SSL cache permissions to these values. Should work.
>>>>>>>
>>>>>>> 12.09.2017 0:30, Rohit Sodhia writes:
>>>>>>>
>>>>>>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it
>>>>>>> set it up like that. I changed the owner and group to squid:squid and tried
>>>>>>> restarting squid, but still get the same errors. I thought to run the
>>>>>>> command again, but this time it says
>>>>>>>
>>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>>
>>>>>>> If this folder has incorrect permissions are there possibly other
>>>>>>> permission issues?
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>>
>>>>>>>> Here is the root of your problem.
>>>>>>>>
>>>>>>>> Should be (on my setups):
>>>>>>>>
>>>>>>>> # ls -al /var/lib/ssl_db
>>>>>>>> total 326
>>>>>>>> drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>>>>>> drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>>>>>> drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>>>> -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>>>>>
>>>>>>>> I.e., Squid has no access to the SSL cache dir structures.
>>>>>>>>
>>>>>>>> 12.09.2017 0:23, Rohit Sodhia writes:
>>>>>>>>
>>>>>>>> total 8
>>>>>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Show output of
>>>>>>>>>
>>>>>>>>> ls -al /var/lib/ssl_db
>>>>>>>>>
>>>>>>>>> 12.09.2017 0:21, Rohit Sodhia writes:
>>>>>>>>>
>>>>>>>>> Yes, but telling me it's crashing unfortunately doesn't help me
>>>>>>>>> figure out why or how to fix it. I've run the command it suggests but it
>>>>>>>>> doesn't help. I'm unfortunately not an ops guy familiar with this kind of
>>>>>>>>> stuff; I don't see anything on how to figure out what to do about it.
>>>>>>>>>
>>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> It tells you what happens.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 11.09.2017 23:50, Rohit Sodhia writes:
>>>>>>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
>>>>>>>>>> > /var/lib/ssl_db".
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> squid-users mailing list
>>>>>>>>>> squid-users at lists.squid-cache.org
>>>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
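The thread's diagnosis boils down to three checks: the directory named by `sslcrtd_program -s` exists, it has been initialized by `ssl_crtd -c` (a `certs` subdirectory plus `index.txt` and `size`), and every entry is owned by the account Squid actually drops to (`cache_effective_user`, defaulting to `nobody`, and `cache_effective_group` if set). The following shell script is an added example, not code from the thread or from the Squid project: it reads those directives out of a `squid.conf` and reports each mismatch, so the "helpers crashing too quickly" symptom can be traced to a permission or initialization problem before restarting the service. The function names (`squid_directive`, `ssl_db_dir`, `check_ssl_db`, `make_demo_conf`, `init_demo_db`) are hypothetical, it assumes POSIX `sh`, `sed`, `awk`, `ls` and `mktemp`, and the demo helpers build a constructed `squid.conf` and database layout in a scratch directory rather than touching `/var/lib/ssl_db`.

```shell
#!/bin/sh
# Added example (not from the thread or Squid): verify that the ssl_crtd
# certificate database is initialized and owned by Squid's effective user.

# Print the value of a squid.conf directive (last uncommented occurrence wins,
# trailing whitespace dropped), or the given default when it is not set.
squid_directive() {
    # $1 = squid.conf path, $2 = directive name, $3 = default value
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print the directory passed to sslcrtd_program via -s; fail if there is none.
ssl_db_dir() {
    set -- $(squid_directive "$1" sslcrtd_program "")
    while [ $# -ge 2 ]; do
        if [ "$1" = "-s" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}

# Check database layout and ownership; prints each finding, returns 0 if clean.
check_ssl_db() {
    conf=$1
    user=$(squid_directive "$conf" cache_effective_user nobody)  # Squid's documented default
    group=$(squid_directive "$conf" cache_effective_group "")    # empty = user's own groups
    dir=$(ssl_db_dir "$conf") || { echo "sslcrtd_program has no -s <dir>"; return 1; }
    rc=0
    for f in "$dir" "$dir/certs" "$dir/index.txt" "$dir/size"; do
        if [ ! -e "$f" ]; then
            echo "missing $f: initialize with: ssl_crtd -c -s $dir (run as $user)"
            rc=1
            continue
        fi
        # ls -ld fields: perms links owner group ... (portable, unlike stat -c)
        owner=$(ls -ld "$f" | awk '{print $3}')
        grp=$(ls -ld "$f" | awk '{print $4}')
        [ "$owner" = "$user" ] || { echo "$f is owned by $owner, expected $user"; rc=1; }
        if [ -n "$group" ] && [ "$grp" != "$group" ]; then
            echo "$f has group $grp, expected $group"; rc=1
        fi
    done
    return $rc
}

# Build a constructed squid.conf (sample values, not a real deployment) under
# $1 that points at $1/ssl_db and names the current user as Squid's account.
# The group is taken from the scratch dir so new entries match it on any OS.
make_demo_conf() {
    cat > "$1/squid.conf" <<EOF
# constructed sample config
cache_effective_user $(id -un)
cache_effective_group $(ls -ld "$1" | awk '{print $4}')
http_port 3128 ssl-bump
sslcrtd_program /usr/lib64/squid/ssl_crtd -s $1/ssl_db -M 4MB
EOF
}

# Mimic the layout that "ssl_crtd -c -s <dir>" creates: certs/, index.txt, size.
init_demo_db() {
    mkdir -p "$1/certs" && : > "$1/index.txt" && printf '0\n' > "$1/size"
}

# Against a real host the call would be:  check_ssl_db /etc/squid/squid.conf
```

Run as root on the proxy (so `ls` can read the directory), a non-zero exit with "missing" lines means the database was never initialized for that path, while "owned by" lines mean the `chown -R` to the effective user has not been done or was done against the wrong account; both are the two states the thread walks through.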