[squid-users] Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly
Yuri
yvoinov at gmail.com
Mon Sep 11 20:19:50 UTC 2017
Everything happens once for the first time ;)

12.09.2017 2:18, Rohit Sodhia writes:
> Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess I'll have to learn how to compile it myself; never compiled a package before.
>
> On Mon, Sep 11, 2017 at 4:17 PM, Yuri <yvoinov at gmail.com> wrote:
>
> Hardly,
>
> most probably something in the repo's package. However, an upgrade is always recommended, especially with modern functionality. It changes fast enough.
>
> 12.09.2017 2:15, Rohit Sodhia writes:
>> Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the problem?
>>
>> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <yvoinov at gmail.com> wrote:
>>
>> Seems latest 4.0.21 is good enough. Most critical SSL-related bugs are almost closed or closed.
>>
>> At least latest 3.5.27 is released. AFAIK this is the minimum for problem-free running.
>>
>> Repository software sometimes has strange quirks, or is sometimes rancid.
>>
>> 12.09.2017 2:05, Rohit Sodhia writes:
>>
>>> I'll try to find it, but I read a few articles/SO questions that suggested there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be glad to go forward. Should I be removing the yum squid package and compiling my own? Is 3.5 problematic besides being old?
>>>
>>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <yvoinov at gmail.com> wrote:
>>>
>>> Wait. Squid 3.5.20? So ancient?
>>>
>>> 12.09.2017 1:58, Rohit Sodhia writes:
>>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>> I used the line from the Stack Overflow question I linked earlier.
>>>>
>>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>
>>>> Well. Let's check more deeply.
>>>>
>>>> Show me the parameter sslcrtd_program in your squid.conf
>>>>
>>>> 12.09.2017 1:23, Rohit Sodhia writes:
>>>>> Unfortunately, no luck yet. Thank you again for your help before.
>>>>>
>>>>> I found that the user squid and group squid existed already, so I added
>>>>>
>>>>> cache_effective_user squid
>>>>> cache_effective_group squid
>>>>>
>>>>> to my config (first two lines), made sure /var/lib/ssl_db and its contents were set to squid:squid and restarted the service, but I'm still getting the same error :(
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <sodhia.rohit at gmail.com> wrote:
>>>>>
>>>>> I'll try that immediately, thanks! I appreciate all your advice; hopefully I won't have to reach out again :p
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>
>>>>> I'm not a Linux fanboy, but modern squid never runs as root. So, most probably it runs as the nobody user.
>>>>>
>>>>> Ah, yes:
>>>>>
>>>>> # TAG: cache_effective_user
>>>>> # If you start Squid as root, it will change its effective/real
>>>>> # UID/GID to the user specified below. The default is to change
>>>>> # to UID of nobody.
>>>>> # see also; cache_effective_group
>>>>> #Default:
>>>>> # cache_effective_user nobody
>>>>>
>>>>> # TAG: cache_effective_group
>>>>> # Squid sets the GID to the effective user's default group ID
>>>>> # (taken from the password file) and supplementary group list
>>>>> # from the groups membership.
>>>>> #
>>>>> # If you want Squid to run with a specific GID regardless of
>>>>> # the group memberships of the effective user then set this
>>>>> # to the group (or GID) you want Squid to run as. When set
>>>>> # all other group privileges of the effective user are ignored
>>>>> # and only this GID is effective. If Squid is not started as
>>>>> # root the user starting Squid MUST be member of the specified
>>>>> # group.
>>>>> #
>>>>> # This option is not recommended by the Squid Team.
>>>>> # Our preference is for administrators to configure a secure
>>>>> # user account for squid with UID/GID matching system policies.
>>>>> #Default:
>>>>> # Use system group memberships of the cache_effective_user account
>>>>>
>>>>> As documented. :)
>>>>>
>>>>> AFAIK the best solution is to create a non-privileged group & user (like squid/squid) and set both these parameters explicitly.
>>>>>
>>>>> Then change the owner recursively on the SSL cache to this user.
>>>>>
>>>>> 12.09.2017 0:36, Rohit Sodhia writes:
>>>>>> Neither of those values are set in my config. Even though I'm not using squid for caching, I need those values? They aren't set in the default configs either.
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>
>>>>>> Most probably your squid runs as another user than squid.
>>>>>>
>>>>>> Check your squid.conf for cache_effective_user and cache_effective_group values.
>>>>>>
>>>>>> Then change SSL cache permissions to these values. Should work.
>>>>>>
>>>>>> 12.09.2017 0:30, Rohit Sodhia writes:
>>>>>>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says
>>>>>>>
>>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>>
>>>>>>> If this folder has incorrect permissions, are there possibly other permission issues?
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>>
>>>>>>> Here is the root of your problem.
>>>>>>>
>>>>>>> Should be (on my setups):
>>>>>>>
>>>>>>> # ls -al /var/lib/ssl_db
>>>>>>> total 326
>>>>>>> drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>>>>> drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>>>>> drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>>>> -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>>>>
>>>>>>> I.e. Squid has no access to SSL cache dir structures.
>>>>>>>
>>>>>>> 12.09.2017 0:23, Rohit Sodhia writes:
>>>>>>>> total 8
>>>>>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Show output of
>>>>>>>>
>>>>>>>> ls -al /var/lib/ssl_db
>>>>>>>>
>>>>>>>> 12.09.2017 0:21, Rohit Sodhia writes:
>>>>>>>>> Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.
>>>>>>>>>
>>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> It tells you what happens.
>>>>>>>>>
>>>>>>>>> 11.09.2017 23:50, Rohit Sodhia writes:
>>>>>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> squid-users mailing list
>>>>>>>>> squid-users at lists.squid-cache.org
>>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
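The ownership mismatch diagnosed in the thread (ssl_db created as root:root while Squid drops to cache_effective_user) can be checked mechanically before restarting the helper. The script below is an added example written for this thread, not code from Squid or from either poster; it assumes GNU find/stat/awk on Linux, that squid.conf keeps each directive on one line, and that a squid.conf path is passed as the first argument.

```shell
#!/bin/sh
# Added diagnostic for this thread (not Squid's own code): confirm that the
# ssl_crtd database is owned by the account Squid actually drops to, which
# is the mismatch (root:root vs squid:squid) found above.
# Assumes GNU coreutils/find (Linux) and one directive per squid.conf line.

# First value of a directive in squid.conf; commented lines start with '#'
# so their $1 never equals the directive name.
conf_value() {              # conf_value <squid.conf> <directive>
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# The "-s <dir>" argument of sslcrtd_program, empty if not configured.
ssldb_from_conf() {         # ssldb_from_conf <squid.conf>
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
         }' "$1"
}

# Print every entry under <dir> whose owner is not <user>:<group>.
# Returns 0 when all match, 1 on a mismatch, 2 when <dir> is missing.
check_ssldb_owner() {       # check_ssldb_owner <dir> <user> <group>
    dir=$1 want="$2:$3"
    if [ ! -d "$dir" ]; then
        echo "missing $dir: initialize with 'ssl_crtd -c -s $dir'" >&2
        return 2
    fi
    offenders=$(find "$dir" -exec stat -c '%U:%G %n' {} + | awk -v w="$want" '$1 != w')
    [ -z "$offenders" ] && return 0
    printf 'wrong owner (want %s):\n%s\n' "$want" "$offenders" >&2
    return 1
}

# Resolve the effective user/group and db path from squid.conf and check.
# Defaults mirror the documented ones: user nobody, group = user's primary.
main() {                    # main <squid.conf>
    user=$(conf_value "$1" cache_effective_user);   user=${user:-nobody}
    group=$(conf_value "$1" cache_effective_group); group=${group:-$(id -gn "$user")}
    db=$(ssldb_from_conf "$1");                     db=${db:-/var/lib/ssl_db}
    check_ssldb_owner "$db" "$user" "$group"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

A non-zero exit lists the offending paths, so a `chown -R squid:squid` on the reported directory followed by a rerun of the script confirms the fix before Squid is restarted.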