[squid-users] squid https: using non-self-signed cert

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 19 16:49:10 UTC 2018

On 20/12/18 4:32 am, Meridoff wrote:
> 1) I just try to intercept https traffic. I use https_port ...
> cert=cert.pem capath=/dir . So squid can generate  sertificates based on
> file.cert as Root CA.


> So, my file.cert is combined from cert and key files. And it is not
> sefl-signed.

Please change your focus away from the "self-signed" term. As I wrote
earlier it is just a way of saying "Root CA".

The relevant thing is the "CA" part. What is special about CA is that
those certificates can be used to sign other certificates.
 Or in other words: CA cert are "signing SSL certificate".

> Checked by openssl: 
> openssl verify cert.pem
> cert.pem: CN = *.xxx.com <http://xxx.com>
> error 20 at 0 depth lookup:unable to get local issuer certificate
> And squid complains too: FATAL: No valid signing SSL certificate configured

These are very different messages.

OpenSSL is complaining that the PEM file contains a certificate which
cannot be validated by any CA it trusts.

Squid is complaining that the PEM file does not contain a CA cert + CA
key it can use for signing when generating leaf certificates.

> I think squid want to know who signed this cert - all cert chain to root
> cert. From where squid sholud know where to get all intermidiate CA
> certs for this cert.pem file ?

You have this slightly backwards. The PEM file is where Squid gets the
CA chain.

The PEM file should contain the CA cert + CA key Squid will be using to
generate leaf certs, plus any extra CA chain up to some CA the clients

> 2) In capath dir: is it neccesary to put here files in hash-format (as
> "man verify" for -CApath says): I mean for example 1234abcde.0 PEM-file
> in this dir.

Skip this. Like I said earlier that option is about other things not
relevant to your problem.

Your problem is that you are trying to use a leaf certificate for HTTPS
interception. You need a CA certificate.

The PEM file can contain:
 * an intermediary CA cert, or
 * a root CA cert (aka self-signed cert), or
 * a chain of intermediary CA certs, or
 * a chain of intermediary CA certs and their root CA cert.

Notice the constant detail in all those: "CA cert".


More information about the squid-users mailing list