[squid-users] SSL reverse proxy cert error

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 5 04:31:55 UTC 2018

On 5/09/18 4:05 PM, Hariharan Sethuraman wrote:
> Hi All,
> I have my https_port 443 in reverse proxy. When a client sends a GET
> request, the rewrite correctly rewrites the URL, and that rewritten GET
> request fails with the error below.
> 2018/09/05 03:03:38| Error negotiating SSL on FD 15: error:14007086:SSL
> routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> I don't know where to add the trusted certificates, because I don't know
> where to specify the trusted certificates in the /etc/ssl/certs directory.
> I have two ways to support:
> 1) I may have cache_peer parent proxy (next proxy to internet)

For a reverse-proxy the peer should be (or be towards) the origin, not
towards the public Internet.

Use the cache_peer tls-ca= option to tell Squid which specific CA that
peer/origin is supposed to be using.

> 2) I dont need to give any parent proxy (because this host is connected
> to internet without next proxy)

For connections directly to the Internet (which a reverse-proxy cannot
make without being forced) the global "Trusted CA" set is used by
default; there is nothing to be done in that regard.

You can choose to disable them with:

  tls_outgoing_options default-ca=off

If you need to make Squid trust a specific CA which is not one of the
global trusted set (eg private for your use, or self-signed) then use:

  tls_outgoing_options cafile=/path/to/ca.pem

You can also combine the above settings so only the few global CAs which
you actually trust get loaded. The cafile= option can be repeated in
Squid-4 to load multiple CA details.


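The two cases above, put together as a constructed squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the hostnames, file paths and the "origin" peer name are assumptions. It uses the Squid-4 spelling of the cache_peer CA option, tls-cafile=, for the per-peer CA, and tls_outgoing_options for the direct-to-Internet case.

```squid
# Constructed example: reverse proxy on 443 whose origin uses a private CA.
# Listening side: the certificate Squid presents to browsers (assumed paths).
https_port 443 accel defaultsite=www.example.test \
    tls-cert=/etc/squid/frontend.crt tls-key=/etc/squid/frontend.key

# Case 1: traffic goes to the origin through a cache_peer.
# Without tls-cafile=, Squid verifies the origin's certificate against the
# global trusted set only, and a private-CA origin fails with
# "certificate verify failed". tls-cafile= names the CA that signed the
# origin's certificate; tls-default-ca=off keeps the global set out of it
# so only that CA is accepted for this peer.
cache_peer origin.internal.test parent 443 0 no-query originserver \
    name=origin tls \
    tls-cafile=/etc/squid/origin-ca.pem \
    tls-default-ca=off \
    tls-domain=origin.internal.test
cache_peer_access origin allow all
never_direct allow all

# Case 2: no parent; Squid connects to the origin itself. The global
# trusted CAs apply by default. Add the private CA to them (cafile= may be
# repeated in Squid-4), and optionally drop the global set with
# default-ca=off so that only the listed CAs are trusted.
tls_outgoing_options cafile=/etc/squid/origin-ca.pem
# tls_outgoing_options default-ca=off cafile=/etc/squid/origin-ca.pem
```

Before reloading Squid, the CA file can be checked against the origin from the proxy host with `openssl s_client -connect origin.internal.test:443 -CAfile /etc/squid/origin-ca.pem`; if that reports a verify error, Squid will report the same failure. Setting tls-domain= on the peer also makes Squid check that the origin certificate matches the expected name rather than whatever address the peer resolves to.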