[squid-users] | Ignoring non-issuer CA from ... while squid -kparse

Amos Jeffries squid3 at treenet.co.nz
Sun Feb 24 08:13:59 UTC 2019


On 24/02/19 3:36 pm, eliezer wrote:
> I am testing intermediate certificates and I have just created a key
> and certificate files.
> 
> The http line for ssl bump is:
> 
> http_port 23128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB  cert=/etc/squid/ssl_cert/cert.pem
> key=/etc/squid/ssl_cert/key.pem
> 
> While running squid -kparse I get the next output:
> 
> 2019/02/24 04:28:03| Using certificate in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Using certificate chain in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Ignoring non-issuer CA from
> /etc/squid/ssl_cert/cert.pem: /C=IL/ST=Shomron/O=NgTech
> LTD/CN=pxaa13a65c.ngtech.co.il
> 
> ## END OF OUTPUT SNIPPET
> 
> 
> I am not sure how to look at this.
> 
> I am almost sure I did something wrong, maybe when I created the root CA
> or the intermediate?
> 


Since you are not using a self-signed cert, Squid is checking the
cert.pem file to see if any chain CAs exist in there.

Squid found one CA cert in the file and determined that it was not an
Issuer to place in the chain *after* the known signing CA.


Since this is the same file the cert= value came from, you should expect
the first thing that it finds is the signing CA cert. That already
exists in the known bit of chain and is not its own Issuer. So it should be
skipped.


From your description the root CA was next in the chain and already
configured into the browser. So you should not see any chain info
actually loaded for this setup. Though if you want to send even the root
CA you could add it to the file and Squid would send the full chain.


There is only a problem if:

 * the file being loaded is not one you wanted to load, or
 * the displayed CN is something you did not expect to see in that file, or
 * the CA with that CN is supposed to be part of the CA chain which
signed/issued your cert= certificate:
  - Issuer sequence broken, or
  - Issuer sequence missing an entry, or
  - CAs not in correct chain order in the file.

Amos
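Added example (not part of Amos's reply and not Squid's own code): the script below builds a root -> intermediate -> leaf chain with openssl, assembles three cert= style bundles (correct order, CAs in the wrong order, intermediate missing), and checks the Issuer-to-Subject linkage that the "Ignoring non-issuer CA" message is about. The chain_check function emulates the behaviour described in the reply (walk the certs after the first one and keep only those that are the Issuer of the current chain end); it is modelled on the log line quoted in this thread, not on Squid's source, and it does not distinguish CA certs from end-entity certs. All subjects (Example Root CA, Example Intermediate CA, proxy.example.test), file names and the temporary work directory are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Squid: build a
# root -> intermediate -> leaf chain, assemble the cert= bundle, and check
# the Issuer/Subject linkage behind "Ignoring non-issuer CA".
# All subjects, file names and the work directory are constructed here.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Self-contained openssl config so nothing depends on the system openssl.cnf.
# An intermediate must carry CA:TRUE, or it can never be accepted as an Issuer.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# Root CA (self-signed): the thing the browser trusts.
newkey root.key
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 365 \
  -config ca.cnf -out root.pem 2>/dev/null

# Intermediate CA, issued by the root.
newkey inter.key
openssl req -new -key inter.key -subj "/CN=Example Intermediate CA" \
  -config ca.cnf -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null

# End-entity certificate, issued by the intermediate.
newkey leaf.key
openssl req -new -key leaf.key -subj "/CN=proxy.example.test" \
  -config ca.cnf -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Three bundles: the correct order, the certs in the wrong order, and a
# bundle with the root present but the intermediate missing.
cat leaf.pem inter.pem > cert.pem
cat inter.pem leaf.pem > cert-wrong-order.pem
cat leaf.pem root.pem  > cert-missing-link.pem

# Subject or issuer of one cert, in a form that compares reliably across versions.
name_of() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed -e "s/^$1=//" -e 's/^ *//'; }

# Split a PEM bundle into prefix-1.pem, prefix-2.pem, ... keeping file order.
split_pem() { awk -v p="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (p "-" n ".pem")}' "$1"; }

# Walk the certs after the first one and accept each only if it is the Issuer
# of the current end of the chain; anything else is reported the way the
# thread's log line does. Returns the number of skipped certs (0 = clean).
# Emulates the behaviour described in the reply; not Squid's code, and it does
# not distinguish CA certs from end-entity certs.
chain_check() {
  local dir tail n i skipped=0
  dir=$(mktemp -d)
  split_pem "$1" "$dir/c"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  tail="$dir/c-1.pem"
  i=2
  while [ "$i" -le "$n" ]; do
    if [ "$(name_of issuer "$tail")" = "$(name_of subject "$dir/c-$i.pem")" ]; then
      tail="$dir/c-$i.pem"
    else
      echo "Ignoring non-issuer CA from $1: $(name_of subject "$dir/c-$i.pem")"
      skipped=$((skipped + 1))
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$skipped"
}

# Independent check with openssl's own path builder: does the end-entity cert
# chain to root.pem using only the extra certs found in the bundle?
verify_leaf() { openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1; }

# Report the three bundles.
for b in cert.pem cert-wrong-order.pem cert-missing-link.pem; do
  if chain_check "$b"; then echo "$b: chain order OK"; fi
  if verify_leaf leaf.pem "$b"; then echo "$b: openssl verify OK"; else echo "$b: openssl verify FAILED"; fi
done
```

Running it shows the three cases from the list above side by side: cert.pem passes both checks; cert-wrong-order.pem still passes openssl verify, because openssl's path builder looks certs up by Issuer rather than file position, yet chain_check reports the second cert as a non-issuer, which is the "CAs not in correct chain order in the file" case; cert-missing-link.pem fails both, which is the "Issuer sequence missing an entry" case. So when the CN named in the message is one you expected to see in the file, compare the Issuer of your cert= certificate with the Subject of that CA the way name_of does before suspecting the config.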

