[squid-users] | Ignoring non-issuer CA from ... while squid -kparse

eliezer at ngtech.co.il eliezer at ngtech.co.il
Sun Feb 24 12:58:26 UTC 2019


I assume it's fine in general since it works.
I will try to run a request with openssl to see what is the certificate chain that I'm receiving.
The issue is that it's a special "redirect all" proxy for filtering only blacklisted domains.
So the squid receives all SSL requests and denies them with a 302 to another server so it's hard
for me to see in the browser if the chain received is full.

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Sunday, February 24, 2019 10:14
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] | Ignoring non-issuer CA from ... while squid -kparse

On 24/02/19 3:36 pm, eliezer wrote:
> I am testing intermediate  certificates and I have just created a key
> and certificate files.
> 
> The http line for ssl bump is:
> 
> http_port 23128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB  cert=/etc/squid/ssl_cert/cert.pem
> key=/etc/squid/ssl_cert/key.pem
> 
>  
> 
> While running squid -kparse I get the next output:
> 
> 2019/02/24 04:28:03| Using certificate in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Using certificate chain in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Ignoring non-issuer CA from
> /etc/squid/ssl_cert/cert.pem: /C=IL/ST=Shomron/O=NgTech
> LTD/CN=pxaa13a65c.ngtech.co.il
> 
> ## END OF OUTPUT SNIPPET
> 
> 
> I am not sure how to look at this.
> 
> I am almost sure I did something wrong, maybe when I created the root CA
> or the intermediate?
> 


Since you are not using a self-signed cert Squid is checking the
cert.pem file to see if any chain CAs exist in there.

Squid found one CA cert in the file and determined that it was not an
Issuer to place in the chain *after* the known signing CA.


Since this is the same file the cert= value came from you should expect
the first thing that it finds is the signing CA cert. That already
exists in the known bit of chain and is not its own Issuer. So it should be
skipped.


From your description the root CA was next in the chain and already
configured into the Browser. So you should not see any chain info
actually loaded for this setup. Though if you want to send even the root
CA you could add it to the file and Squid would send the full chain.


There is only a problem if:

 * the file being loaded is not one you wanted to load, or
 * the displayed CN is something you did not expect to see in that file, or
 * the CA with that CN is supposed to be part of the CA chain which
signed/issued your cert= certificate:
   - Issuer sequence broken, or
   - Issuer sequence missing an entry, or
   - CAs not in correct chain order in the file.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
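Added example, written for this thread and not code from the list or from Squid: a pure-stdlib Python checker that applies the ordering rule Amos describes to a cert= bundle (cert[0] is the server cert, each later CA must be the issuer of the one before it), so a "non-issuer CA" can be spotted before running squid -kparse. The PEM/DER walking and the constructed, unsigned test-certificate builder are mine, and the CA names are assumptions rather than the poster's.

```python
import base64
import re

# cert[0] is the server certificate; each following CA must be the issuer of the
# certificate before it. Names are compared as raw DER bytes, exact for one CA setup.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, whole TLV bytes) for each element of a constructed DER value."""
    while start < end:
        tag, _, ve = der_tlv(buf, start)
        yield tag, buf[start:ve]
        start = ve

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name blobs from one X.509 certificate."""
    _, tbs, _ = der_tlv(der, 0)                     # Certificate SEQUENCE
    _, start, end = der_tlv(der, tbs)               # TBSCertificate SEQUENCE
    fields = list(der_children(der, start, end))
    if fields[0][0] == 0xA0:                        # optional [0] version
        fields = fields[1:]
    return fields[4][1], fields[2][1]               # serial, sigalg, issuer, validity, subject

def chain_problems(pem_bytes):
    """List chain-order problems in a PEM bundle; an empty list means the order is sane."""
    names = [subject_issuer(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_bytes)]
    return [f"cert[{i}] is not the issuer of cert[{i - 1}]"
            for i in range(1, len(names)) if names[i][0] != names[i - 1][1]]

def _der(tag, content):  # tiny DER encoder, only to build the constructed test certs
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton with just the fields the walker reads."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Run `chain_problems(open("/etc/squid/ssl_cert/cert.pem", "rb").read())` against a real bundle; a root CA appended after the intermediate passes, a root placed directly after the server cert is reported, which is the "non-issuer CA" case from the thread.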


