[squid-users] squid doesn't fetch the intermediate certificate for some sites

Dieter Bloms squid.org at bloms.de
Tue Jul 21 07:41:12 UTC 2020


we use the sslbump feature and it works very well.
But some sites can't be reached because of missing intermediate

In squid.conf we have configured the following parameters:

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all

and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/

but for some sites like https://mycase.cloudapps.cisco.com/
squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA

output of openssl on certificate of mycase.cloudapps.cisco.com
            Authority Information Access: 
                CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
                OCSP - URI:http://ocsp.quovadisglobal.com

so does anybody see what's the reason, why squid doesn't download the
intermediate certificate for mycase.cloudapps.cisco.com ?


  Dieter Bloms

I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

More information about the squid-users mailing list