[squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

Alex Rousskov rousskov at measurement-factory.com
Wed Jan 13 22:23:00 UTC 2021


On 1/13/21 4:33 PM, Greg Hulands wrote:

> I am setting up squid 5.0.3 and during testing I have found some 
> websites fail to have their certificates generated correctly. I am
> able to go to sites like YouTube.com and have the certificates for
> that be generated correctly, but when I try to go to some others,
> like arstechnica.com, they fail to generate and return the CA cert
> that squid is using to sign certificates with.

Just to double check: Are you sure that the certificate the client gets
is the configured CA certificate? For example, do the two certificates
have the same fingerprint?


> I turned the logging up on certificate stuff to 5 and have the cache log
> from trying to make a request
> here: https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb

The posted snippet shows successful TLS negotiation with the origin
server (FD 23) and a subsequently failed negotiation with the client (FD
21). The latter may have failed because the client did not like the
certificate generated by Squid, but I did not check the exact failure
reason carefully.

The snippet has no information about Squid sending the (generated)
certificates to the client, but Squid appears to receive some generated
certificate from the helper (crtGenRq3180846).

* If you are sure that the client gets a wrong certificate from Squid,
then I recommend posting an ALL,9 log of the problematic transaction.
With some luck, we may be able to see what went wrong with certificate
generation (or virgin certificate validation??).

* Otherwise, I recommend double checking what certificate the client
gets. If the client gets the correct generated certificate, then the
problem is not in certificate validation or generation.

Posting the certificate that the client actually gets may help a lot
with the triage as well.


HTH,

Alex.
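The fingerprint check Alex suggests, as an added diagnostic helper that is not part of this thread or of Squid: it opens a CONNECT tunnel through the bumping proxy, grabs whatever leaf certificate the proxy presents for a host, and compares its SHA-256 fingerprint with the configured CA certificate. If the two match, the client is indeed receiving the CA certificate instead of a generated one. The proxy host, port and target host are command-line arguments; the script assumes the proxy accepts an unauthenticated CONNECT, and the PEM strings used in the tests are constructed stand-ins, not real certificates.

```python
"""Added helper (not from the squid-users thread or Squid itself): check whether
the certificate a client receives through an SSL-bumping proxy is the signing
CA certificate, by comparing SHA-256 fingerprints."""
import hashlib
import socket
import ssl
import sys


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER certificate, in the same
    form that `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    return ssl.PEM_cert_to_DER_cert(pem)


def classify_served_cert(served_der: bytes, ca_der: bytes) -> str:
    """Compare the certificate the client got with the configured CA cert."""
    if sha256_fingerprint(served_der) == sha256_fingerprint(ca_der):
        return "SAME: client received the CA certificate itself"
    return "DIFFERENT: client received a certificate other than the CA cert"


def fetch_cert_via_proxy(proxy_host: str, proxy_port: int, target_host: str,
                         target_port: int = 443, timeout: float = 10.0) -> bytes:
    """Open a CONNECT tunnel through the proxy and return the DER leaf
    certificate the proxy presents for target_host. Verification is disabled
    on purpose: we want to capture the served certificate, trusted or not."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n")
    sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection before answering CONNECT")
        reply += chunk
    status_line = reply.split(b"\r\n", 1)[0]
    if b" 200 " not in status_line:
        raise ConnectionError(f"CONNECT refused: {status_line!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
        return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python bumpcheck.py PROXY_HOST PROXY_PORT TARGET_HOST CA_CERT.pem
    if len(sys.argv) != 5:
        sys.exit("usage: bumpcheck.py PROXY_HOST PROXY_PORT TARGET_HOST CA_CERT.pem")
    proxy, port, target, ca_path = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    with open(ca_path, encoding="ascii") as fh:
        ca = pem_to_der(fh.read())
    served = fetch_cert_via_proxy(proxy, port, target)
    print("served :", sha256_fingerprint(served))
    print("CA     :", sha256_fingerprint(ca))
    print(classify_served_cert(served, ca))
```

Save the served certificate as well (`ssl.DER_cert_to_PEM_cert(served)`) when reporting, since Alex asks for the certificate the client actually gets; if the fingerprints differ, the next thing to inspect is the issuer and SAN of the served certificate rather than Squid's generation code.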
