[squid-users] certificate issuer not known

Majed Zouhairy m_zouhairy at ckta.by
Wed Jun 23 11:56:40 UTC 2021


Health be upon you,
when visiting
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

on squid 4.15

it displays:


ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: 
https://wiki.squid-cache.org/*

     Failed to establish a secure connection to 104.130.201.120

The system returned:

     (71) Protocol error (TLS code: 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

     SSL Certficate error: certificate issuer (CA) not known: 
/C=US/O=Let's Encrypt/CN=R3

This proxy and the remote host failed to negotiate a mutually acceptable 
security settings for handling your request. It is possible that the 
remote host does not support secure connections, or the proxy is not 
satisfied with the host security credentials.

Your cache administrator is webmaster.

configuration:

http_port 3128 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB



acl 	tls_s1_connect		at_step SslBump1
acl 	tls_s2_client_hello 	at_step SslBump2
acl 	tls_s3_server_hello 	at_step SslBump3

# define acls for sites that must not be actively bumped

acl 	tls_allowed_hsts	ssl::server_name 			.akamaihd.net
acl 	tls_allowed_hsts	ssl::server_name 			.proxy.skko.by
#acl 	tls_server_is_bank 	ssl::server_name 	.abnamro.nl
#acl 	tls_server_is_bank 	ssl::server_name 	.abnamro.com
acl 	tls_server_is_bank 	ssl::server_name 	"/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl 	tls_to_splice 	any-of 	tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump 	peek	tls_s1_connect 	# peek at TLS/SSL connect data
ssl_bump 	splice 	tls_to_splice	# splice some: no active bump
ssl_bump 	stare 	all		# stare(peek) at server properties of the webserver
ssl_bump	 bump	# bump if we can (if the stare succeeded)



#ssl_bump peek all
#ssl_bump splice all

##ssl_bump server-first all

#sslproxy_cert_error allow all



cache_dir ufs /var/cache/squid 8000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 960 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:			1440	20%	10080
refresh_pattern ^gopher:		1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 	0	0%	0
refresh_pattern .			0	20%	4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
#debug_options ALL,1 33,2 28,9

What needs to be done to fix this?
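The TLS code in the error above, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (OpenSSL error 20), is raised by OpenSSL's chain building, which Squid reuses for its outgoing (proxy-to-origin) connections when it bumps. It means that for some certificate in the chain the issuer was found neither in the certificates the server sent nor in the trust store Squid was given; Squid prints the issuer name of the certificate it could not chain, here Let's Encrypt's R3 intermediate. The script below is an added example, not code from the post or from the Squid project: it builds a throwaway CA chain with the openssl CLI (1.1.1 or later is assumed, for `-no-CApath` and the "error N at D depth lookup" output format) and runs `openssl verify` under three trust configurations to show which situation produces error 20 at which depth. All names (Example Root, Unrelated Root, wiki.example.test) are fictional.

```shell
#!/bin/sh
# Added example: reproduce X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY with a
# throwaway CA chain and `openssl verify`. Not from the post or from Squid.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf so the run does not depend on the system config file.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:wiki.example.test
EOF

# make_root NAME CN: self-signed root, the kind of certificate a trust store holds.
make_root() {
  openssl req -new -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/O=Example/CN=$2" -days 2 2>/dev/null
}

# issue NAME CN ISSUER EXT_SECTION: certificate for NAME signed by ISSUER.
issue() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/O=Example/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -extfile "$WORK/openssl.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

make_root root  "Example Root"                 # the root the leaf really chains to
make_root other "Unrelated Root"               # a trusted root that is irrelevant
issue inter "Example Intermediate R3" root ca_ext
issue leaf  "wiki.example.test"       inter leaf_ext

# verify_chain TRUSTED_CAFILE LEAF [UNTRUSTED_INTERMEDIATES]
# Prints "OK", or "<openssl error number> <depth>" for the first failure.
# Error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; depth 0 is the leaf.
verify_chain() {
  ca=$1; leaf=$2; untrusted=${3:-}
  if [ -n "$untrusted" ]; then
    out=$(openssl verify -no-CApath -CAfile "$ca" -untrusted "$untrusted" "$leaf" 2>&1) || true
  else
    out=$(openssl verify -no-CApath -CAfile "$ca" "$leaf" 2>&1) || true
  fi
  res=$(printf '%s\n' "$out" \
    | sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/\1 \2/p' \
    | head -n 1)
  if [ -z "$res" ]; then echo OK; else echo "$res"; fi
}

echo "root trusted, intermediate sent:       $(verify_chain "$WORK/root.pem"  "$WORK/leaf.pem" "$WORK/inter.pem")"
echo "wrong root trusted, intermediate sent: $(verify_chain "$WORK/other.pem" "$WORK/leaf.pem" "$WORK/inter.pem")"
echo "root trusted, intermediate missing:    $(verify_chain "$WORK/root.pem"  "$WORK/leaf.pem")"
```

The first case prints OK; the second prints "20 1" (the intermediate was sent but its root is not in the trust store, the situation when Squid's CA bundle is stale or not the one you think it is); the third prints "20 0" (the origin sent only its leaf and the intermediate is nowhere to be found). The same check against the real origin is `openssl s_client -connect 104.130.201.120:443 -servername wiki.squid-cache.org -showcerts`, which shows whether R3 is in the served chain, followed by `openssl verify -CAfile <bundle> -untrusted <served intermediates> <leaf>` with the bundle Squid actually uses. On the Squid side the fix is to give the proxy a current CA bundle with `tls_outgoing_options cafile=...` (on Debian-style systems that is typically /etc/ssl/certs/ca-certificates.crt, an assumed path) and to keep `default-ca=on`, rather than uncommenting `sslproxy_cert_error allow all`, which would make the bumping proxy accept any origin certificate and silently remove the validation the browser used to do.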

