[squid-users] certificate issuer not known

Alex Rousskov rousskov at measurement-factory.com
Wed Jun 23 14:32:07 UTC 2021


On 6/23/21 7:56 AM, Majed Zouhairy wrote:
> when visiting
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> 
> on squid 4.15
> 
> it displays:
> 
> 
> ERROR
> The requested URL could not be retrieved
> 
> The following error was encountered while trying to retrieve the URL:
> https://wiki.squid-cache.org/*
> 
>     Failed to establish a secure connection to 104.130.201.120
> 
> The system returned:
> 
>     (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> 
>     SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Let's Encrypt/CN=R3


Your Squid was not able to validate the certificate used by the Squid
Project wiki site. I am not sure, but perhaps your OpenSSL installation
on the Squid box is missing fresh Let's Encrypt intermediate
certificates? IIRC, there were similar complaints recently. Try
searching the mailing list archives if you have not already.

Alex.
P.S. Squid tries to fetch missing intermediate certificates, but that is
not always possible, and Squid v4 supports fewer environments where it
is possible to fetch them (than more recent Squid versions).


> configuration:
> 
> http_port 3128 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
> 
> 
> 
> acl     tls_s1_connect        at_step SslBump1
> acl     tls_s2_client_hello     at_step SslBump2
> acl     tls_s3_server_hello     at_step SslBump3
> 
> # define acls for sites that must not be actively bumped
> 
> acl     tls_allowed_hsts    ssl::server_name             .akamaihd.net
> acl     tls_allowed_hsts    ssl::server_name             .proxy.skko.by
> #acl     tls_server_is_bank     ssl::server_name     .abnamro.nl
> #acl     tls_server_is_bank     ssl::server_name     .abnamro.com
> acl     tls_server_is_bank     ssl::server_name     "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
> acl     tls_to_splice     any-of     tls_allowed_hsts tls_server_is_bank
> 
> # TLS/SSL bumping steps
> 
> ssl_bump     peek    tls_s1_connect     # peek at TLS/SSL connect data
> ssl_bump     splice     tls_to_splice    # splice some: no active bump
> ssl_bump     stare     all        # stare(peek) at server properties of the webserver
> ssl_bump     bump    # bump if we can (if the stare succeeded)
> 
> 
> 
> #ssl_bump peek all
> #ssl_bump splice all
> 
> ##ssl_bump server-first all
> 
> #sslproxy_cert_error allow all
> 
> 
> 
> cache_dir ufs /var/cache/squid 8000 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache/squid
> 
> cache_mem 960 MB
> 
> netdb_filename none
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:            1440    20%    10080
> refresh_pattern ^gopher:        1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?)     0    0%    0
> refresh_pattern .            0    20%    4320
> 
> url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
> url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
> url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
> #debug_options ALL,1 33,2 28,9
> 
> what needs to be done to fix?
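An added example, not part of this thread and not Squid's or Let's Encrypt's code, of the condition Alex describes. It builds a constructed root -> intermediate -> leaf chain with the openssl command line (all names are made up; wiki.example.test and "Example Intermediate CA" stand in for the real site and for R3), then verifies the leaf three ways: against the root alone, which fails with OpenSSL's error 20, the same condition Squid reports as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; with the intermediate supplied as untrusted chain material, which is what a server that sends its full chain gives the proxy; and against a bundle that also contains the intermediate, which is the local fix when the server does not send it and Squid cannot fetch it. The issuer DN printed first is the name that appears after "certificate issuer (CA) not known" on the error page.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): reproduce the
# "unable to get local issuer certificate" condition offline with a
# constructed root -> intermediate -> leaf chain, then show it clearing
# once the intermediate is available to the verifier. All names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate: $1 = basename, $2 = subject, $3 = extension file,
# $4/$5 = signing CA cert/key (omitted for the self-signed root).
issue() {
    name="$1"; subj="$2"; ext="$3"; ca="${4:-}"; cakey="${5:-}"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$ca" ]; then
        openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" \
            -signkey "$WORK/$name.key" -extfile "$ext" \
            -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" \
            -CA "$ca" -CAkey "$cakey" -CAcreateserial -extfile "$ext" \
            -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# Build the constructed chain: root CA -> intermediate CA -> server leaf.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:wiki.example.test\n' \
        > "$WORK/leaf.ext"
    issue root  '/C=US/O=Example/CN=Example Root CA' "$WORK/ca.ext"
    issue inter '/C=US/O=Example/CN=Example Intermediate CA' "$WORK/ca.ext" \
        "$WORK/root.pem" "$WORK/root.key"
    issue leaf  '/CN=wiki.example.test' "$WORK/leaf.ext" \
        "$WORK/inter.pem" "$WORK/inter.key"
}

# Print the leaf's issuer DN: the name Squid's error page shows after
# "certificate issuer (CA) not known".
leaf_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'
}

# Verify a leaf the way OpenSSL does during a handshake: $2 is the trusted
# bundle, optional $3 is untrusted chain material (what a server that sends
# its full chain provides). Prints ok, missing-issuer, or failed: <reason>.
verify_leaf() {
    if out="$(openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" 2>&1)"; then
        echo ok
        return 0
    fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *) echo "failed: $out" ;;
    esac
}

make_chain
echo "leaf issuer:                $(leaf_issuer "$WORK/leaf.pem")"
echo "root only:                  $(verify_leaf "$WORK/leaf.pem" "$WORK/root.pem")"
echo "root + sent intermediate:   $(verify_leaf "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/inter.pem")"
# The local fix: make the intermediate known to the trust store the proxy's
# OpenSSL consults (here a bundle file; on a real box the distribution's CA
# bundle or the cafile the Squid port/peer options point at).
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
echo "root + intermediate bundle: $(verify_leaf "$WORK/leaf.pem" "$WORK/bundle.pem")"
```

The same verify_leaf check can be run against a leaf captured from a real server (openssl s_client -showcerts writes the chain it received) with the proxy box's actual CA bundle as the second argument; a missing-issuer result there means the fix belongs in that bundle, not in the ssl_bump rules.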
