[squid-users] 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line
Alex Rousskov
rousskov at measurement-factory.com
Tue Jul 11 17:34:47 UTC 2023
On 7/10/23 14:50, Franta Hanzlík wrote:
> After upgrading my Fedora 27/Squid-4.0.23 to Fedora 38/Squid-5.9, the
> Squid refuses to start with the error message:
>
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/server.pem': error:0480006C:PEM routines::no start line
I suspect the actual problem is different than "no start line". Due to a
mismatch between OpenSSL error handling approach and Squid code, Squid
often reports wrong/stale/irrelevant OpenSSL errors. Certificate loading
code is especially prone to such mismatches! Refactoring OpenSSL error
handling is an known to-do item.
Several different things could go wrong while showing the above
symptoms, and there are several ways to troubleshoot this, but I would
start with the following simple test.
Run the following (or similar) command on the same machine as Squid,
using the same OS user as Squid ("nobody" in the example below), using
the openssl tool from the same OpenSSL version as Squid was built with:
sudo -u nobody \
openssl x509 -in /etc/pki/tls/private/server.pem -noout -subject
You should see the certificate subject field. Any warnings or errors?
If the above works fine, and the certificate file ownership/permissions
look reasonable to you, then the next step could be to start Squid under
"strace" or a similar tool to check whether some system call fails when
OpenSSL is trying to load that certificate file. In most cases, you
should be able to find the certificate filename in strace output and
check for subsequent syscall errors (e.g., permission denied). We can
help with that analysis, but be careful with posting private key
contents. If you can, temporary replace that production certificate with
some throw-away/temporary/example one.
Beyond that, I would recommend patching Squid to report the last OpenSSL
error instead of the first one (in this context). This will require you
to rebuild your Squid from sources. Please let me know if you want to
pursue that and I will provide a patch.
HTH,
Alex.
> The problem is probably related to the reverse https proxy definition
> line in squid.conf :
> https_port 192.168.20.2:22225 accel cert=/etc/pki/tls/private/server.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
> server.pem is the symlink to realFile.pem with this content:
> -----BEGIN RSA PRIVATE KEY-----
> MIIEpQ...
> ...
> ...vo=
> -----END RSA PRIVATE KEY-----
>
> -----BEGIN CERTIFICATE-----
> MIIGO...
> ...
> ...c5s=
> -----END CERTIFICATE-----
>
> and it worked fine in the older Squid-4.0.23 version.
>
> I tried:
> - tls-cert= instead of cert=
> - replacing the symlink server.pem with a real file.
> - arrange certificate in PEM file as first and key second
> - split PEM file into separate certificate and key and use it with syntax:
>
> https_port 192.168.20.2:22225 accel tls-cert=/etc/pki/tls/private/cert.pem tls-key=/etc/pki/tls/private/key.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
>
> but squid still not start with this same message:
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/cert.pem': error:0480006C:PEM routines::no start line
>
> Can anyone help?
> ---
> Thanks in advance! Franta Hanzlik
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list