[squid-users] [EXTERNAL] Re: 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line

Hannes Fasching hfasching at barracuda.com
Wed Jul 12 07:09:35 UTC 2023


Hi!
We had the same problem when we switched from OpenSSL 1.1 to OpenSSL 3 with certificates using the SHA1 algorithm for the signature. The reason for this was that in OpenSSL 3 SHA1 is deprecated.

Kind regards,
Hannes


From: squid-users <squid-users-bounces at lists.squid-cache.org>
Sent: Tuesday, 11 July 2023 19:34
To: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: [EXTERNAL] Re: [squid-users] 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line

On 7/10/23 14:50, Franta Hanzlík wrote:
> After upgrading my Fedora 27/Squid-4.0.23 to Fedora 38/Squid-5.9, the
> Squid refuses to start with the error message:
>
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/server.pem': error:0480006C:PEM routines::no start line

I suspect the actual problem is different than "no start line". Due to a
mismatch between the OpenSSL error handling approach and Squid code, Squid
often reports wrong/stale/irrelevant OpenSSL errors. Certificate loading
code is especially prone to such mismatches! Refactoring OpenSSL error
handling is a known to-do item.

Several different things could go wrong while showing the above
symptoms, and there are several ways to troubleshoot this, but I would
start with the following simple test.

Run the following (or similar) command on the same machine as Squid,
using the same OS user as Squid ("nobody" in the example below), using
the openssl tool from the same OpenSSL version as Squid was built with:

     sudo -u nobody \
     openssl x509 -in /etc/pki/tls/private/server.pem -noout -subject

You should see the certificate subject field. Any warnings or errors?

If the above works fine, and the certificate file ownership/permissions
look reasonable to you, then the next step could be to start Squid under
"strace" or a similar tool to check whether some system call fails when
OpenSSL is trying to load that certificate file. In most cases, you
should be able to find the certificate filename in strace output and
check for subsequent syscall errors (e.g., permission denied). We can
help with that analysis, but be careful with posting private key
contents. If you can, temporarily replace that production certificate with
some throw-away/temporary/example one.

Beyond that, I would recommend patching Squid to report the last OpenSSL
error instead of the first one (in this context). This will require you
to rebuild your Squid from sources. Please let me know if you want to
pursue that and I will provide a patch.


HTH,

Alex.

> The problem is probably related to the reverse https proxy definition
> line in squid.conf :
> https_port 192.168.20.2:22225 accel cert=/etc/pki/tls/private/server.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe

> server.pem is the symlink to realFile.pem with this content:
> -----BEGIN RSA PRIVATE KEY-----
> MIIEpQ...
> ...
> ...vo=
> -----END RSA PRIVATE KEY-----
>
> -----BEGIN CERTIFICATE-----
> MIIGO...
> ...
> ...c5s=
> -----END CERTIFICATE-----
>
> and it worked fine in the older Squid-4.0.23 version.
>
> I tried:
> - tls-cert= instead of cert=
> - replacing the symlink server.pem with a real file.
> - arrange certificate in PEM file as first and key second
> - split PEM file into separate certificate and key and use it with syntax:
>
> https_port 192.168.20.2:22225 accel tls-cert=/etc/pki/tls/private/cert.pem tls-key=/etc/pki/tls/private/key.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
>
> but squid still does not start, with this same message:
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/cert.pem': error:0480006C:PEM routines::no start line
>
> Can anyone help?
> ---
> Thanks in advance! Franta Hanzlik
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

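To make the first of Alex's checks above (look at the certificate file itself, as the Squid user, before trusting the OpenSSL error text) repeatable, here is a small PEM lint in Python. It is an added example, not code from this thread, from Squid or from OpenSSL. It reimplements the PEM layer that OpenSSL's reader walks (BEGIN/END markers, RFC 1421 headers such as Proc-Type, the base64 body) in pure Python, so it runs even where the matching openssl binary is not at hand, and it separates faults at the PEM layer (no BEGIN marker at all, a UTF-8 byte-order mark ahead of it, a BEGIN with no END) from faults inside a block (a base64 body that decodes but is not one complete DER SEQUENCE, i.e. a truncated file, and a passphrase-encrypted key that a daemon cannot unlock). The function names (`lint_pem`, `der_length_ok`, `make_pem`) are my own, and the sample data is constructed: two minimal DER SEQUENCEs standing in for a key and a certificate, not real key material.

```python
"""Check a PEM cert/key file the way OpenSSL's PEM reader sees it (added example)."""
import base64
import re
from dataclasses import dataclass, field

# PEM labels OpenSSL accepts for a private key (PKCS#1 RSA, SEC1 EC, PKCS#8).
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
END_RE = re.compile(rb"^-----END ([A-Z0-9 ]+)-----\s*$")


@dataclass
class PemBlock:
    label: str
    line_no: int                                  # 1-based line of the BEGIN marker
    headers: dict = field(default_factory=dict)   # RFC 1421 headers such as Proc-Type
    der: bytes = b""


@dataclass
class LintReport:
    blocks: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    def has_cert_and_key(self) -> bool:
        labels = [b.label for b in self.blocks]
        return "CERTIFICATE" in labels and any(l in KEY_LABELS for l in labels)


def der_length_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE (tag 0x30) whose length field covers the rest."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                               # short-form length
        hdr, body_len = 2, first
    else:                                          # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + body_len == len(der)


def lint_pem(data: bytes) -> LintReport:
    rep = LintReport()
    if data.startswith(b"\xef\xbb\xbf"):
        rep.problems.append("line 1: UTF-8 byte-order mark in front of the first BEGIN line")
        data = data[3:]
    cur, body, in_headers = None, [], False
    for n, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")                   # CRLF line endings are fine for OpenSSL
        if any(c > 0x7E or (c < 0x20 and c != 0x09) for c in line):
            rep.problems.append(f"line {n}: non-ASCII or control bytes")
        if cur is None:
            m = BEGIN_RE.match(line)
            if m:
                cur, body, in_headers = PemBlock(m.group(1).decode(), n), [], True
            elif line.strip():                     # OpenSSL skips this, but it is a smell
                rep.problems.append(f"line {n}: text outside any PEM block: {line[:40]!r}")
            continue
        if END_RE.match(line):
            try:
                cur.der = base64.b64decode(b"".join(body), validate=True)
                if not der_length_ok(cur.der):     # decodes, but truncated or corrupt
                    rep.problems.append(f"line {cur.line_no}: {cur.label} is not one complete DER SEQUENCE")
            except ValueError:                     # binascii.Error subclasses ValueError
                rep.problems.append(f"line {cur.line_no}: {cur.label} body is not valid base64")
            if cur.label == "ENCRYPTED PRIVATE KEY" or cur.headers.get("Proc-Type", "").endswith("ENCRYPTED"):
                rep.problems.append(f"line {cur.line_no}: {cur.label} is passphrase-encrypted; a daemon cannot answer the prompt")
            rep.blocks.append(cur)
            cur = None
            continue
        if in_headers and b":" in line:            # base64 never contains ':'
            k, v = line.split(b":", 1)
            cur.headers[k.strip().decode(errors="replace")] = v.strip().decode(errors="replace")
            continue
        in_headers = False
        if line.strip():
            body.append(line.strip())
    if cur is not None:
        rep.problems.append(f"line {cur.line_no}: BEGIN {cur.label} has no matching END line")
    if not rep.blocks:
        rep.problems.append("no PEM block at all: the one case where 'no start line' is the real error")
    return rep


def make_pem(label: str, der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] + b"\n" for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n".encode() + b"".join(lines) + f"-----END {label}-----\n".encode()


# Constructed sample data, NOT a real key or certificate: two minimal DER SEQUENCEs
# (SEQUENCE { INTEGER 7 }, SEQUENCE { INTEGER 5 }) so the structural checks pass.
FAKE_KEY_DER = b"\x30\x03\x02\x01\x07"
FAKE_CERT_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_FILE = make_pem("RSA PRIVATE KEY", FAKE_KEY_DER) + b"\n" + make_pem("CERTIFICATE", FAKE_CERT_DER)
```

To run it against a real file, call `lint_pem(open(path, "rb").read())` from a shell running as the Squid user (the `sudo -u nobody` pattern from Alex's reply); an unreadable file then fails at `open()` with a plain PermissionError instead of a stale OpenSSL message. The lint deliberately accepts CRLF line endings and base64 split at any width, because OpenSSL does. It does not verify the certificate's signature, check that the key matches the certificate, or apply OpenSSL 3's algorithm policy, so a file that passes here and still fails in Squid points at the strace step or at the signature algorithm Hannes mentions, and `openssl x509`/`openssl pkey` from the same OpenSSL build Squid links against remain the authoritative test.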