[squid-users] [EXTERNAL] Re: 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line

Franta Hanzlík franta at hanzlici.cz
Tue Jul 18 05:07:21 UTC 2023 

On Wed, 12 Jul 2023 07:09:35 +0000
Hannes Fasching <hfasching at barracuda.com> wrote:

> Hi!
> we had the same problem when we switched from openssl 1.1 to openssl 3 with certificates using the SHA1 algorithm for signature. The reason for this was in openssl 3 SHA1 is deprecated.
> 
> Kind regards,
> ​Hannes
> 
> 
> Von: squid-users <squid-users-bounces at lists.squid-cache.org>
> Gesendet: Dienstag, 11. Juli 2023 19:34
> An: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
> Betreff: [EXTERNAL] Re: [squid-users] 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line
> 
> On 7/10/23 14:50, Franta Hanzlík wrote:
> > After upgrading my Fedora 27/Squid-4.0.23 to Fedora 38/Squid-5.9, the
> > Squid refuses to start with the error message:
> >
> > ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/server.pem': error:0480006C:PEM routines::no start line  
> 
> I suspect the actual problem is different than "no start line". Due to a
> mismatch between OpenSSL error handling approach and Squid code, Squid
> often reports wrong/stale/irrelevant OpenSSL errors. Certificate loading
> code is especially prone to such mismatches! Refactoring OpenSSL error
> handling is an known to-do item.
> 
> Several different things could go wrong while showing the above
> symptoms, and there are several ways to troubleshoot this, but I would
> start with the following simple test.
> 
> Run the following (or similar) command on the same machine as Squid,
> using the same OS user as Squid ("nobody" in the example below), using
> the openssl tool from the same OpenSSL version as Squid was built with:
> 
>      sudo -u nobody \
>      openssl x509 -in /etc/pki/tls/private/server.pem -noout -subject
> 
> You should see the certificate subject field. Any warnings or errors?
> 
> If the above works fine, and the certificate file ownership/permissions
> look reasonable to you, then the next step could be to start Squid under
> "strace" or a similar tool to check whether some system call fails when
> OpenSSL is trying to load that certificate file. In most cases, you
> should be able to find the certificate filename in strace output and
> check for subsequent syscall errors (e.g., permission denied). We can
> help with that analysis, but be careful with posting private key
> contents. If you can, temporary replace that production certificate with
> some throw-away/temporary/example one.
> 
> Beyond that, I would recommend patching Squid to report the last OpenSSL
> error instead of the first one (in this context). This will require you
> to rebuild your Squid from sources. Please let me know if you want to
> pursue that and I will provide a patch.
> 
> 
> HTH,
> 
> Alex.
> 
> > The problem is probably related to the reverse https proxy definition
> > line in squid.conf :
> > https_port 192.168.20.2:22225 accel cert=/etc/pki/tls/private/server.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe  
> 
> > server.pem is the symlink to realFile.pem with this content:
> > -----BEGIN RSA PRIVATE KEY-----
> > MIIEpQ...
> > ...
> > ...vo=
> > -----END RSA PRIVATE KEY-----
> >
> > -----BEGIN CERTIFICATE-----
> > MIIGO...
> > ...
> > ...c5s=
> > -----END CERTIFICATE-----
> >
> > and it worked fine in the older Squid-4.0.23 version.
> >
> > I tried:
> > - tls-cert= instead of cert=
> > - replacing the symlink server.pem with a real file.
> > - arrange certificate in PEM file as first and key second
> > - split PEM file into separate certificate and key and use it with syntax:
> >
> > https_port 192.168.20.2:22225 accel tls-cert=/etc/pki/tls/private/cert.pem tls-key=/etc/pki/tls/private/key.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
> >
> > but squid still not start with this same message:
> > ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/cert.pem': error:0480006C:PEM routines::no start line
> >
> > Can anyone help?
> > ---
> > Thanks in advance! Franta Hanzlik
> > _______________________________________________
> _______________________________________________


Hi Karl, you hit the spot - my 2015 certificate used SHA1 algorithm.
And after generating a new one using sha256, the SQUID works correctly.
Big thanks!

Alex, thanks too for the nice systematic approach to solving the problem!
Thank you very much!
---
Franta Hanzlík

More information about the squid-users mailing list