<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
@ eliezer
<div>I was using children as 10</div>
<div>and faced the problem.</div>
<div><br></div>
<div>So I tried to increase children to 1000 to see if this was the reason,</div>
<div>and unfortunately the same problem.</div>
<div><br></div>
<div>Yes, I’m using Debian 6 OS.</div>
<div><br></div>
<div>I appreciate the help from all the replies below, but so far I haven’t got any clear solution.</div>
<div><br></div>
<div>Now I updated to 3.5.24, the last one,</div>
<div>and will see if it comes back … I will update the list with the result.</div>
<div><br></div>
<div>If it fails … I’m forced to create a cron job to remove the certs, like every 24 hours.</div>
<div><br></div>
<div>Thank you guys, all of you.</div>
<div>Thanks Amos, thanks Eliezer, thanks Yuri.</div>
<div><br></div>
<div>Kind regards</div>
<div><div><blockquote type="cite">
<div>On Mar 3, 2017, at 1:37 PM, Yuri Voinov &lt;<a href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a>&gt; wrote:</div>
<br>
<div>
03.03.2017 6:32, Eliezer Croitoru wrote:<br>
<blockquote type="cite">Hey Yuri,<br><br>
This issue is not 100% squid but I think it's related to the way ssl_crtd works.<br>
I am not sure if it has some locking or other things to prevent such issues.<br>
The first solution is to somehow defend the DB from corruption, like in a case where more than a dozen identical requests are being done towards a single site and two ssl_crtd helpers are trying to do the same things.<br>
I believe that something to fence this should already be inside squid and ssl_crtd, but I am pretty sure this is the main issue.<br>
</blockquote>
I suggest this can be an external reason for this issue to occur. Somehow,<br>
for example, BlueCoat on ISP upstream, tcp packet corruption, etc. I<br>
don't know, just guessing.<br>
<blockquote type="cite">Alex and his team should know the answer for this subject and if I'm not wrong theoretically there are a couple of ways to prevent the mentioned issues.<br>
I had a plan to try and understand the ssl_crtd code and interface but have yet to do so.<br><br>
I hope this issue will be resolved in a way that it can be backported to 3.5 in the worst case.<br>
</blockquote>
I hope so too, but if it is external..... fewwwwwwwwwww.<br><br>
Anyway, a watchdog is a good backup to prevent manual interventions by the SA.<br>
<blockquote type="cite"><br>
Eliezer<br><br>
----<br>
<a href="http://ngtech.co.il/lmgtfy/">http://ngtech.co.il/lmgtfy/</a><br>
Linux System Administrator<br>
Mobile: +972-5-28704261<br>
Email: eliezer@ngtech.co.il<br><br><br>
From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org] On Behalf Of Yuri Voinov<br>
Sent: Thursday, March 2, 2017 11:46 PM<br>
To: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] squid 3.5.2==> HTTPS FATAL: The ssl_crtd helpers are crashing too rapidly, need help!<br><br>
This problem, in principle, is common to all versions of ssl-bumped Squid from version 3.4 to 5.0, inclusive, and occurs when the stored certificate is damaged for any reason. The only workaround that I could find is to monitor cache.log and initialize the certificate database again with an automatic squid restart.<br>
In some installations, this problem does not occur over the years. In others, almost daily. I have no desire to find out why this is happening exactly. For me it was easier to make the watchdog, which will follow up on this.<br>
03.03.2017 3:40, Yuri Voinov wrote:<br>
One hint finally:<br>
'([^ ]*) helper database ([^ ]*) failed: The SSL certificate database ([^ ]*) is corrupted. Please rebuild' - - - 0 exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"<br>
'FATAL: ([^ ]*) helpers are crashing too rapidly, need help!' - - - 0 exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"<br>
'Cannot add certificate to db.' - - - 0 exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"<br>
PS. This is from logsurfer.conf.<br><br>
03.03.2017 3:34, Yuri Voinov wrote:<br>
This error is usually preceded by another error in cache.log associated with the certificates.<br>
I will show you the direction. Then go yourself.<br>
This software will be useful for you to solve it:<br>
http://www.crypt.gen.nz/logsurfer/<br>
HTH, Yuri<br><br>
03.03.2017 2:47, --Ahmad-- wrote:<br>
hey folks.<br>
I have a problem with squid: it gets crashed after I enabled https!<br>
cache log error => FATAL: The ssl_crtd helpers are crashing too rapidly, need help!<br><br>
I googled many topics and relevant pages and couldn't find a clear solution.<br><br>
The quick solution I made was I removed the certs in file:<br>
rm -rfv /var/lib/ssl_db/<br><br>
then reinitiated the DB using the cmd below:<br>
/lib/squid/ssl_crtd -c -s /var/lib/ssl_db<br>
chown -R squid.squid /var/lib/ssl_db<br>
chown -R squid.squid /var/lib/ssl_db<br><br>
then restarted squid.<br><br>
but this is not a solution because squid gets crashed again after a certain time and I don’t know why!<br>
my version is 3.5.2<br><br>
here is squid.conf:<br>
/etc/squid/squid.conf<br>
visible_hostname pcloud<br>
acl ip1 myip 10.1.0.1<br>
acl ip2 myip 192.168.10.210<br>
tcp_outgoing_address 192.168.10.210 ip1<br>
tcp_outgoing_address 192.168.10.210 ip2<br>
#<br>
# Recommended minimum configuration:<br>
#<br><br>
# Example rule allowing access from your local networks.<br>
# Adapt to list your (internal) IP networks from where browsing<br>
# should be allowed<br>
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br>
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br>
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br>
acl localnet src fc00::/7 # RFC 4193 local private network range<br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br><br>
acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br><br>
#<br>
# Recommended minimum Access Permission configuration:<br>
#<br>
# Deny requests to certain unsafe ports<br>
http_access deny !Safe_ports<br><br>
# Deny CONNECT to other than secure SSL ports<br>
http_access deny CONNECT !SSL_ports<br>
http_access allow CONNECT<br>
# Only allow cachemgr access from localhost<br>
http_access allow localhost manager<br>
http_access deny manager<br><br>
# We strongly recommend the following be uncommented to protect innocent<br>
# web applications running on the proxy server who think the only<br>
# one who can access services on "localhost" is a local user<br>
#http_access deny to_localhost<br><br>
#<br>
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>
#<br><br>
# Example rule allowing access from your local networks.<br>
# Adapt localnet in the ACL section to list your (internal) IP networks<br>
# from where browsing should be allowed<br>
http_access allow localnet<br>
http_access allow localhost<br><br>
# And finally deny all other access to this proxy<br>
http_access deny all<br><br>
# Squid normally listens to port 3128<br>
http_port 3128<br><br>
# Uncomment and adjust the following to add a disk cache directory.<br>
#cache_dir ufs /var/cache/squid 100 16 256<br><br>
# Leave coredumps in the first cache dir<br>
#coredump_dir /var/cache/squid<br><br>
#<br>
# Add any of your own refresh_pattern entries above these.<br>
#<br>
#<br><br>
http_port 3126<br>
#http_port 3128<br>
#######################################<br>
#cache_swap_low 90<br>
#cache_swap_high 95<br>
############################<br>
cache_effective_user squid<br>
cache_effective_group squid<br>
memory_replacement_policy lru<br>
cache_replacement_policy heap LFUDA<br>
########################<br>
maximum_object_size 10000 MB<br>
#cache_mem 5000 MB<br>
maximum_object_size_in_memory 10 MB<br>
#########################<br>
logfile_rotate 2<br>
max_filedescriptors 131072<br>
###############################<br>
############<br>
cache_dir aufs /var/cache/squid 600000 64 128<br>
#######################################<br>
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myca.pem key=/usr/local/squid/ssl_cert/myca.pem<br>
ssl_bump server-first all<br>
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
sslcrtd_children 1000 startup=1 idle=1<br>
###<br>
minimum_object_size 0 bytes<br>
#refresh patterns for caching static files<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private<br>
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private<br>
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private<br>
refresh_pattern -i \.index\.(html|htm)$ 0 40% 10080<br>
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320<br>
refresh_pattern . 0 40% 40320<br><br>
any Joy Guys?<br><br>
should I update squid? or downgrade squid?<br><br>
kind regards<br><br>
_______________________________________________<br>
squid-users mailing list<br>
mailto:squid-users@lists.squid-cache.org<br>
http://lists.squid-cache.org/listinfo/squid-users<br>
</blockquote>
<br>
--<br>
Bugs to the Future
</div></blockquote></div><br></div></body></html>
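As an added example (not code from the thread, from Yuri's crtd_create.sh, or from the Squid project), a POSIX sh watchdog that combines the three cache.log triggers from the logsurfer.conf hint with the rebuild steps Ahmad ran by hand. It remembers a byte offset into cache.log so a corruption message already acted on cannot trigger a second rebuild on the next cron run, and rescans from the start after log rotation; the cache.log path, the init script (SQUID_INIT) and the state file are assumptions, while the DB path, ssl_crtd path and -M size come from the quoted squid.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: cron-driven watchdog for ssl_crtd
# database corruption. Paths mirror the squid.conf quoted in the thread;
# CACHE_LOG, SQUID_INIT and STATE are assumptions, adjust them for your host.
CACHE_LOG=${CACHE_LOG:-/var/log/squid/cache.log}
SSL_DB=${SSL_DB:-/var/lib/ssl_db}
SSL_CRTD=${SSL_CRTD:-/lib/squid/ssl_crtd}
DB_SIZE=${DB_SIZE:-4MB}
SQUID_USER=${SQUID_USER:-squid}
SQUID_INIT=${SQUID_INIT:-/etc/init.d/squid}
STATE=${STATE:-/var/run/crtd_watchdog.offset}

# The three cache.log messages from the logsurfer.conf hint, as one ERE.
CORRUPT_RE='helper database .* failed: The SSL certificate database .* is corrupted'
CORRUPT_RE="$CORRUPT_RE|FATAL: .* helpers are crashing too rapidly, need help!"
CORRUPT_RE="$CORRUPT_RE|Cannot add certificate to db\."

# new_log_lines LOG STATE: print only the bytes appended to LOG since the last
# call and remember the new offset. Without this, a corruption message that
# stays in cache.log would trigger a rebuild on every cron run.
new_log_lines() {
    log=$1; state=$2; off=0
    if [ -s "$state" ]; then off=$(cat "$state"); fi
    size=$(wc -c < "$log" | tr -d ' ')
    # log rotated or truncated (logfile_rotate 2 in the quoted config): rescan
    if [ "$size" -lt "$off" ]; then off=0; fi
    printf '%s\n' "$size" > "$state"
    tail -c +$((off + 1)) "$log"
}

# needs_rebuild LOG STATE: exit 0 if a trigger message arrived since last check.
needs_rebuild() {
    new_log_lines "$1" "$2" | grep -Eq "$CORRUPT_RE"
}

# rebuild_ssl_db: the manual steps from the thread, with squid stopped first so
# no ssl_crtd helper is still writing into the directory being replaced.
rebuild_ssl_db() {
    if [ ! -x "$SSL_CRTD" ]; then
        echo "ssl_crtd not found at $SSL_CRTD" >&2
        return 1
    fi
    case "$SSL_DB" in /|"") echo "refusing to wipe '$SSL_DB'" >&2; return 1;; esac
    "$SQUID_INIT" stop
    rm -rf "$SSL_DB"
    "$SSL_CRTD" -c -s "$SSL_DB" -M "$DB_SIZE"
    chown -R "$SQUID_USER:$SQUID_USER" "$SSL_DB"
    "$SQUID_INIT" start
}

main() {
    if needs_rebuild "$CACHE_LOG" "$STATE"; then
        logger -t crtd_watchdog "ssl_crtd DB corruption seen, rebuilding $SSL_DB"
        rebuild_ssl_db
    fi
}

# Run the check only when invoked as "crtd_watchdog.sh check" (e.g. from cron
# every few minutes); sourcing the file only defines the functions.
case "${1:-}" in check) main ;; esac
```

Rebuilding wipes every cached certificate, so clients renegotiate once afterwards; a rebuild that fires repeatedly points at the corruption source Eliezer and Yuri discuss, not at the watchdog.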