<div dir="ltr">Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess I'll have to learn how to compile it myself; never compiled a package before.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 11, 2017 at 4:17 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hardly,<br>
    <br>
    most probably something in repo's package. However, upgrade is
    always recommended, especially with modern functionality. It changes
    fast enough.<br>
    <br>
    <div class="m_-469225490075285610moz-cite-prefix">12.09.2017 2:15, Rohit Sodhia wrote:<br>
    </div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Ah. I'm on 3.5.20; not sure how far back that is.
        Is that the core of the problem?<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Sep 11, 2017 at 4:07 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <p>Seems latest 4.0.21 is good enough. Most critical
                SSL-related bugs almost closed or closed.</p>
              <p>At least latest 3.5.27 is released. AFAIK this is
                minimum to problem-free running.</p>
              <p>Repositories software sometimes has strange quirks, or
                sometimes rancid.<br>
              </p>
              12.09.2017 2:05, Rohit Sodhia wrote:
              <div>
                <div class="m_-469225490075285610h5"><br>
                  <blockquote type="cite">
                    <div dir="ltr">I'll try to find it, but I read a few
                      articles/SO questions that suggested there were
                      bugs in 4 relating to SSL bumping? If they were
                      wrong, I'd be glad to go forward. Should I be
                      removing the yum squid package and compiling my own?
                      Is 3.5 problematic besides being old?<br>
                      <div>
                        <div class="gmail_extra"><br>
                          <div class="gmail_quote">On Mon, Sep 11, 2017
                            at 4:02 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
                            wrote:<br>
                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                              <div text="#000000" bgcolor="#FFFFFF">
                                <p>Wait. Squid 3.5.20? So ancient?<br>
                                </p>
                                <br>
                                <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004moz-cite-prefix">12.09.2017
                                  1:58, Rohit Sodhia пишет:<br>
                                </div>
                                <div>
                                  <div class="m_-469225490075285610m_-2418983803487464905h5">
                                    <blockquote type="cite">
                                      <div dir="ltr">
                                        <div>
                                          <div>sslcrtd_program
                                            /usr/lib64/squid/ssl_crtd -s
                                            /var/lib/ssl_db -M 4MB<br>
                                          </div>
                                          <br>
                                        </div>
                                        I used the line from the Stack
                                        Overflow question I linked
                                        earlier.<br>
                                      </div>
                                      <div class="gmail_extra"><br>
                                        <div class="gmail_quote">On Mon,
                                          Sep 11, 2017 at 3:41 PM, Yuri
                                          <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
                                          wrote:<br>
                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                            <div text="#000000" bgcolor="#FFFFFF">
                                              <p>Well. Let's check more
                                                deeply.</p>
                                              <p>Show me parameter
                                                sslcrtd_program in your
                                                squid.conf<br>
                                              </p>
                                              <br>
                                              <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700moz-cite-prefix">12.09.2017
                                                1:23, Rohit Sodhia
                                                wrote:<br>
                                              </div>
                                              <div>
                                                <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004h5">
                                                  <blockquote type="cite">
                                                    <div dir="ltr">
                                                      <div>
                                                        <div>Unfortunately,
                                                          no luck yet.
                                                          Thank you
                                                          again for your
                                                          help before.<br>
                                                          <br>
                                                        </div>
                                                        I found that the
                                                        user squid and
                                                        group squid
                                                        existed already,
                                                        so I added<br>
                                                        <br>
cache_effective_user squid<br>
cache_effective_group squid<br>
                                                        <br>
                                                      </div>
                                                      to my config
                                                      (first two lines),
                                                      made sure
                                                      /var/lib/ssl_db
                                                      and its contents
                                                      were set to
                                                      squid:squid and
                                                      restarted the
                                                      service, but I'm
                                                      still getting the
                                                      same error :(<br>
                                                    </div>
                                                    <div class="gmail_extra"><br>
                                                      <div class="gmail_quote">On
                                                        Mon, Sep 11,
                                                        2017 at 2:42 PM,
                                                        Rohit Sodhia <span dir="ltr"><<a href="mailto:sodhia.rohit@gmail.com" target="_blank">sodhia.rohit@gmail.com</a>></span>
                                                        wrote:<br>
                                                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div dir="ltr">I'll
                                                          try that
                                                          immediately,
                                                          thanks! I
                                                          appreciate all
                                                          your advice;
                                                          hopefully I
                                                          won't have to
                                                          reach out
                                                          again :p<br>
                                                          </div>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700HOEnZb">
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700h5">
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:39
                                                          PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div text="#000000" bgcolor="#FFFFFF">
                                                          <p>I'm not a
                                                          Linux fanboy,
                                                          but modern
                                                          squid never
                                                          runs as root.
                                                          So, most
                                                          probably it
                                                          runs as nobody
                                                          user.</p>
                                                          <p>Ah, yes:</p>
                                                          <p>#  TAG:
                                                          cache_effective_user<br>
                                                          #    If you
                                                          start Squid as
                                                          root, it will
                                                          change its
                                                          effective/real<br>
                                                          #    UID/GID
                                                          to the user
                                                          specified
                                                          below.  The
                                                          default is to
                                                          change<br>
                                                          #    to UID of
                                                          nobody.<br>
                                                          #    see also;
cache_effective_group<br>
                                                          #Default:<br>
                                                          #
                                                          cache_effective_user
                                                          nobody<br>
                                                          <br>
                                                          #  TAG:
                                                          cache_effective_group<br>
                                                          #    Squid
                                                          sets the GID
                                                          to the
                                                          effective
                                                          user's default
                                                          group ID<br>
                                                          #    (taken
                                                          from the
                                                          password file)
                                                          and
                                                          supplementary
                                                          group list<br>
                                                          #    from the
                                                          groups
                                                          membership.<br>
                                                          #<br>
                                                          #    If you
                                                          want Squid to
                                                          run with a
                                                          specific GID
                                                          regardless of<br>
                                                          #    the group
                                                          memberships of
                                                          the effective
                                                          user then set
                                                          this<br>
                                                          #    to the
                                                          group (or GID)
                                                          you want Squid
                                                          to run as.
                                                          When set<br>
                                                          #    all other
                                                          group
                                                          privileges of
                                                          the effective
                                                          user are
                                                          ignored<br>
                                                          #    and only
                                                          this GID is
                                                          effective. If
                                                          Squid is not
                                                          started as<br>
                                                          #    root the
                                                          user starting
                                                          Squid MUST be
                                                          member of the
                                                          specified<br>
                                                          #    group.<br>
                                                          #<br>
                                                          #    This
                                                          option is not
                                                          recommended by
                                                          the Squid
                                                          Team.<br>
                                                          #    Our
                                                          preference is
                                                          for
                                                          administrators
                                                          to configure a
                                                          secure<br>
                                                          #    user
                                                          account for
                                                          squid with
                                                          UID/GID
                                                          matching
                                                          system
                                                          policies.<br>
                                                          #Default:<br>
                                                          # Use system
                                                          group
                                                          memberships of
                                                          the
                                                          cache_effective_user
                                                          account<br>
                                                          </p>
                                                          <p>As
                                                          documented. :)</p>
                                                          <p>AFAIK best
                                                          solution is
                                                          to create
                                                          non-privileged
                                                          group &
                                                          user (like
                                                          squid/squid)
                                                          and set both
                                                          these
                                                          parameters
                                                          explicitly.</p>
                                                          <p>Then change
                                                          owner
                                                          recursively on
                                                          SSL cache to
                                                          this user.<br>
                                                          </p>
                                                          <br>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972moz-cite-prefix">12.09.2017
                                                          0:36, Rohit
                                                          Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590h5">
                                                          <blockquote type="cite">
                                                          <div dir="ltr">Neither
                                                          of those
                                                          values are set
                                                          in my config.
                                                          Even though
                                                          I'm not using
                                                          squid for
                                                          caching, I
                                                          need those
                                                          values? They
                                                          aren't set in
                                                          the default
                                                          configs
                                                          either.<br>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:33
                                                          PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div text="#000000" bgcolor="#FFFFFF">
                                                          <p>Most
                                                          probably your
                                                          squid runs as
                                                          another user
                                                          than squid.</p>
                                                          <p>Check your
                                                          squid.conf for
cache_effective_user and cache_effective_group values.</p>
                                                          <p>Then change
                                                          SSL cache
                                                          permissions to
                                                          these values.
                                                          Should work.<br>
                                                          </p>
                                                          <br>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659moz-cite-prefix">12.09.2017
                                                          0:30, Rohit
                                                          Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972h5">
                                                          <blockquote type="cite">
                                                          <div dir="ltr">
                                                          <div>Thanks
                                                          for the
                                                          feedback! I
                                                          just used yum
                                                          (it's a CentOS
                                                          7 VB) and it
                                                          set it up like
                                                          that. I
                                                          changed the
                                                          owner and
                                                          group to
                                                          squid:squid
                                                          and tried
                                                          restarting
                                                          squid, but
                                                          still get the
                                                          same errors. I
                                                          thought to run
                                                          the command
                                                          again, but
                                                          this time it
                                                          says<br>
                                                          <br>
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db<br>
                                                          <br>
                                                          </div>
                                                          If this folder
                                                          has incorrect
                                                          permissions,
                                                          are there
                                                          possibly other
                                                          permission
                                                          issues?<br>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:25
                                                          PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div text="#000000" bgcolor="#FFFFFF">
                                                          <p>Here is the
                                                          root of your
                                                          problem.</p>
                                                          <p>Should be
                                                          (on my
                                                          setups):</p>
                                                          <p># ls -al
                                                          /var/lib/ssl_db<br>
                                                          total 326<br>
                                                          drwxr-xr-x 3
                                                          squid
                                                          squid      5
                                                          Sep  5 00:53 .<br>
                                                          drwxr-xr-x 8
                                                          root 
                                                          other      8
                                                          Sep  5 00:53
                                                          ..<br>
                                                          drwxr-xr-x 2
                                                          squid squid   
                                                          454 Sep 11
                                                          23:37 certs<br>
                                                          -rw-r--r-- 1
                                                          squid squid
                                                          280575 Sep 11
                                                          23:37
                                                          index.txt<br>
                                                          -rw-r--r-- 1
                                                          squid
                                                          squid      7
                                                          Sep 11 23:37
                                                          size<br>
                                                          </p>
                                                          <p>I.e. Squid
                                                          has no access
                                                          to SSL cache
                                                          dir
                                                          structures. <br>
                                                          </p>
                                                          <br>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566moz-cite-prefix">12.09.2017
                                                          0:23, Rohit
                                                          Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659h5">
                                                          <blockquote type="cite">
                                                          <div dir="ltr">total 8<br>
                                                          drwxr-xr-x.  3 root root   48 Sep 11 12:42 .<br>
                                                          drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..<br>
                                                          drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs<br>
                                                          -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt<br>
                                                          -rw-r--r--.  1 root root    1 Sep 11 12:42 size<br>
                                                          <br>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On Mon, Sep 11, 2017 at 2:22 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div text="#000000" bgcolor="#FFFFFF">
                                                          <p>Show output of <br>
                                                          </p>
                                                          <p>ls -al /var/lib/ssl_db</p>
                                                          <br>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387moz-cite-prefix">12.09.2017 0:21, Rohit Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566h5">
                                                          <blockquote type="cite">
                                                          <div dir="ltr">Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.<br>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On Mon, Sep 11, 2017 at 2:17 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It tells you what happens.<br>
                                                          <br>
                                                          <br>
                                                          11.09.2017 23:50, Rohit Sodhia wrote:<br>
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387HOEnZb">
                                                          <div class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387h5">> (ssl_crtd): Uninitialized SSL certificate database directory:<br>
                                                          > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".<br>
                                                          <br>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <br>
______________________________<wbr>_________________<br>
                                                          squid-users
                                                          mailing list<br>
                                                          <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
                                                          <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                      </div>
                                                      <br>
                                                    </div>
                                                  </blockquote>
                                                  <br>
                                                </div>
                                              </div>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </blockquote>
                                    <br>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>