<div dir="ltr">I'll try to find it, but I read a few articles/SO questions that suggested there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be glad to go forward. Should I be removing the yum squid package and compiling my own? Is 3.5 problematic besides being old?<br><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 11, 2017 at 4:02 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Wait. Squid 3.5.20? So ancient?<br>
</p>
<br>
<div class="m_-6916847273826587004moz-cite-prefix">12.09.2017 1:58, Rohit Sodhia wrote:<br>
</div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>sslcrtd_program /usr/lib64/squid/ssl_crtd -s
/var/lib/ssl_db -M 4MB<br>
</div>
<br>
</div>
I used the line from the Stack Overflow question I linked
earlier.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at 3:41 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Well. Let's check more deeply.</p>
<p>Show me the sslcrtd_program parameter in your squid.conf<br>
</p>
<br>
<div class="m_-6916847273826587004m_478221293728653700moz-cite-prefix">12.09.2017
1:23, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-6916847273826587004h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Unfortunately, no luck yet. Thank you again
for your help before.<br>
<br>
</div>
I found that the user squid and group squid
existed already, so I added<br>
<br>
cache_effective_user squid<br>
cache_effective_group squid<br>
<br>
</div>
to my config (first two lines), made sure
/var/lib/ssl_db and its contents were set to
squid:squid and restarted the service, but I'm
still getting the same error :(<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at
2:42 PM, Rohit Sodhia <span dir="ltr"><<a href="mailto:sodhia.rohit@gmail.com" target="_blank">sodhia.rohit@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I'll try that immediately,
thanks! I appreciate all your advice;
hopefully I won't have to reach out again :p<br>
</div>
<div class="m_-6916847273826587004m_478221293728653700HOEnZb">
<div class="m_-6916847273826587004m_478221293728653700h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11,
2017 at 2:39 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>I'm not a Linux fanboy, but
modern squid never runs as root.
So, most probably it runs as
nobody user.</p>
<p>Ah, yes:</p>
<p># TAG: cache_effective_user<br>
# If you start Squid as root,
it will change its
effective/real<br>
# UID/GID to the user
specified below. The default is
to change<br>
# to UID of nobody.<br>
# see also;
cache_effective_group<br>
#Default:<br>
# cache_effective_user nobody<br>
<br>
# TAG: cache_effective_group<br>
# Squid sets the GID to the
effective user's default group
ID<br>
# (taken from the password
file) and supplementary group
list<br>
# from the groups membership.<br>
#<br>
# If you want Squid to run
with a specific GID regardless
of<br>
# the group memberships of
the effective user then set this<br>
# to the group (or GID) you
want Squid to run as. When set<br>
# all other group privileges
of the effective user are
ignored<br>
# and only this GID is
effective. If Squid is not
started as<br>
# root the user starting
Squid MUST be member of the
specified<br>
# group.<br>
#<br>
# This option is not
recommended by the Squid Team.<br>
# Our preference is for
administrators to configure a
secure<br>
# user account for squid with
UID/GID matching system
policies.<br>
#Default:<br>
# Use system group memberships
of the cache_effective_user
account<br>
</p>
<p>As documented. :)</p>
<p>AFAIK the best solution is to create
a non-privileged group & user
(like squid/squid) and set both
of these parameters explicitly.</p>
<p>Then change owner recursively
on SSL cache to this user.<br>
</p>
<br>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972moz-cite-prefix">12.09.2017
0:36, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590h5">
<blockquote type="cite">
<div dir="ltr">Neither of
those values are set in my
config. Even though I'm
not using squid for
caching, I need those
values? They aren't set in
the default configs
either.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11, 2017 at
2:33 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Most probably your
squid runs as
another user than
squid.</p>
<p>Check your
squid.conf for
cache_effective_user
and
cache_effective_group
values.</p>
<p>Then change SSL
cache permissions
to these values.
Should work.<br>
</p>
<br>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659moz-cite-prefix">12.09.2017
0:30, Rohit Sodhia
wrote:<br>
</div>
<div>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972h5">
<blockquote type="cite">
<div dir="ltr">
<div>Thanks
for the
feedback! I
just used yum
(it's a CentOS
7 VB) and it
set it up like
that. I
changed the
owner and
group to
squid:squid
and tried
restarting
squid, but
still get the
same errors. I
thought to run
the command
again, but
this time it
says<br>
<br>
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db<br>
<br>
</div>
If this folder
has incorrect
permissions
are there
possibly other
permission
issues?<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:25
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Here is the
root of your
problem.</p>
<p>Should be
(on my
setups):</p>
<p># ls -al
/var/lib/ssl_db<br>
total 326<br>
drwxr-xr-x 3
squid
squid 5
Sep 5 00:53 .<br>
drwxr-xr-x 8
root
other 8
Sep 5 00:53
..<br>
drwxr-xr-x 2
squid squid
454 Sep 11
23:37 certs<br>
-rw-r--r-- 1
squid squid
280575 Sep 11
23:37
index.txt<br>
-rw-r--r-- 1
squid
squid 7
Sep 11 23:37
size<br>
</p>
<p>I.e. Squid
has no access
to SSL cache
dir
structures. <br>
</p>
<br>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566moz-cite-prefix">12.09.2017
0:23, Rohit
Sodhia wrote:<br>
</div>
<div>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659h5">
<blockquote type="cite">
<div dir="ltr">total
8<br>
drwxr-xr-x. 3
root root 48
Sep 11 12:42 .<br>
drwxr-xr-x. 32
root root 4096
Sep 11 12:42
..<br>
drwxr-xr-x. 2
root root 6
Sep 11 12:42
certs<br>
-rw-r--r--. 1
root root 0
Sep 11 12:42
index.txt<br>
-rw-r--r--. 1
root root 1
Sep 11 12:42
size<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:22
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Show output
of <br>
</p>
<p>ls -al
/var/lib/ssl_db</p>
<br>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387moz-cite-prefix">12.09.2017
0:21, Rohit
Sodhia wrote:<br>
</div>
<div>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566h5">
<blockquote type="cite">
<div dir="ltr">Yes,
but telling me
it's crashing
unfortunately
doesn't help
me figure out
why or how to
fix it. I've
run the
command it
suggests but
it doesn't
help. I'm
unfortunately
not an ops guy
familiar with
this kind of
stuff; I don't
see anything
on how to
figure out
what to do
about it.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:17
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It
tells you
what's
happening.<br>
<br>
<br>
11.09.2017
23:50, Rohit
Sodhia wrote:<br>
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387HOEnZb">
<div class="m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387h5">>
(ssl_crtd):
Uninitialized
SSL
certificate
database
directory:<br>
>
/var/lib/ssl_db.
To initialize,
run "ssl_crtd
-c -s
/var/lib/ssl_db".<br>
<br>
<br>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
squid-users
mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div></div></div>
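<p>The ownership check discussed in this thread, as an added example that is not part of the original messages or of Squid itself: it reads cache_effective_user (default nobody, per the quoted documentation), cache_effective_group and the -s directory of sslcrtd_program from squid.conf, then lists every path in the certificate database that the effective user does not own. The function names are hypothetical, and the script assumes the last uncommented occurrence of a directive is the one in effect.</p>

```shell
#!/bin/sh
# Added example: audit ownership of the ssl_crtd certificate database.
# Function names are illustrative; they are not part of Squid.

# Print the value of a squid.conf directive, or a default when it is absent
# or commented out. Assumption: the last uncommented occurrence is effective.
conf_value() {
    # $1 = squid.conf path, $2 = directive name, $3 = default value
    val=$(awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Extract the directory given to -s on the sslcrtd_program line.
ssl_db_dir() {
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i < NF; i++) if ($i == "-s") d = $(i + 1)
         } END { print d }' "$1"
}

# List every path under the database NOT owned by the effective user
# (and group, when cache_effective_group is set explicitly).
# Returns 0 and prints nothing when ownership is consistent,
# 1 when mismatches were printed, 2 when the directory is missing.
audit_ssl_db() {
    conf=$1
    user=$(conf_value "$conf" cache_effective_user nobody)
    group=$(conf_value "$conf" cache_effective_group "")
    dir=${2:-$(ssl_db_dir "$conf")}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    if [ -n "$group" ]; then
        bad=$(find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print)
    else
        bad=$(find "$dir" ! -user "$user" -print)
    fi
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage: audit_ssl_db /etc/squid/squid.conf
```

<p>Any path it prints still needs the recursive ownership change described above before ssl_crtd can use the database.</p>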