<div dir="ltr">Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the problem?<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 11, 2017 at 4:07 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Seems the latest 4.0.21 is good enough. Most critical SSL-related bugs are almost closed or closed.</p>
<p>At least the latest 3.5.27 is released. AFAIK this is the minimum for problem-free running.</p>
<p>Repository software sometimes has strange quirks, or is sometimes rancid.<br>
</p>
12.09.2017 2:05, Rohit Sodhia wrote:<div><div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">I'll try to find it, but I read a few articles/SO
questions that suggested there were bugs in 4 relating to SSL
bumping? If they were wrong, I'd be glad to go forward. Should I
be removing the yum squid package and compile my own? Is 3.5
problematic besides being old?<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at 4:02 PM,
Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Wait. Squid 3.5.20? So ancient?<br>
</p>
<br>
<div class="m_-2418983803487464905m_-6916847273826587004moz-cite-prefix">12.09.2017
1:58, Rohit Sodhia пишет:<br>
</div>
<div>
<div class="m_-2418983803487464905h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
</div>
<br>
</div>
I used the line from the Stack Overflow question I linked earlier.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017
at 3:41 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Well. Let's check deeper.</p>
<p>Show me the sslcrtd_program parameter in your squid.conf<br>
</p>
<br>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700moz-cite-prefix">12.09.2017
1:23, Rohit Sodhia пишет:<br>
</div>
<div>
<div class="m_-2418983803487464905m_-6916847273826587004h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Unfortunately, no luck yet. Thank you again for your help before.<br>
<br>
</div>
I found that the user squid and group squid existed already, so I added<br>
<br>
cache_effective_user squid<br>
cache_effective_group squid<br>
<br>
</div>
to my config (first two lines), made sure /var/lib/ssl_db and its contents were set to squid:squid and restarted the service, but I'm still getting the same error :(<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon,
Sep 11, 2017 at 2:42 PM, Rohit
Sodhia <span dir="ltr"><<a href="mailto:sodhia.rohit@gmail.com" target="_blank">sodhia.rohit@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I'll try that
immediately, thanks! I
appreciate all your
advice; hopefully I won't
have to reach out again :p<br>
</div>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700HOEnZb">
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11, 2017 at
2:39 PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>I'm not a Linux fanboy, but modern squid never runs as root. So, most probably it runs as the nobody user.</p>
<p>Ah, yes:</p>
<p># TAG: cache_effective_user<br>
# If you start Squid as root, it will change its effective/real<br>
# UID/GID to the user specified below. The default is to change<br>
# to UID of nobody.<br>
# see also; cache_effective_group<br>
#Default:<br>
# cache_effective_user nobody<br>
<br>
# TAG: cache_effective_group<br>
# Squid sets the GID to the effective user's default group ID<br>
# (taken from the password file) and supplementary group list<br>
# from the groups membership.<br>
#<br>
# If you want Squid to run with a specific GID regardless of<br>
# the group memberships of the effective user then set this<br>
# to the group (or GID) you want Squid to run as. When set<br>
# all other group privileges of the effective user are ignored<br>
# and only this GID is effective. If Squid is not started as<br>
# root the user starting Squid MUST be member of the specified<br>
# group.<br>
#<br>
# This option is not recommended by the Squid Team.<br>
# Our preference is for administrators to configure a secure<br>
# user account for squid with UID/GID matching system policies.<br>
#Default:<br>
# Use system group memberships of the cache_effective_user account<br>
</p>
<p>As documented. :)</p>
<p>AFAIK the best solution is to create a non-privileged group & user (like squid/squid) and set both these parameters explicitly.</p>
<p>Then change the owner recursively on the SSL cache to this user.<br>
</p>
<br>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972moz-cite-prefix">12.09.2017
0:36, Rohit
Sodhia пишет:<br>
</div>
<div>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590h5">
<blockquote type="cite">
<div dir="ltr">Neither
of those
values are set
in my config.
Even though
I'm not using
squid for
caching, I
need those
values? They
aren't set in
the default
configs
either.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:33
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Most probably your squid runs as a user other than squid.</p>
<p>Check your squid.conf for the cache_effective_user and cache_effective_group values.</p>
<p>Then change the SSL cache permissions to these values. Should work.<br>
</p>
<br>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659moz-cite-prefix">12.09.2017
0:30, Rohit
Sodhia пишет:<br>
</div>
<div>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972h5">
<blockquote type="cite">
<div dir="ltr">
<div>Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says<br>
<br>
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db<br>
<br>
</div>
If this folder has incorrect permissions, are there possibly other permission issues?<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:25
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Here is the root of the problem.</p>
<p>Should be (on my setups):</p>
<p># ls -al /var/lib/ssl_db<br>
total 326<br>
drwxr-xr-x 3 squid squid 5 Sep 5 00:53 .<br>
drwxr-xr-x 8 root other 8 Sep 5 00:53 ..<br>
drwxr-xr-x 2 squid squid 454 Sep 11 23:37 certs<br>
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt<br>
-rw-r--r-- 1 squid squid 7 Sep 11 23:37 size<br>
</p>
<p>I.e. Squid has no access to the SSL cache directory structures.<br>
</p>
<br>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566moz-cite-prefix">12.09.2017
0:23, Rohit
Sodhia пишет:<br>
</div>
<div>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659h5">
<blockquote type="cite">
<div dir="ltr">total
8<br>
drwxr-xr-x. 3
root root 48
Sep 11 12:42 .<br>
drwxr-xr-x. 32
root root 4096
Sep 11 12:42
..<br>
drwxr-xr-x. 2
root root 6
Sep 11 12:42
certs<br>
-rw-r--r--. 1
root root 0
Sep 11 12:42
index.txt<br>
-rw-r--r--. 1
root root 1
Sep 11 12:42
size<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:22
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Show the output of<br>
</p>
<p>ls -al /var/lib/ssl_db</p>
<br>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387moz-cite-prefix">12.09.2017
0:21, Rohit
Sodhia пишет:<br>
</div>
<div>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566h5">
<blockquote type="cite">
<div dir="ltr">Yes,
but telling me
it's crashing
unfortunately
doesn't help
me figure out
why or how to
fix it. I've
run the
command it
suggests but
it doesn't
help. I'm
unfortunately
not an ops guy
familiar with
this kind of
stuff; I don't
see anything
on how to
figure out
what to do
about it.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11,
2017 at 2:17
PM, Yuri <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It
tells you
what's
happens.<br>
<br>
<br>
11.09.2017
23:50, Rohit
Sodhia пишет:<br>
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387HOEnZb">
<div class="m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387h5">>
(ssl_crtd):
Uninitialized
SSL
certificate
database
directory:<br>
>
/var/lib/ssl_db.
To initialize,
run "ssl_crtd
-c -s
/var/lib/ssl_db".<br>
<br>
<br>
</div>
</div>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
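The ownership check Yuri walks the asker through above (compare cache_effective_user and cache_effective_group in squid.conf with the owner and mode of everything under /var/lib/ssl_db), as an added Python example that is not from this thread or from the Squid project. The squid.conf fragment and the two directory listings embedded in it are constructed from the messages above; scan_dir builds the same kind of listing from a live directory.

```python
"""Added check for the permission problem discussed in this thread (not Squid
project code): is /var/lib/ssl_db writable by the identity Squid drops to?"""
import grp
import os
import pwd
import stat

def effective_identity(conf_text):
    """(user, group) from squid.conf, with the documented defaults: user
    'nobody'; group None, i.e. taken from the user's own group memberships."""
    user, group = "nobody", None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments
        if len(parts) == 2 and parts[0] == "cache_effective_user":
            user = parts[1]
        elif len(parts) == 2 and parts[0] == "cache_effective_group":
            group = parts[1]
    return user, group

def audit_ssl_db(conf_text, listing):
    """listing: (name, owner, group, mode) tuples as printed by 'ls -al'.
    Returns the entries ssl_crtd could not write as the configured identity."""
    user, group = effective_identity(conf_text)
    problems = []
    for name, owner, grp_name, mode in listing:
        perms = mode[1:]                               # strip file-type char
        writable = (owner == user and perms[1] == "w") or (
            group is not None and grp_name == group and perms[4] == "w")
        if not writable:
            problems.append(f"{name}: {owner}:{grp_name} {mode}, not writable by {user}")
    return problems

def scan_dir(path):
    """Build a listing from a live directory (e.g. /var/lib/ssl_db), resolving
    uid/gid to names the way 'ls -al' prints them."""
    listing = []
    for root, _dirs, files in os.walk(path):
        for name in ["."] + files:
            full = os.path.join(root, name)
            st = os.stat(full)
            listing.append((os.path.relpath(full, path), pwd.getpwuid(st.st_uid).pw_name,
                            grp.getgrgid(st.st_gid).gr_name, stat.filemode(st.st_mode)))
    return listing

# Constructed samples: the asker's config, and the two listings posted in the thread.
SAMPLE_CONF = "cache_effective_user squid\ncache_effective_group squid\n"
ROOT_OWNED = [(".", "root", "root", "drwxr-xr-x"), ("certs", "root", "root", "drwxr-xr-x"),
              ("index.txt", "root", "root", "-rw-r--r--"), ("size", "root", "root", "-rw-r--r--")]
SQUID_OWNED = [(n, "squid", "squid", m) for n, _, _, m in ROOT_OWNED]
```

On a live host, `audit_ssl_db(open("/etc/squid/squid.conf").read(), scan_dir("/var/lib/ssl_db"))` returns an empty list when the cache is writable by the configured identity; a non-empty list points at the entries to chown.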