<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Everything happens once for the first time;)<br>
    </p>
    <br>
    <div class="moz-cite-prefix">12.09.2017 2:18, Rohit Sodhia wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAN1w9tfQt3Mivwpyo+u3Qp0agQ8pOgz2MGo2Wvb5AdGU3zbkjw@mail.gmail.com">
      <div dir="ltr">Ok. Looks like 3.5.20 is the latest on the yum repo
        I'm using, so guess I'll have to learn how to compile it myself;
        never compiled a package before.<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Sep 11, 2017 at 4:17 PM, Yuri <span
            dir="ltr"><<a href="mailto:yvoinov@gmail.com"
              target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hardly,<br>
              <br>
              most probably something in repo's package. However,
              upgrade is always recommended, especially with modern
              functionality. It changes fast enough.<br>
              <br>
              <div class="m_-469225490075285610moz-cite-prefix">12.09.2017
                2:15, Rohit Sodhia wrote:<br>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">Ah. I'm on 3.5.20; not sure how far
                      back that is. Is that the core of the problem?<br>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Mon, Sep 11, 2017 at
                        4:07 PM, Yuri <span dir="ltr"><<a
                            href="mailto:yvoinov@gmail.com"
                            target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF">
                            <p>Seems the latest 4.0.21 is good enough. Most
                              critical SSL-related bugs are almost closed or
                              closed.</p>
                            <p>At least the latest 3.5.27 is released. AFAIK
                              this is the minimum for problem-free running.</p>
                            <p>Repository software sometimes has
                              strange quirks, or is sometimes rancid.<br>
                            </p>
                            12.09.2017 2:05, Rohit Sodhia пишет:
                            <div>
                              <div class="m_-469225490075285610h5"><br>
                                <blockquote type="cite">
                                  <div dir="ltr">I'll try to find it,
                                    but I read a few articles/SO
                                    questions that suggested there were
                                    bugs in 4 relating to SSL bumping?
                                    If they were wrong, I'd be glad to
                                    go forward. Should I be removing the
                                    yum squid package and compiling my
                                    own? Is 3.5 problematic besides
                                    being old?<br>
                                    <div>
                                      <div class="gmail_extra"><br>
                                        <div class="gmail_quote">On Mon,
                                          Sep 11, 2017 at 4:02 PM, Yuri
                                          <span dir="ltr"><<a
                                              href="mailto:yvoinov@gmail.com"
                                              target="_blank"
                                              moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                                          wrote:<br>
                                          <blockquote
                                            class="gmail_quote"
                                            style="margin:0 0 0
                                            .8ex;border-left:1px #ccc
                                            solid;padding-left:1ex">
                                            <div text="#000000"
                                              bgcolor="#FFFFFF">
                                              <p>Wait. Squid 3.5.20? So
                                                ancient?<br>
                                              </p>
                                              <br>
                                              <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004moz-cite-prefix">12.09.2017
                                                1:58, Rohit Sodhia
                                                wrote:<br>
                                              </div>
                                              <div>
                                                <div
                                                  class="m_-469225490075285610m_-2418983803487464905h5">
                                                  <blockquote
                                                    type="cite">
                                                    <div dir="ltr">
                                                      <div>
                                                        <div>sslcrtd_program
/usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
                                                        </div>
                                                        <br>
                                                      </div>
                                                      I used the line
                                                      from the Stack
                                                      Overflow question
                                                      I linked earlier.<br>
                                                    </div>
                                                    <div
                                                      class="gmail_extra"><br>
                                                      <div
                                                        class="gmail_quote">On
                                                        Mon, Sep 11,
                                                        2017 at 3:41 PM,
                                                        Yuri <span
                                                          dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                                                        wrote:<br>
                                                        <blockquote
                                                          class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div
                                                          text="#000000"
bgcolor="#FFFFFF">
                                                          <p>Well. Let's
                                                          check more
                                                          deeply.</p>
                                                          <p>Show me the
                                                          parameter
                                                          sslcrtd_program
                                                          in your
                                                          squid.conf<br>
                                                          </p>
                                                          <br>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700moz-cite-prefix">12.09.2017
                                                          1:23, Rohit
                                                          Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004h5">
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>Unfortunately,
                                                          no luck yet.
                                                          Thank you
                                                          again for your
                                                          help before.<br>
                                                          <br>
                                                          </div>
                                                          I found that
                                                          the user squid
                                                          and group
                                                          squid existed
                                                          already, so I
                                                          added<br>
                                                          <br>
cache_effective_user squid<br>
cache_effective_group squid<br>
                                                          <br>
                                                          </div>
                                                          to my config
                                                          (first two
                                                          lines), made
                                                          sure
                                                          /var/lib/ssl_db
                                                          and its
                                                          contents were
                                                          set to
                                                          squid:squid
                                                          and restarted
                                                          the service,
                                                          but I'm still
                                                          getting the
                                                          same error :(<br>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:42
                                                          PM, Rohit
                                                          Sodhia <span
                                                          dir="ltr"><<a
href="mailto:sodhia.rohit@gmail.com" target="_blank"
                                                          moz-do-not-send="true">sodhia.rohit@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div dir="ltr">I'll
                                                          try that
                                                          immediately,
                                                          thanks! I
                                                          appreciate all
                                                          your advice;
                                                          hopefully I
                                                          won't have to
                                                          reach out
                                                          again :p<br>
                                                          </div>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700HOEnZb">
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700h5">
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:39
                                                          PM, Yuri <span
                                                          dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div
                                                          text="#000000"
bgcolor="#FFFFFF">
                                                          <p>I'm not a
                                                          Linux fanboy,
                                                          but modern
                                                          squid never
                                                          runs as root.
                                                          So, most
                                                          probably it
                                                          runs as the nobody
                                                          user.</p>
                                                          <p>Ah, yes:</p>
                                                          <p>#  TAG:
                                                          cache_effective_user<br>
                                                          #    If you
                                                          start Squid as
                                                          root, it will
                                                          change its
                                                          effective/real<br>
                                                          #    UID/GID
                                                          to the user
                                                          specified
                                                          below.  The
                                                          default is to
                                                          change<br>
                                                          #    to UID of
                                                          nobody.<br>
                                                          #    see also;
cache_effective_group<br>
                                                          #Default:<br>
                                                          #
                                                          cache_effective_user
                                                          nobody<br>
                                                          <br>
                                                          #  TAG:
                                                          cache_effective_group<br>
                                                          #    Squid
                                                          sets the GID
                                                          to the
                                                          effective
                                                          user's default
                                                          group ID<br>
                                                          #    (taken
                                                          from the
                                                          password file)
                                                          and
                                                          supplementary
                                                          group list<br>
                                                          #    from the
                                                          groups
                                                          membership.<br>
                                                          #<br>
                                                          #    If you
                                                          want Squid to
                                                          run with a
                                                          specific GID
                                                          regardless of<br>
                                                          #    the group
                                                          memberships of
                                                          the effective
                                                          user then set
                                                          this<br>
                                                          #    to the
                                                          group (or GID)
                                                          you want Squid
                                                          to run as.
                                                          When set<br>
                                                          #    all other
                                                          group
                                                          privileges of
                                                          the effective
                                                          user are
                                                          ignored<br>
                                                          #    and only
                                                          this GID is
                                                          effective. If
                                                          Squid is not
                                                          started as<br>
                                                          #    root the
                                                          user starting
                                                          Squid MUST be
                                                          member of the
                                                          specified<br>
                                                          #    group.<br>
                                                          #<br>
                                                          #    This
                                                          option is not
                                                          recommended by
                                                          the Squid
                                                          Team.<br>
                                                          #    Our
                                                          preference is
                                                          for
                                                          administrators
                                                          to configure a
                                                          secure<br>
                                                          #    user
                                                          account for
                                                          squid with
                                                          UID/GID
                                                          matching
                                                          system
                                                          policies.<br>
                                                          #Default:<br>
                                                          # Use system
                                                          group
                                                          memberships of
                                                          the
                                                          cache_effective_user
                                                          account<br>
                                                          </p>
                                                          <p>As
                                                          documented. :)</p>
                                                          <p>AFAIK the best
                                                          solution is
                                                          to create a
                                                          non-privileged
                                                          group &
                                                          user (like
                                                          squid/squid)
                                                          and set both
                                                          these
                                                          parameters
                                                          explicitly.</p>
                                                          <p>Then change
                                                          owner
                                                          recursively on
                                                          SSL cache to
                                                          this user.<br>
                                                          </p>
                                                          <br>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972moz-cite-prefix">12.09.2017
                                                          0:36, Rohit
                                                          Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590h5">
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">Neither
                                                          of those
                                                          values are set
                                                          in my config.
                                                          Even though
                                                          I'm not using
                                                          squid for
                                                          caching, I
                                                          need those
                                                          values? They
                                                          aren't set in
                                                          the default
                                                          configs
                                                          either.<br>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:33
                                                          PM, Yuri <span
                                                          dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div
                                                          text="#000000"
bgcolor="#FFFFFF">
                                                          <p>Most
                                                          probably your
                                                          squid runs as
                                                          another user
                                                          than squid.</p>
                                                          <p>Check your
                                                          squid.conf for
cache_effective_user and cache_effective_group values.</p>
                                                          <p>Then change
                                                          SSL cache
                                                          permissions to
                                                          these values.
                                                          Should work.<br>
                                                          </p>
                                                          <br>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659moz-cite-prefix">12.09.2017
                                                          0:30, Rohit
                                                          Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972h5">
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">
                                                          <div>Thanks
                                                          for the
                                                          feedback! I
                                                          just used yum
                                                          (it's a CentOS
                                                          7 VB) and it
                                                          set it up like
                                                          that. I
                                                          changed the
                                                          owner and
                                                          group to
                                                          squid:squid
                                                          and tried
                                                          restarting
                                                          squid, but
                                                          still get the
                                                          same errors. I
                                                          thought to run
                                                          the command
                                                          again, but
                                                          this time it
                                                          says<br>
                                                          <br>
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db<br>
                                                          <br>
                                                          </div>
                                                          If this folder
                                                          has incorrect
                                                          permissions
                                                          are there
                                                          possibly other
                                                          permission
                                                          issues?<br>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:25
                                                          PM, Yuri <span
                                                          dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div
                                                          text="#000000"
bgcolor="#FFFFFF">
                                                          <p>Here is the root of your problem.</p>
                                                          <p>Should be
                                                          (on my
                                                          setups):</p>
                                                          <p># ls -al /var/lib/ssl_db<br>
                                                          total 326<br>
                                                          drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .<br>
                                                          drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..<br>
                                                          drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs<br>
                                                          -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt<br>
                                                          -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size<br>
                                                          </p>
                                                          <p>I.e. Squid
                                                          has no access
                                                          to SSL cache
                                                          dir
                                                          structures. <br>
                                                          </p>
                                                          <br>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566moz-cite-prefix">12.09.2017
                                                          0:23, Rohit Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659h5">
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">total 8<br>
                                                          drwxr-xr-x.  3 root root   48 Sep 11 12:42 .<br>
                                                          drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..<br>
                                                          drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs<br>
                                                          -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt<br>
                                                          -rw-r--r--.  1 root root    1 Sep 11 12:42 size<br>
                                                          <br>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:22
                                                          PM, Yuri <span
                                                          dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div
                                                          text="#000000"
bgcolor="#FFFFFF">
                                                          <p>Show output
                                                          of <br>
                                                          </p>
                                                          <p>ls -al
                                                          /var/lib/ssl_db</p>
                                                          <br>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387moz-cite-prefix">12.09.2017
                                                          0:21, Rohit Sodhia wrote:<br>
                                                          </div>
                                                          <div>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566h5">
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">Yes,
                                                          but telling me
                                                          it's crashing
                                                          unfortunately
                                                          doesn't help
                                                          me figure out
                                                          why or how to
                                                          fix it. I've
                                                          run the
                                                          command it
                                                          suggests but
                                                          it doesn't
                                                          help. I'm
                                                          unfortunately
                                                          not an ops guy
                                                          familiar with
                                                          this kind of
                                                          stuff; I don't
                                                          see anything
                                                          on how to
                                                          figure out
                                                          what to do
                                                          about it.<br>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Sep 11,
                                                          2017 at 2:17
                                                          PM, Yuri <span
                                                          dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It
                                                          tells you what's happening.<br>
                                                          <br>
                                                          <br>
                                                          11.09.2017
                                                          23:50, Rohit
                                                          Sodhia пишет:<br>
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387HOEnZb">
                                                          <div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387h5">>
                                                          (ssl_crtd):
                                                          Uninitialized
                                                          SSL
                                                          certificate
                                                          database
                                                          directory:<br>
                                                          >
                                                          /var/lib/ssl_db.
                                                          To initialize,
                                                          run "ssl_crtd
                                                          -c -s
                                                          /var/lib/ssl_db".<br>
                                                          <br>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <br>
______________________________<wbr>_________________<br>
                                                          squid-users
                                                          mailing list<br>
                                                          <a
                                                          href="mailto:squid-users@lists.squid-cache.org"
target="_blank" moz-do-not-send="true">squid-users@lists.squid-cache.<wbr>org</a><br>
                                                          <a
                                                          href="http://lists.squid-cache.org/listinfo/squid-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                      </div>
                                                      <br>
                                                    </div>
                                                  </blockquote>
                                                  <br>
                                                </div>
                                              </div>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
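    <p>Added example, not part of the original thread and not Squid's own tooling: the comparison the two <code>ls -al</code> listings make by eye (a root-owned database versus one owned by the account the helper runs as), written as a repeatable check. The function name <code>check_ssl_db</code> and the <code>MISSING</code>/<code>WRONG-OWNER</code> labels are hypothetical; the <code>certs</code>, <code>index.txt</code> and <code>size</code> layout is taken from the listings above.</p>

```shell
#!/bin/sh
# Added example: audit an ssl_crtd certificate database directory.
# Layout (certs/, index.txt, size) comes from the listings in the thread;
# the function name, labels and exit codes are this example's own.

# check_ssl_db DIR OWNER
#   OWNER is a user name or a numeric uid (the account the helper runs as).
#   Prints one line per finding.
#   Returns 0 if clean, 1 if anything is missing or wrongly owned, 2 on bad arguments.
check_ssl_db() {
    dir=$1
    owner=$2
    findings=0

    [ -n "$dir" ] && [ -n "$owner" ] || { echo "usage: check_ssl_db DIR OWNER"; return 2; }

    # Resolve a user name to a numeric uid; accept a numeric uid as given.
    case $owner in
        *[!0-9]*) uid=$(id -u "$owner" 2>/dev/null) || { echo "unknown user: $owner"; return 2; } ;;
        *)        uid=$owner ;;
    esac

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi

    # An initialized database has these three entries.
    [ -d "$dir/certs" ] || { echo "MISSING $dir/certs"; findings=1; }
    for f in index.txt size; do
        [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; findings=1; }
    done

    # Everything in the tree, including DIR itself, must belong to the helper's
    # account; a database created as root (second listing) is reported here.
    bad=$(find "$dir" ! -user "$uid" -print 2>/dev/null) || true
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WRONG-OWNER /'
        findings=1
    fi

    return $findings
}

# Stand-alone use, with the path and user from the thread:
#   sh check_ssl_db.sh /var/lib/ssl_db squid
if [ "$#" -eq 2 ]; then
    check_ssl_db "$1" "$2"
fi
```
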
  </body>
</html>