<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Everything happens once for the first time;)<br>
</p>
<br>
<div class="moz-cite-prefix">12.09.2017 2:18, Rohit Sodhia wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAN1w9tfQt3Mivwpyo+u3Qp0agQ8pOgz2MGo2Wvb5AdGU3zbkjw@mail.gmail.com">
<div dir="ltr">Ok. Looks like 3.5.20 is the latest on the yum repo
I'm using, so I guess I'll have to learn how to compile it myself;
never compiled a package before.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at 4:17 PM, Yuri <span
dir="ltr"><<a href="mailto:yvoinov@gmail.com"
target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hardly,<br>
<br>
most probably something in the repo's package. However, an
upgrade is always recommended, especially with modern
functionality. It changes fast enough.<br>
<br>
<div class="m_-469225490075285610moz-cite-prefix">12.09.2017
2:15, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">Ah. I'm on 3.5.20; not sure how far
back that is. Is that the core of the problem?<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at
4:07 PM, Yuri <span dir="ltr"><<a
href="mailto:yvoinov@gmail.com"
target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Seems the latest 4.0.21 is good enough. Most
critical SSL-related bugs are almost closed or
closed.</p>
<p>At least the latest 3.5.27 is released. AFAIK
this is the minimum for problem-free running.</p>
<p>Repository software sometimes has
strange quirks, or is sometimes rancid.<br>
</p>
12.09.2017 2:05, Rohit Sodhia wrote:
<div>
<div class="m_-469225490075285610h5"><br>
<blockquote type="cite">
<div dir="ltr">I'll try to find it,
but I read a few articles/SO
questions that suggested there were
bugs in 4 relating to SSL bumping?
If they were wrong, I'd be glad to
go forward. Should I be removing the
yum squid package and compile my
own? Is 3.5 problematic besides
being old?<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon,
Sep 11, 2017 at 4:02 PM, Yuri
<span dir="ltr"><<a
href="mailto:yvoinov@gmail.com"
target="_blank"
moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<p>Wait. Squid 3.5.20? So
ancient?<br>
</p>
<br>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004moz-cite-prefix">12.09.2017
1:58, Rohit Sodhia
wrote:<br>
</div>
<div>
<div
class="m_-469225490075285610m_-2418983803487464905h5">
<blockquote
type="cite">
<div dir="ltr">
<div>
<div>sslcrtd_program
/usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
</div>
<br>
</div>
I used the line
from the Stack
Overflow question
I linked earlier.<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 3:41 PM,
Yuri <span
dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF">
<p>Well. Let's
check more
deeply.</p>
<p>Show me
the sslcrtd_program
parameter in your
squid.conf<br>
</p>
<br>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700moz-cite-prefix">12.09.2017
1:23, Rohit
Sodhia wrote:<br>
</div>
<div>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004h5">
<blockquote
type="cite">
<div dir="ltr">
<div>
<div>Unfortunately,
no luck yet.
Thank you
again for your
help before.<br>
<br>
</div>
I found that
the user squid
and group
squid existed
already, so I
added<br>
<br>
cache_effective_user squid<br>
cache_effective_group squid<br>
<br>
</div>
to my config
(first two
lines), made
sure
/var/lib/ssl_db
and its
contents were
set to
squid:squid
and restarted
the service,
but I'm still
getting the
same error :(<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:42
PM, Rohit
Sodhia <span
dir="ltr"><<a
href="mailto:sodhia.rohit@gmail.com" target="_blank"
moz-do-not-send="true">sodhia.rohit@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I'll
try that
immediately,
thanks! I
appreciate all
your advice;
hopefully I
won't have to
reach out
again :p<br>
</div>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700HOEnZb">
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700h5">
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:39
PM, Yuri <span
dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF">
<p>I'm not a
Linux fanboy,
but modern
squid never
runs as root.
So, most
probably it
runs as nobody
user.</p>
<p>Ah, yes:</p>
<p># TAG:
cache_effective_user<br>
# If you
start Squid as
root, it will
change its
effective/real<br>
# UID/GID
to the user
specified
below. The
default is to
change<br>
# to UID of
nobody.<br>
# see also;
cache_effective_group<br>
#Default:<br>
#
cache_effective_user
nobody<br>
<br>
# TAG:
cache_effective_group<br>
# Squid
sets the GID
to the
effective
user's default
group ID<br>
# (taken
from the
password file)
and
supplementary
group list<br>
# from the
groups
membership.<br>
#<br>
# If you
want Squid to
run with a
specific GID
regardless of<br>
# the group
memberships of
the effective
user then set
this<br>
# to the
group (or GID)
you want Squid
to run as.
When set<br>
# all other
group
privileges of
the effective
user are
ignored<br>
# and only
this GID is
effective. If
Squid is not
started as<br>
# root the
user starting
Squid MUST be
member of the
specified<br>
# group.<br>
#<br>
# This
option is not
recommended by
the Squid
Team.<br>
# Our
preference is
for
administrators
to configure a
secure<br>
# user
account for
squid with
UID/GID
matching
system
policies.<br>
#Default:<br>
# Use system
group
memberships of
the
cache_effective_user
account<br>
</p>
<p>As
documented. :)</p>
<p>AFAIK the best
solution is to
create a
non-privileged
group &amp;
user (like
squid/squid)
and set both
of these
parameters
explicitly.</p>
<p>Then change
the owner
recursively on
the SSL cache to
this user.<br>
</p>
<br>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972moz-cite-prefix">12.09.2017
0:36, Rohit
Sodhia wrote:<br>
</div>
<div>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590h5">
<blockquote
type="cite">
<div dir="ltr">Neither
of those
values is set
in my config.
Even though
I'm not using
squid for
caching, I
need those
values? They
aren't set in
the default
configs
either.<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:33
PM, Yuri <span
dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF">
<p>Most
probably your
squid runs as
another user
than squid.</p>
<p>Check your
squid.conf for
cache_effective_user and cache_effective_group values.</p>
<p>Then change
SSL cache
permissions to
these values.
Should work.<br>
</p>
<br>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659moz-cite-prefix">12.09.2017
0:30, Rohit
Sodhia wrote:<br>
</div>
<div>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972h5">
<blockquote
type="cite">
<div dir="ltr">
<div>Thanks
for the
feedback! I
just used yum
(it's a CentOS
7 VB) and it
set it up like
that. I
changed the
owner and
group to
squid:squid
and tried
restarting
squid, but
still get the
same errors. I
thought to run
the command
again, but
this time it
says<br>
<br>
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db<br>
<br>
</div>
If this folder
has incorrect
permissions
are there
possibly other
permission
issues?<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:25
PM, Yuri <span
dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF">
<p>Here is the
root of your
problem.</p>
<p>Should be
(on my
setups):</p>
<p># ls -al
/var/lib/ssl_db<br>
total 326<br>
drwxr-xr-x 3
squid
squid 5
Sep 5 00:53 .<br>
drwxr-xr-x 8
root
other 8
Sep 5 00:53
..<br>
drwxr-xr-x 2
squid squid
454 Sep 11
23:37 certs<br>
-rw-r--r-- 1
squid squid
280575 Sep 11
23:37
index.txt<br>
-rw-r--r-- 1
squid
squid 7
Sep 11 23:37
size<br>
</p>
<p>I.e. Squid
has no access
to SSL cache
dir
structures. <br>
</p>
<br>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566moz-cite-prefix">12.09.2017
0:23, Rohit
Sodhia wrote:<br>
</div>
<div>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659h5">
<blockquote
type="cite">
<div dir="ltr">total
8<br>
drwxr-xr-x. 3
root root 48
Sep 11 12:42 .<br>
drwxr-xr-x. 32
root root 4096
Sep 11 12:42
..<br>
drwxr-xr-x. 2
root root 6
Sep 11 12:42
certs<br>
-rw-r--r--. 1
root root 0
Sep 11 12:42
index.txt<br>
-rw-r--r--. 1
root root 1
Sep 11 12:42
size<br>
<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:22
PM, Yuri <span
dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF">
<p>Show output
of <br>
</p>
<p>ls -al
/var/lib/ssl_db</p>
<br>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387moz-cite-prefix">12.09.2017
0:21, Rohit
Sodhia wrote:<br>
</div>
<div>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566h5">
<blockquote
type="cite">
<div dir="ltr">Yes,
but telling me
it's crashing
unfortunately
doesn't help
me figure out
why or how to
fix it. I've
run the
command it
suggests but
it doesn't
help. I'm
unfortunately
not an ops guy
familiar with
this kind of
stuff; I don't
see anything
on how to
figure out
what to do
about it.<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:17
PM, Yuri <span
dir="ltr"><<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It
tells you
what
happens.<br>
<br>
<br>
11.09.2017
23:50, Rohit
Sodhia wrote:<br>
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387HOEnZb">
<div
class="m_-469225490075285610m_-2418983803487464905m_-6916847273826587004m_478221293728653700m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387h5">>
(ssl_crtd):
Uninitialized
SSL
certificate
database
directory:<br>
>
/var/lib/ssl_db.
To initialize,
run "ssl_crtd
-c -s
/var/lib/ssl_db".<br>
<br>
<br>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
squid-users
mailing list<br>
<a
href="mailto:squid-users@lists.squid-cache.org"
target="_blank" moz-do-not-send="true">squid-users@lists.squid-cache.<wbr>org</a><br>
<a
href="http://lists.squid-cache.org/listinfo/squid-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
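<p>The remedy Yuri works through in the thread above (a dedicated unprivileged squid user and group, cache_effective_user and cache_effective_group set explicitly, the ssl_crtd certificate database initialized and then chowned recursively, and the tree re-checked the way the two ls -al listings were compared) as one script. This is an added example, not code from the thread or from the Squid project. The helper path /usr/lib64/squid/ssl_crtd, the database path /var/lib/ssl_db and the 4MB size are taken from the sslcrtd_program line quoted in the thread; the function names, the exit-code convention and the BSD stat fallback are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Audits and repairs ownership of Squid's ssl_crtd certificate database so
# that it matches cache_effective_user/cache_effective_group.
# Assumptions: helper at /usr/lib64/squid/ssl_crtd, database at
# /var/lib/ssl_db and size 4MB, all taken from the sslcrtd_program line
# quoted in the thread; function names and the BSD stat fallback are mine.

# Print "owner:group" of one path (GNU stat, then BSD stat as fallback).
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# check_ssl_db_owner DIR USER:GROUP
# Recursively compares every entry under DIR with the expected owner:group,
# the check that would have flagged the root:root listing in the thread.
# Returns 0 when all entries match, 1 when some do not, 2 when DIR is absent
# (the "Uninitialized SSL certificate database directory" case).
check_ssl_db_owner() {
    dir=$1
    want=$2
    if [ ! -d "$dir" ]; then
        echo "ssl_db missing: $dir (create it with ssl_crtd -c -s $dir)" >&2
        return 2
    fi
    # find hands batches of paths to an inline sh; $1 is the expected owner.
    bad=$(find "$dir" -exec sh -c '
        want=$1; shift
        for p; do
            have=$(stat -c "%U:%G" "$p" 2>/dev/null || stat -f "%Su:%Sg" "$p")
            [ "$have" = "$want" ] || printf "%s\t%s\n" "$have" "$p"
        done' sh "$want" {} +)
    [ -z "$bad" ] && return 0
    printf 'entries not owned by %s (owner:group, tab, path):\n%s\n' "$want" "$bad" >&2
    return 1
}

# fix_ssl_db DIR USER GROUP [SIZE] [HELPER]   (run as root)
# The remedy from the thread: make sure an unprivileged account exists,
# initialize the database only if it is missing, then chown the whole tree
# to that account and re-verify. Running "ssl_crtd -c" as root is what
# produced the root-owned tree in the thread, which is why chown follows it.
fix_ssl_db() {
    dir=$1; user=$2; group=$3
    size=${4:-4MB}                            # must equal -M in sslcrtd_program
    helper=${5:-/usr/lib64/squid/ssl_crtd}    # assumed path, as in the thread
    getent group "$group" >/dev/null 2>&1 || groupadd -r "$group"
    id "$user" >/dev/null 2>&1 || useradd -r -g "$group" -s /sbin/nologin "$user"
    [ -d "$dir" ] || "$helper" -c -s "$dir" -M "$size"
    chown -R "$user:$group" "$dir"
    check_ssl_db_owner "$dir" "$user:$group"
}

# Usage (as root), after putting these two lines in squid.conf:
#   cache_effective_user squid
#   cache_effective_group squid
# and matching the -s/-M values of sslcrtd_program:
#   fix_ssl_db /var/lib/ssl_db squid squid && systemctl restart squid
```

<p>The DIR passed here must be the same path given to -s in sslcrtd_program, and the size must equal its -M value; the check function on its own is safe to run as any user that can read the directory, while fix_ssl_db needs root because of useradd and chown.</p>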
<br>
</body>
</html>