<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Well. Let's check more deeply.</p>
<p>Show me the sslcrtd_program parameter in your squid.conf<br>
</p>
<br>
<div class="moz-cite-prefix">12.09.2017 1:23, Rohit Sodhia wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAN1w9tcuVmZnQV+4aj=ZXD=rwBeOUUaHq7xOJkoGurGeq-=nwQ@mail.gmail.com">
<div dir="ltr">
<div>
<div>Unfortunately, no luck yet. Thank you again for your help
before.<br>
<br>
</div>
I found that the user squid and group squid existed already,
so I added<br>
<br>
cache_effective_user squid<br>
cache_effective_group squid<br>
<br>
</div>
to my config (first two lines), made sure /var/lib/ssl_db and
its contents were set to squid:squid and restarted the service,
but I'm still getting the same error :(<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at 2:42 PM, Rohit
Sodhia <span dir="ltr">&lt;<a
href="mailto:sodhia.rohit@gmail.com" target="_blank"
moz-do-not-send="true">sodhia.rohit@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I'll try that immediately, thanks! I
appreciate all your advice; hopefully I won't have to
reach out again :p<br>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11, 2017 at 2:39
PM, Yuri <span dir="ltr">&lt;<a
href="mailto:yvoinov@gmail.com" target="_blank"
moz-do-not-send="true">yvoinov@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>I'm not a Linux fanboy, but modern Squid never
runs as root. So, most probably it runs as the
nobody user.</p>
<p>Ah, yes:</p>
<p># TAG: cache_effective_user<br>
# If you start Squid as root, it will
change its effective/real<br>
# UID/GID to the user specified below. The
default is to change<br>
# to UID of nobody.<br>
# see also; cache_effective_group<br>
#Default:<br>
# cache_effective_user nobody<br>
<br>
# TAG: cache_effective_group<br>
# Squid sets the GID to the effective
user's default group ID<br>
# (taken from the password file) and
supplementary group list<br>
# from the groups membership.<br>
#<br>
# If you want Squid to run with a specific
GID regardless of<br>
# the group memberships of the effective
user then set this<br>
# to the group (or GID) you want Squid to
run as. When set<br>
# all other group privileges of the
effective user are ignored<br>
# and only this GID is effective. If Squid
is not started as<br>
# root the user starting Squid MUST be
member of the specified<br>
# group.<br>
#<br>
# This option is not recommended by the
Squid Team.<br>
# Our preference is for administrators to
configure a secure<br>
# user account for squid with UID/GID
matching system policies.<br>
#Default:<br>
# Use system group memberships of the
cache_effective_user account<br>
</p>
<p>As documented. :)</p>
<p>AFAIK the best solution is to create a non-privileged
group &amp; user (like squid/squid) and set
both of these parameters explicitly.</p>
<p>Then change the owner recursively on the SSL cache to
this user.<br>
</p>
<br>
<div
class="m_-1180743849463029590m_79739255208442972moz-cite-prefix">12.09.2017
0:36, Rohit Sodhia wrote:<br>
</div>
<div>
<div class="m_-1180743849463029590h5">
<blockquote type="cite">
<div dir="ltr">Neither of those values are
set in my config. Even though I'm not
using squid for caching, I need those
values? They aren't set in the default
configs either.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 11,
2017 at 2:33 PM, Yuri <span dir="ltr">&lt;<a
href="mailto:yvoinov@gmail.com"
target="_blank"
moz-do-not-send="true">yvoinov@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<p>Most probably your Squid runs as
a user other than squid.</p>
<p>Check your squid.conf for
cache_effective_user and
cache_effective_group values.</p>
<p>Then change the SSL cache
permissions to these values.
Should work.<br>
</p>
<br>
<div
class="m_-1180743849463029590m_79739255208442972m_7407759860043048659moz-cite-prefix">12.09.2017
0:30, Rohit Sodhia wrote:<br>
</div>
<div>
<div
class="m_-1180743849463029590m_79739255208442972h5">
<blockquote type="cite">
<div dir="ltr">
<div>Thanks for the
feedback! I just used
yum (it's a CentOS 7 VB)
and it set it up like
that. I changed the
owner and group to
squid:squid and tried
restarting squid, but
still get the same
errors. I thought to run
the command again, but
this time it says<br>
<br>
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db<br>
<br>
</div>
If this folder has
incorrect permissions are
there possibly other
permission issues?<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 11, 2017 at
2:25 PM, Yuri <span
dir="ltr">&lt;<a
href="mailto:yvoinov@gmail.com"
target="_blank"
moz-do-not-send="true">yvoinov@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<p>Here is the root of your
problem.</p>
<p>Should be (on my
setups):</p>
<p># ls -al
/var/lib/ssl_db<br>
total 326<br>
drwxr-xr-x 3 squid
squid 5 Sep
5 00:53 .<br>
drwxr-xr-x 8 root
other 8 Sep
5 00:53 ..<br>
drwxr-xr-x 2 squid
squid 454 Sep
11 23:37 certs<br>
-rw-r--r-- 1 squid
squid 280575 Sep
11 23:37 index.txt<br>
-rw-r--r-- 1 squid
squid 7 Sep
11 23:37 size<br>
</p>
<p>I.e. Squid has no
access to SSL
cache dir
structures. <br>
</p>
<br>
<div
class="m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566moz-cite-prefix">12.09.2017
0:23, Rohit Sodhia
wrote:<br>
</div>
<div>
<div
class="m_-1180743849463029590m_79739255208442972m_7407759860043048659h5">
<blockquote
type="cite">
<div dir="ltr">total
8<br>
drwxr-xr-x. 3
root root 48
Sep 11 12:42 .<br>
drwxr-xr-x. 32
root root 4096
Sep 11 12:42
..<br>
drwxr-xr-x. 2
root root 6
Sep 11 12:42
certs<br>
-rw-r--r--. 1
root root 0
Sep 11 12:42
index.txt<br>
-rw-r--r--. 1
root root 1
Sep 11 12:42
size<br>
<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:22
PM, Yuri <span
dir="ltr">&lt;<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF">
<p>Show output
of <br>
</p>
<p>ls -al
/var/lib/ssl_db</p>
<br>
<div
class="m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387moz-cite-prefix">12.09.2017
0:21, Rohit
Sodhia wrote:<br>
</div>
<div>
<div
class="m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566h5">
<blockquote
type="cite">
<div dir="ltr">Yes,
but telling me
it's crashing
unfortunately
doesn't help
me figure out
why or how to
fix it. I've
run the
command it
suggests but
it doesn't
help. I'm
unfortunately
not an ops guy
familiar with
this kind of
stuff; I don't
see anything
on how to
figure out
what to do
about it.<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Sep 11,
2017 at 2:17
PM, Yuri <span
dir="ltr">&lt;<a
href="mailto:yvoinov@gmail.com" target="_blank" moz-do-not-send="true">yvoinov@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It
tells you
what's
happening.<br>
<br>
<br>
11.09.2017
23:50, Rohit
Sodhia wrote:<br>
<div
class="m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387HOEnZb">
<div
class="m_-1180743849463029590m_79739255208442972m_7407759860043048659m_8619755247267626566m_551260681713239387h5">>
(ssl_crtd):
Uninitialized
SSL
certificate
database
directory:<br>
>
/var/lib/ssl_db.
To initialize,
run "ssl_crtd
-c -s
/var/lib/ssl_db".<br>
<br>
<br>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
squid-users
mailing list<br>
<a
href="mailto:squid-users@lists.squid-cache.org"
target="_blank" moz-do-not-send="true">squid-users@lists.squid-cache.<wbr>org</a><br>
<a
href="http://lists.squid-cache.org/listinfo/squid-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
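<p>The ownership check worked through in this thread, as an added shell example that is not part of the original messages and is not Squid project code. It reads cache_effective_user from squid.conf (falling back to nobody, the default quoted above) and lists every path under the ssl_crtd database that this user does not own. The function names are hypothetical, and it assumes the last occurrence of a directive in squid.conf is the effective one.</p>

```shell
#!/bin/sh
# Added example: compare the owner of the ssl_crtd database with the
# account Squid drops to. Function names here are hypothetical.

# conf_value CONF DIRECTIVE DEFAULT
# Print the value of a squid.conf directive, or DEFAULT when it is unset.
# Commented-out lines such as "# cache_effective_user nobody" are ignored
# because their first field is "#". Assumption: the last occurrence wins.
conf_value() {
    awk -v key="$2" -v def="$3" '
        $1 == key { val = $2 }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# not_owned_by DIR UID
# List every path under DIR (DIR included) whose owner is not UID.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# check_ssl_db CONF DIR
# Return 0 if the whole database tree belongs to Squid's effective user,
# 1 if some path does not, 2 if the configured account does not exist.
check_ssl_db() {
    user=$(conf_value "$1" cache_effective_user nobody)
    uid=$(id -u "$user") || return 2
    bad=$(not_owned_by "$2" "$uid")
    if [ -n "$bad" ]; then
        echo "not owned by $user (uid $uid):"
        echo "$bad"
        return 1
    fi
    echo "OK: $2 is owned by $user"
}

# Example: sh check_ssl_db.sh /etc/squid/squid.conf /var/lib/ssl_db
if [ $# -eq 2 ]; then
    check_ssl_db "$1" "$2"
fi
```

<p>On the listing posted earlier in the thread (everything root:root) this reports all five entries; after a recursive chown to the effective user it reports OK.</p>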
</body>
</html>