<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div>We are using Squid for both HTTP and HTTPS whitelisting for egress. Most of the whitelisting works fine, but some specific ones do not work.</div>
<div>We have tried this on these versions of Squid: 3.5 (Amazon Linux 2), 4.1 (CentOS 7) and 4.4 (CentOS 8).<br>
</div>
<div>For instance, when running yum update for Red Hat Linux in AWS from a server using Squid for egress, it fails:</div>
<div><br>
</div>
<div><span>ec2-user]# yum update -v<br>
</span>
<div><b><span style="color: rgb(200, 38, 19);">Failed to set locale, defaulting to C</span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">Loaded plugins: AmazonID, builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, repoclosure, repodiff, repograph, repomanage, reposync,
uploadprofile</span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">DNF version: 4.0.9</span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">cachedir: /var/cache/dnf</span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">repo: downloading from remote: rhui-client-config-server-8</span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os [SSL certificate
problem: self signed certificate in certificate chain] (https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os).</span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">Red Hat Update Infrastructure 3 Client Configuration Server 8 0.0 B/s | 0 B 00:01 </span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">Cannot download 'https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated
with given CA certificates for https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os [SSL certificate problem: self signed certificate in certificate chain].</span><br>
</b></div>
<div><b><span style="color: rgb(200, 38, 19);">Error: Failed to synchronize cache for repo 'rhui-client-config-server-8'</span></b></div>
<div><span style="color: rgb(200, 38, 19);"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0);">If I run curl against this URL:</span></div>
<div><span style="color: rgb(0, 0, 0);"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0);"><span>ec2-user]# curl -v https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os<br>
</span>
<div><b><span style="color: rgb(179, 106, 226);">* Trying 13.53.105.186...</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* TCP_NODELAY set</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* Connected to rhui3.eu-north-1.aws.ce.redhat.com (13.53.105.186) port 443 (#0)</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* ALPN, offering h2</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* ALPN, offering http/1.1</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* successfully set certificate verify locations:</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* CAfile: /etc/pki/tls/certs/ca-bundle.crt</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);"> CApath: none</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* TLSv1.3 (OUT), TLS handshake, Client hello (1):</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* TLSv1.3 (IN), TLS handshake, Server hello (2):</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* TLSv1.2 (IN), TLS handshake, Certificate (11):</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* TLSv1.2 (OUT), TLS alert, unknown CA (560):</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* SSL certificate problem: self signed certificate in certificate chain</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">* Closing connection 0</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">curl: (60) SSL certificate problem: self signed certificate in certificate chain</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">More details here: https://curl.haxx.se/docs/sslcerts.html</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">curl failed to verify the legitimacy of the server and therefore could not</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">establish a secure connection to it. To learn more about this situation and</span><br>
</b></div>
<div><b><span style="color: rgb(179, 106, 226);">how to fix it, please visit the web page mentioned above.</span></b></div>
<div><b><span style="color: rgb(179, 106, 226);"><br>
</span></b></div>
<div>Curl against https://www.redhat.com works fine.<b><span style="color: rgb(179, 106, 226);"><br>
</span></b></div>
<div><b><span style="color: rgb(179, 106, 226);"><br>
</span></b></div>
<div><b><span style="color: rgb(179, 106, 226);"><span style="color: rgb(12, 100, 192);">ec2-user]# curl -v https://www.redhat.com</span><span><br>
</span>
<div><span style="color: rgb(12, 100, 192);">* Rebuilt URL to: https://www.redhat.com/</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Trying 23.52.28.149...</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TCP_NODELAY set</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Connected to www.redhat.com (23.52.28.149) port 443 (#0)</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* ALPN, offering h2</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* ALPN, offering http/1.1</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* successfully set certificate verify locations:</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* CAfile: /etc/pki/tls/certs/ca-bundle.crt</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);"> CApath: none</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.3 (OUT), TLS handshake, Client hello (1):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.3 (IN), TLS handshake, Server hello (2):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.2 (IN), TLS handshake, Certificate (11):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.2 (IN), TLS handshake, Server key exchange (12):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.2 (IN), TLS handshake, Server finished (14):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.2 (OUT), TLS handshake, Finished (20):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* TLSv1.2 (IN), TLS handshake, Finished (20):</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* ALPN, server accepted to use h2</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Server certificate:</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=2945436; C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; OU=IT; CN=www.redhat.com</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* start date: Mar 21 00:00:00 2018 GMT</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* expire date: Mar 20 12:00:00 2020 GMT</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* subjectAltName: host "www.redhat.com" matched cert's "www.redhat.com"</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* SSL certificate verify ok.</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Using HTTP2, server supports multi-use</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Connection state changed (HTTP/2 confirmed)</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Using Stream ID: 1 (easy handle 0x56153e589630)</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">> GET / HTTP/2</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">> Host: www.redhat.com</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">> User-Agent: curl/7.61.1</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">> Accept: */*</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">> </span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">< HTTP/2 301 </span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">< server: AkamaiGHost</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">< content-length: 0</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">< location: https://www.redhat.com/en</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">< date: Thu, 21 Nov 2019 08:47:55 GMT</span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">< </span><br>
</div>
<div><span style="color: rgb(12, 100, 192);">* Connection #0 to host www.redhat.com left intact</span><br>
</div>
<br>
</span></b></div>
<div><b><span style="color: rgb(0, 0, 0);"></span></b>My squid.conf looks like this:</div>
<div><br>
</div>
<div><b><span style="color: rgb(12, 136, 42);">visible_hostname localhost</span><span><br>
</span></b>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);"># Handling HTTP requests</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">http_port 3128</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">http_port 3129 intercept</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl allowed_http_sites dstdomain .microsoft.com</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl allowed_http_sites dstdomain .google.com</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl allowed_http_sites dstdomain .redhat.com</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">http_access allow allowed_http_sites</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);"># Handling HTTPS requests</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl SSL_port port 443</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">http_access allow SSL_port</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl allowed_https_sites ssl::server_name .microsoft.com</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl allowed_https_sites ssl::server_name .google.com</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl allowed_https_sites ssl::server_name .redhat.com</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl step1 at_step SslBump1</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl step2 at_step SslBump2</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">acl step3 at_step SslBump3</span><br>
</b></div>
<div><b><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">ssl_bump peek step1 all</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">ssl_bump peek step2 allowed_https_sites</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">ssl_bump splice step3 allowed_https_sites</span><br>
</b></div>
<div><b><span style="color: rgb(12, 136, 42);">ssl_bump terminate</span><br>
</b></div>
<div><b><br>
</b></div>
<b><span style="color: rgb(12, 136, 42);">http_access deny all</span></b><br>
</div>
<span></span><br>
</span></div>
<div><span style="color: rgb(0, 0, 0);"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0);"><b>I assume this is related to there being no certificate for this subdomain, or something similar? Is there a way to ignore this for ".redhat.com" or get yum update to work anyway?</b><br>
</span></div>
<div><span style="color: rgb(0, 0, 0);"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0);">// Nick<br>
</span></div>
</div>
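<div>Added example, not part of Nick's post or of the Squid project: the curl trace above shows the client itself rejecting the chain (verify locations set to /etc/pki/tls/certs/ca-bundle.crt, then an outgoing "unknown CA" alert straight after the Certificate message), and "self signed certificate in certificate chain" is OpenSSL's wording for a chain that could be built up to a self-signed root which is not in the trust store. The symptom is the same whether that root belongs to a private CA the origin legitimately uses or to a proxy CA (with generate-host-certificates=on, a bumped connection presents a chain rooted in squid.pem). The script below reproduces the error offline with a throwaway private CA and shows that pinning that CA, rather than switching verification off, makes the chain validate. The CA names, the hostname and the file names are assumptions for the demo; it needs only openssl and a POSIX shell.</div>

```shell
#!/bin/sh
# Added example (not from the original post or the Squid project): reproduce
# curl/yum error 60 "self signed certificate in certificate chain" offline with
# a throwaway private CA, then show that trusting that CA explicitly, rather
# than turning verification off, makes the chain validate.
# CA names, hostname and file names are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain HOST: build the assumed private root "Demo Private Repo CA", a leaf
# certificate for HOST signed by it, and chain.pem in the order a server sends
# it (leaf, then root). other-root.pem is an unrelated root that stands in for
# a system bundle which does not contain the private CA.
make_chain() {
    host=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo Private Repo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo Other Root CA" \
        -keyout "$WORK/other-root.key" -out "$WORK/other-root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# verify_reason BUNDLE: validate the leaf against the trust store BUNDLE, feeding
# the presented chain as untrusted input the way a TLS client does. Prints "ok"
# when the chain anchors in BUNDLE, otherwise OpenSSL's reason text, e.g.
# "self signed certificate in certificate chain" (OpenSSL 3 spells it
# "self-signed").
verify_reason() {
    bundle=$1
    if out=$(openssl verify -CAfile "$bundle" -untrusted "$WORK/chain.pem" \
            "$WORK/leaf.pem" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" \
            | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

make_chain repo.example.internal   # assumed repository hostname
echo "system bundle, private CA absent:  $(verify_reason "$WORK/other-root.pem")"
echo "bundle with the private CA pinned: $(verify_reason "$WORK/ca.pem")"
```

<div>To see which chain a client actually receives through the proxy, capture it with openssl s_client -connect host:443 -servername host -showcerts and compare the issuer of the last certificate with the roots in the bundle. If that root is a CA the client should trust for this repository only, hand it to the client explicitly (curl --cacert, or sslcacert= in the repo file for yum/dnf); curl -k and sslverify=0 remove the authentication of the repository altogether and are not a fix.</div>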
</body>
</html>