<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Alex,<div class="">Thanks for the help. Comments inline.</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 13, 2021, at 2:23 PM, Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" class="">rousskov@measurement-factory.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 1/13/21 4:33 PM, Greg Hulands wrote:<br class=""><br class=""><blockquote type="cite" class="">I am setting up squid 5.0.3 and during testing I have found some <br class="">websites fail to have their certificates generated correctly. I am<br class="">able to go to sites like <a href="http://YouTube.com" class="">YouTube.com</a> and have the certificates for<br class="">that be generated correctly, but when I try to go to some others,<br class="">like <a href="http://arstechnica.com" class="">arstechnica.com</a>, they fail to generate and return the CA cert<br class="">that squid is using to sign certificates with.<br class=""></blockquote><br class="">Just to double check: Are you sure that the certificate the client gets<br class="">is the configured CA certificate? For example, do the two certificates<br class="">have the same fingerprint?<br class=""></div></div></blockquote><div><br class=""></div><div>Yes, I verified it’s the same certificate - fingerprints are a match.</div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""><blockquote type="cite" class="">I turned the logging up on certificate stuff to 5 and have the cache log<br class="">from trying to make a request<br class="">here: <a href="https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb" class="">https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb</a><br class=""></blockquote><br class="">The posted snippet shows successful TLS negotiation with the origin<br class="">server (FD 23) and a subsequently failed negotiation with the client (FD<br class="">21). The latter may have failed because the client did not like the<br class="">certificate generated by Squid, but I did not check the exact failure<br class="">reason carefully.<br class=""><br class="">The snippet has no information about Squid sending the (generated)<br class="">certificates to the client, but Squid appears to receive some generated<br class="">certificate from the helper (crtGenRq3180846).<br class=""><br class="">* If you are sure that the client gets a wrong certificate from Squid,<br class="">then I recommend posting an ALL,9 log of the problematic transaction.<br class="">With some luck, we may be able to see what went wrong with certificate<br class="">generation (or virgin certificate validation??).<br class=""></div></div></blockquote><div><br class=""></div><div>I have put the ALL,9 log here <a href="https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914" class="">https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914</a></div><div><br class=""></div><div>I can see it generates the certificate correctly, but couldn’t identify why it didn’t return the cert to the client.</div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class="">* Otherwise, I recommend double checking what certificate the client<br class="">gets. If the client gets the correct generated certificate, then the<br class="">problem is not in certificate validation or generation.<br class=""><br class="">Posting the certificate that the client actually gets may help a lot<br class="">with the triage as well.<br class=""></div></div></blockquote><div><br class=""></div>The certificate that gets returned is in the logs as it’s the CA cert.</div><div><br class=""></div><div>Thanks,</div><div>Greg</div><div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""><br class="">HTH,<br class=""><br class="">Alex.<br class=""></div></div></blockquote></div><br class=""></div></body></html>