<div dir="ltr"><div class="gmail-iw gmail-ajw"><span class="gmail-hb"><span name="Ralf.Hildebrandt" class="gmail-g2">Ralf.Hildebrandt wrote </span></span>to <b>Bud Miljkovic</b> <<a href="mailto:bud_miljkovic@trimble.com" target="_blank">bud_miljkovic@trimble.com</a>>:<br>
<br>
> # Intercept transparent HTTPS traffic<br>
> https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem<br>
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
> ssl_bump splice all<br>
> sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
<br>
^ I think the portion above is relevant for this error<br>
<br>
> 2023/09/29 15:02:52| helperOpenServers: Starting 5/32 'ssl_crtd' processes<br>
...<br>
> 2023/09/29 15:02:52| Accepting NAT intercepted SSL bumped HTTPS
Socket connections at local=[::]:3129 remote=[::] FD 29 flags=41<br>
> 2023/09/29 15:02:52| WARNING: ssl_crtd #Hlpr1 exited<br>
> 2023/09/29 15:02:52| Too few ssl_crtd processes are running (need 1/32)<br>
> 2023/09/29 15:02:52| Closing HTTP port [::]:3128<br>
> 2023/09/29 15:02:52| Closing HTTPS port [::]:3129<br>
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!<br>
<br>
I assume the "sslcrtd_program" (set to "/usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB")<br>
is indeed not starting up (or crashing immediately after).<br>
<br><div>
* What does "dmesg" report? <b>>>> </b><i>Could not get anything relevant!</i><br></div><div><br></div>
* What happens if you invoke "/usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB"<br><div>
by hand (as the squid user, I guess)</div><div><b>>>> </b>(1) Executing manually: </div><div style="margin-left:40px">r2:/# /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>/usr/libexec/ssl_crtd:
Uninitialized SSL certificate database directory: /var/lib/ssl_db. To
initialize, run "ssl_crtd -c -s /var/lib/ssl_db".</div><div>
<i>Where:</i></div><div style="margin-left:40px">r2:/# ls -l /usr/libexec/ssl_crtd <br>-rwxr-xr-x 1 root root 63884 Sep 27 23:06 /usr/libexec/ssl_crtd</div><div style="margin-left:40px"><br></div><div><div>
<i>I do not quite get "To initialize, run "ssl_crtd -c -s /var/lib/ssl_db":?<br></i></div><div><i>I am executing all this manually as the root user.<br></i></div><div><i>When I do:</i></div><div style="margin-left:40px">r2:/# cd /usr/libexec/<br>r2:/usr/libexec# ls -l ssl_crtd <br>-rwxr-xr-x 1 root root 63884 Sep 27 23:06 ssl_crtd</div><i>However, when I try to run this:</i></div><div style="margin-left:40px">r2:/usr/libexec# ssl_crtd -c -s /var/lib/ssl_db<br>-sh: ssl_crtd: command not found <b>>>></b> <i>?!</i><br></div><div><i>I.e. ssl_crtd is not executable from its directory and it is owned by the root<br></i></div><div><i>This is very confusing to me?!</i></div><div><i><br></i></div><div><i>Also, with another level of debugging it can be seen that:</i></div><div>```<br>........<br>2023/09/30 14:16:31.899| Initializing https_port [::]:3129 SSL context<br>2023/09/30 14:16:31.899| Using certificate in /etc/squid/ssl_cert/myCA.pem<br>2023/09/30
14:16:31.905| 83,5| 25/src/ssl/support.cc(1962)
readSslX509CertificatesChain: Certificate is self-signed, will not be
chained<br>2023/09/30 14:16:31.962| 83,5| 25/src/ssl/support.cc(1628) contextMethod: Using SSLv2/SSLv3.<br>2023/09/30 14:16:31.964| 83,9| 25/src/ssl/support.cc(903) configureSslContext: Setting RSA key generation callback.<br>2023/09/30 14:16:31.965| 83,9| 25/src/ssl/support.cc(916) configureSslContext: Setting CA certificate locations.<br>2023/09/30 14:16:31.966| 83,9| 25/src/ssl/support.cc(965) configureSslContext: Not requiring any client certificates<br>2023/09/30 14:16:31.967| 21,3| src/tools.cc(543) leave_suid: leave_suid: PID 3917 called<br>2023/09/30
14:16:31.968| 21,3| src/tools.cc(565) leave_suid: leave_suid: PID 3917
giving up root, becoming 'squid' <<<< <b>CHANGE OF USER NAME to SQUID</b><br>2023/09/30 14:16:31.970| 0,9| src/debug.cc(408) parseOptions: command-line -X overrides: ALL,1<br>2023/09/30 14:16:31.983| Current Directory is /<br>2023/09/30 14:16:31.985| Starting Squid Cache version 3.5.25 for arm-poky-linux-gnueabi...<br>2023/09/30 14:16:31.985| Service Name: squid<br>2023/09/30 14:16:31.985| Process ID 3917<br>2023/09/30 14:16:31.985| Process Roles: master worker<br>2023/09/30 14:16:31.985| With 1024 file descriptors available<br><br>2023/09/30 14:16:31.985| Initializing IP Cache...<br>2023/09/30 14:16:31.993| DNS Socket created at [::], FD 8<br>2023/09/30 14:16:31.994| DNS Socket created at 0.0.0.0, FD 9<br>2023/09/30 14:16:31.995| Adding nameserver 127.0.0.1 from /etc/resolv.conf<br>2023/09/30 14:16:31.997| helperOpenServers: Starting 5/32 'ssl_crtd' processes<br>2023/09/30 14:16:32.175| Logfile: opening log daemon:/var/log/squid/access.log<br>2023/09/30 14:16:32.176| Logfile Daemon: opening log /var/log/squid/access.log<br>2023/09/30 14:16:32.457| Unlinkd pipe opened on FD 26<br>2023/09/30 14:16:32.470| Store logging disabled<br>2023/09/30 14:16:32.471| Swap maxSize 102400 + 262144 KB, estimated 28041 objects<br>2023/09/30 14:16:32.471| Target number of buckets: 1402<br>2023/09/30 14:16:32.471| Using 8192 Store buckets<br>2023/09/30 14:16:32.471| Max Mem size: 262144 KB<br>2023/09/30 14:16:32.471| Max Swap size: 102400 KB<br>2023/09/30 14:16:32.477| Rebuilding storage in /var/volatile/log/squid/logs (no log)<br>2023/09/30 14:16:32.478| Using Least Load store dir selection<br>2023/09/30 14:16:32.480| Current Directory is /<br>2023/09/30 14:16:33.121| Finished loading MIME types and icons.<br>2023/09/30 14:16:33.126| HTCP Disabled.<br>2023/09/30 14:16:33.131| Squid plugin modules loaded: 0<br>2023/09/30 14:16:33.132| Adaptation support is off.<br>2023/09/30 14:16:33.136| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 28 flags=9<br>2023/09/30
14:16:33.138| Accepting NAT intercepted SSL bumped HTTPS Socket
connections at local=[::]:3129 remote=[::] FD 29 flags=41<br><br>2023/09/30 14:16:33.197| WARNING: ssl_crtd #Hlpr1 exited<br>2023/09/30 14:16:33.197| Too few ssl_crtd processes are running (need 1/32)<br>2023/09/30 14:16:33.197| Closing HTTP port [::]:3128<br>2023/09/30 14:16:33.201| Closing HTTPS port [::]:3129<br>FATAL: The ssl_crtd helpers are crashing too rapidly, need help!</div><div><br></div><div><i>Can you shed some light on all this?<br></i></div><div><div><div style="margin-left:40px"><i><br></i></div><div><i>Buda</i></div> <br><div><div dir="ltr" class="gmail_signature"><div dir="ltr">11-17 Birmingham Drive, Christchurch, Canterbury, 8024<br>New Zealand<br>+64 3 963-5550 Direct<br>+64 21 419-024 Mobile<br><br><a href="http://www.trimble.com" target="_blank">www.trimble.com</a><br></div></div></div></div></div></div><div class="gmail-iw gmail-ajw"><span class="gmail-hb"><span name="Ralf.Hildebrandt" class="gmail-g2"><br></span> </span></div><div id="gmail-:63g" aria-haspopup="true" class="gmail-ajy" role="button" tabindex="0" aria-label="Show details"><img class="gmail-ajz" src="https://mail.google.com/mail/u/0/images/cleardot.gif" alt=""></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Budimir Miljković BSc E | He<br>Senior Development Engineer<br>Civil Construction Field Systems<br>Trimble<br> <br>11-17 Birmingham Drive, Christchurch, Canterbury, 8024<br>New Zealand<br>+64 3 963-5550 Direct<br>+64 21 419-024 Mobile<br><br><a href="http://www.trimble.com" target="_blank">www.trimble.com</a><br><br>This email may contain confidential information that is intended only for the listed recipient(s) of this email. Any unauthorized review, use, disclosure or distribution is prohibited. If you believe you have received this email in error, please immediately delete this email and any attachments, and inform me via reply email.</div></div></div>