[squid-users] ssl proxy error: No valid signing SSL certificate configured for https_port [::]:3127
Alan Palmer
alanpalmer72 at yahoo.com
Mon Feb 16 16:16:21 UTC 2015
Tried the two links provided, still no luck.
details:
squid -v
Squid Cache: Version 3.4.11
configure options: '--disable-strict-error-checking'
'--disable-arch-native' '--enable-shared'
'--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-follow-x-forwarded-for' '--enable-forw-via-db'
'--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
'--enable-referer-log' '--enable-removal-policies=lru heap'
'--enable-ssl' '--with-openssl' '--enable-storeio=aufs ufs diskd'
'--with-default-user=_squid' '--with-filedescriptors=8192'
'--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid'
'--with-pthreads' '--with-swapdir=/var/squid/cache'
'--disable-pf-transparent' '--enable-ipfw-transparent'
'--enable-external-acl-helpers=LDAP_group SQL_session file_userip
time_quota session unix_group wbinfo_group LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules' 'CC=cc'
'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib'
'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'
'--enable-ssl-crtd' --enable-ltdl-convenience
tail -10 squid.conf
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/server1.crt
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump server-first all
cert generation
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 730 -in server.csr -signkey server.key
openssl x509 -req -days 730 -in server.csr -signkey server.key -out
server.crt
cat server.key server.crt > server1.crt
squid -z
FATAL: No valid signing SSL certificate configured for https_port
0.0.0.0:3127
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.060 user + 0.020 sys
Maximum Resident Size: 6752 KB
Page faults with physical i/o: 0
cert generation ala
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP (squid.conf
changed to cert=/etc/squid/ssl_cert/myCA.pem)
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout
myCA.pem -out myCA.pem
squid -z
FATAL: No valid signing SSL certificate configured for https_port [::]:3127
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.010 user + 0.030 sys
Maximum Resident Size: 6288 KB
Page faults with physical i/o: 0
In reply to:
On 2/15/2015 4:49 PM, Eliezer Croitoru wrote:
> On 15/02/2015 23:36, Alan Palmer wrote:
>> I'm trying to get squid 3.4.11 on openbsd 5.6 to act as a transparent
>> ssl proxy.
>>
>> I've rebuilt squid with --enable-ssl-crtd, generated my own self signed
>> cert (ala http://www.akadia.com/services/ssh_test_certificate.html) and
>> have the following config lines:
>
> Hey Alan,
>
> What is the full output of "squid -v"?
>
> I am unsure about the akadia tutorial.
> Please take a look at:
> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP
>
> It contains some hints on how to create the certificate and contains a
> snippet of squid configuration to make a basic ssl-bump work (the echo
> command code might not be right).
>
> I am pretty sure the certificate you have created is not the right
> type for the task.
>
> Eliezer
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
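
Added example, not part of the thread and not written by any of its participants: a shell function that checks a combined key-plus-certificate PEM, like the server1.crt and myCA.pem files above, for properties a certificate used to sign other certificates is generally expected to have. The function name and the choice of checks are assumptions; the thread does not establish which property, if any, Squid was rejecting.

```shell
#!/bin/sh
# Added example: sanity-check a combined key+certificate PEM before pointing
# an ssl-bump https_port cert= option at it. check_signing_pem is a
# hypothetical helper name. Returns 0 only if every check passes.
check_signing_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # 1. Both PEM blocks must be in the file (cat key cert > file).
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key block"; return 1; }

    # 2. The key must load without a passphrase (empty -passin avoids a prompt).
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: private key is encrypted or unparsable"; return 1; }

    # 3. The key must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: certificate is unparsable"; return 1; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "FAIL: private key does not match certificate"; return 1; }

    # 4. A certificate that signs other certificates should assert CA:TRUE.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints CA:TRUE missing"; return 1; }

    # 5. The file holds a CA private key: warn if it is world-readable.
    [ -z "$(find "$pem" -prune -perm -004)" ] ||
        echo "WARN: $pem is world-readable"

    echo "OK: $pem"
}

# Usage: sh check_pem.sh /path/to/combined.pem
if [ "$#" -gt 0 ]; then check_signing_pem "$1"; fi
```

The world-readable finding is a warning only and does not change the return status.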