[squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
Mike
mcsnv96 at afo.net
Fri Jan 23 20:08:23 UTC 2015
For a Red Hat/CentOS based OS, selinux causes that.
The fix I found in this case:
Before the below “audit2allow” command will work, you will need to
install the needed tool for selinux:
* yum -y install policycoreutils-python
(which will also install a few other dependencies).
To temporarily set selinux to permissive:
* echo 0 >/selinux/enforce
To re-enable after it is fixed:
* echo 1 >/selinux/enforce
Check the /var/log/audit/audit.log for the type=AVC relating to the
ssl_crtd entries (easy way is "grep AVC audit.log | less" ).
To find out WHY it is happening in selinux, use this:
grep ssl_crtd /var/log/audit/audit.log | audit2allow -w
Start in /tmp/ folder since we will not need these files for long.
* grep ssl_crtd /var/log/audit/audit.log | audit2allow -m ssl_crtdlocal > ssl_crtdlocal.te
- outputs the suggested settings into the file ssl_crtdlocal.te, which
we will review below in “cat”
* cat ssl_crtdlocal.te
- to review the created file and show what will be done in selinux
* grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtdlocal
- Note the capital M, this Makes the needed file, ready for selinux to
import, and then the next command below actually enables it.
* semodule -i ssl_crtdlocal.pp
- Used to enable the new policy in selinux
As long as it is now working properly, can delete the *.te and *.pp
files created in the /tmp/ folder.
Now all of this is moot if selinux is not used so there may likely be
other explanations, but this at least covers RedHat based OS's with
selinux. I documented all of this since our servers ran into the same
issue due to selinux, and this was how we resolved it.
Mike
On 1/22/2015 6:17 AM, HackXBack wrote:
> hello,
> every day i found this error and my cache stop
>
> then i remove the ssl database then restart squid
>
> next day the problem happen again ,
> am using squid 3.4.11
>
> what may cause this problem ?
>
> thanks.
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-The-ssl-crtd-helpers-are-crashing-too-rapidly-need-help-tp4669257.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
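A read-only check to go with the review step in the message above, added here as an example and not part of the original post: it condenses the ssl_crtd AVC denials into one line per distinct access, so what `audit2allow -M` would allow is visible before `semodule -i` is run. The log lines in `sample_audit_log` are constructed, and both function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise AVC denials for one command before building a module.

# Constructed audit.log lines (not from a real host): three ssl_crtd denials,
# one unrelated httpd denial, and one non-AVC record.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1422000000.100:900): avc:  denied  { write } for  pid=2101 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=131 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1422000000.100:900): arch=c000003e syscall=2 success=no exit=-13 comm="ssl_crtd"
type=AVC msg=audit(1422000050.200:911): avc:  denied  { write } for  pid=2102 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=131 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1422000060.300:912): avc:  denied  { write add_name } for  pid=2102 comm="ssl_crtd" name="certs" dev=dm-0 ino=130 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1422000070.400:913): avc:  denied  { read } for  pid=3001 comm="httpd" name="secret" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
EOF
}

# summarize_avc COMM: reads audit records on stdin and prints
# "count source_type target_type:class permissions object", most frequent first.
summarize_avc() {
    awk -v comm="$1" '
    /type=AVC/ && /denied/ && index($0, "comm=\"" comm "\"") {
        # Permissions are the words between the braces: { write add_name }
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms); gsub(/ /, ",", perms)
        st = tt = tc = obj = "-"
        for (i = 1; i <= NF; i++) {
            v = $i; sub(/^[^=]*=/, "", v)
            if ($i ~ /^scontext=/)           { split(v, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/)      { split(v, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)        tc = v
            else if ($i ~ /^(name|path)=/)   { gsub(/"/, "", v); obj = v }
        }
        seen[st " " tt ":" tc " " perms " " obj]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real host use:
#   summarize_avc ssl_crtd < /var/log/audit/audit.log
sample_audit_log | summarize_avc ssl_crtd
```

Compare the output with the allow rules in ssl_crtdlocal.te; each line should correspond to access you expect ssl_crtd to need.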