[squid-users] 3.5.6: need help: FATAL: No valid signing SSL certificate but openssl verify is OK
Amos Jeffries
squid3 at treenet.co.nz
Mon Jul 27 00:24:35 UTC 2015
On 27/07/2015 12:06 p.m., David Touzeau wrote:
>
> Dear
>
> My certificate and my own Root CA are already installed on all
> computers, and I need to use them in Squid.
>
> using
>
> The Certificate :
> --------------------------------------------------------------------------------------------------
>
> openssl x509 -subject -issuer -enddate -noout -in certificate.pem
> subject= /C=FR/ST=Ile de France/L=Paris/O=My Company/OU=IT
> service/CN=proxyweb.domain.tld
> issuer= /CN=ACTISSIA-CA
> notAfter=Jul 8 12:32:53 2016 GMT
>
> The Root CA
> --------------------------------------------------------------------------------------------------
>
> openssl x509 -subject -issuer -enddate -noout -in /etc/squid3/Cafile.ca
> subject= /CN=ACTISSIA-CA
> issuer= /CN=ACTISSIA-CA
> notAfter=Apr 10 08:03:12 2019 GMT
>
>
> Verify certificate and Root's CA:
> --------------------------------------------------------------------------------------------------
>
> /usr/bin/openssl verify -verbose -CAfile /etc/squid3/Cafile.ca
> /etc/squid3/certificate.pem
> certificate.pem: OK
>
>
> I have created the chain
>
> cat /etc/squid3/Cafile.ca >/etc/squid3/chain.pem
> cat /etc/squid3/certificate.pem >>/etc/squid3/chain.pem
>
> Added :
> http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/chain.pem
>
> But I was unable to start Squid with the error
>
> 2015/07/27 00:57:43| Using certificate in /etc/squid3/ssl/calast.pem
> 2015/07/27 00:57:43| storeDirWriteCleanLogs: Starting...
> 2015/07/27 00:57:43| Finished. Wrote 0 entries.
> 2015/07/27 00:57:43| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for HTTP_port
> 0.0.0.0:3128
> Squid Cache (Version 3.5.6): Terminated abnormally.
>
Firstly,
Notice that what Squid is loading is a file called calast.pem, not the
chain.pem one your config snippet shows.
Secondly,
What happens in ssl-bump generate-host-certificates=on is that Squid
generates a *third* certificate tied specifically to the domain the
client asked for, and sends that to the client.
It needs to be signed by a CA the client trusts.
Does /etc/squid3/chain.pem contain the private key of a CA whose public
key is trusted by the client already?
*Without* generate-host-certificates, Squid would just be loading the
certificate.pem part out of chain.pem and sending that to the client.
Amos
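A small script that asks Amos's two questions of the file handed to cert= (is there a CA private key, and is the first certificate actually a CA), added to this archive page as an example rather than code from the thread or from Squid. It assumes the openssl command line tool and a grep that accepts -A (GNU or BusyBox).

```shell
#!/bin/sh
# check_bump_cert: can this PEM file serve ssl-bump generate-host-certificates?
# Squid must be able to *sign* the per-host certificates it generates, so the
# file given to cert= needs a CA certificate (basicConstraints CA:TRUE) and
# that CA's private key, not a server certificate with the CA appended.
# Assumes: openssl CLI on PATH, grep supporting -A. Returns 0 if usable.

check_bump_cert() {
    f="$1"
    rc=0

    # 1. Is there a private key at all? Without one Squid can only send a
    #    certificate it already has, never sign a freshly generated one.
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "MISSING KEY: $f holds no private key block"
        rc=1
    fi

    # 2. openssl x509 reads the first CERTIFICATE block in the file; that is
    #    the one Squid will sign with, so it must be marked as a CA.
    if ! openssl x509 -in "$f" -noout -text 2>/dev/null \
         | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "NOT A CA: first certificate in $f lacks basicConstraints CA:TRUE"
        rc=1
    fi

    # 3. The key must belong to that certificate: compare the public halves.
    if [ "$rc" -eq 0 ]; then
        cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "MISMATCH: private key in $f does not match its first certificate"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $f can sign generated host certificates"
    return "$rc"
}

# Example invocation against the file from the thread:
# check_bump_cert /etc/squid3/chain.pem
```

Run against the chain.pem built in the thread, it reports the missing CA key; a CA certificate concatenated with its own key passes.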