[squid-users] Https_port with "official" certificate
Antony Stone
Antony.Stone at squid.open.source.it
Wed Aug 24 12:15:59 UTC 2016
On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>
> I have found that this is related to missing self signed certificate,
> and since I do not want to use self signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self signed certificates so my users would not
> need to import and replace my own certs.
Have you tried adding the option "generate-host-certificates=off" to your
https_port line?
I'm not an expert on this bit of Squid, but I'm just looking at
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing
anything to do with a "signing certificate" (which you do not have, and do not
want to use).
> And here is my complete squid.conf:
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
>
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
Antony.
--
You can tell that the day just isn't going right when you find yourself using
the telephone before the toilet.
Please reply to the list;
please *don't* CC me.