[squid-users] Https_port with "official" certificate

Yuri Voinov yvoinov at gmail.com
Wed Aug 24 12:18:46 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
No CA will issue a signing CA certificate to a subject which is not itself a CA.

So the OP wants an impossible thing.


24.08.2016 18:15, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>
>> Squid fails to start for me with:
>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>
>> I have found that this is related to missing self signed certificate,
>> and since I do not want to use self signed certificate I am asking if I
>> can do anything about it.
>> I would like to avoid self signed certificates so my users would not
>> need to import and replace my own certs.
>
> Have you tried adding the option "generate-host-certificates=off" to your
> https_port line?
>
> I'm not an expert on this bit of Squid, but I'm just looking at
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing
> anything to do with a "signing certificate" (which you do not have, and do not
> want to use).
>
>> And here is my complete squid.conf:
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl Safe_ports port 901         # SWAT
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny to_localhost
>>
>> auth_param basic program /usr/libexec/squid/basic_pam_auth
>> auth_param basic children 5
>> auth_param basic realm Proxy Authentication Required
>> auth_param basic credentialsttl 2 hours
>>
>> acl authenticated proxy_auth REQUIRED
>> http_access allow authenticated
>> http_access deny all
>>
>> https_port 8443 \
>>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>>     clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>>     tls-dh=/etc/ssl/certs/dhparam.pem \
>>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>>     cipher=HIGH
>> cache_dir aufs /var/cache/squid 512 16 256
>> coredump_dir /var/cache/squid
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>
> Antony.
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXvZCjAAoJENNXIZxhPexG5scH/3BeBhhmHmi9HjNt/gEVaM3U
xx1VqyOm3a+1gsfRJFpwag3NCvCoqfy0+XR/QV0OLaRVrmbBSp6YgIEDZsD7JLhZ
ZauSTvv/KPeMU0obAqI1ax3/w7MzlsjburDt47LDnxaBoXULooiThRYy4w8Uzwi9
bHiHPzQ7OBvPuu2z+4WrojhrexGjBQflZ7I1ACuze0ZNyL0zZi+zitQ/K11NUsyA
wXgS0R3t8k5pY/9ZhLvHFc9Zgj6FRaEY9sQ0z4TLlL+vq9t/ceT9xbWooFyL3GAU
2D1aNTpB5d7ejhfiSBagUw1DgHvjeC0uH33Ox0JLfKdfxYQikU/dkWWHnrv/qKc=
=7Z61
-----END PGP SIGNATURE-----
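Editor's worked example for the point Yuri makes above. A certificate that Squid can use to sign generated host certificates must carry basicConstraints CA:TRUE (and, when a Key Usage extension is present, keyCertSign); a certificate issued to a subscriber by a public CA, such as the Let's Encrypt cert.pem in the quoted https_port line, is an end-entity certificate with CA:FALSE and can never fill that role. The POSIX shell script below is an added example, not code from the thread and not part of Squid; it assumes only the openssl CLI (1.1.1 or later), and every file name, the private "Demo Private Signing CA" and the proxy.example.invalid leaf certificate are constructed for the demo. It tells you which kind of certificate you are holding before you put it on an https_port line.

```shell
#!/bin/sh
# Added example for this thread (not Squid's code and not from the original
# message): decide whether a PEM certificate can act as the signing CA that
# Squid wants for https_port, i.e. whether it carries basicConstraints CA:TRUE
# and, if a Key Usage extension is present, keyCertSign. An end-entity cert
# such as the Let's Encrypt cert.pem in the quoted config has CA:FALSE.
# Assumes the openssl CLI (1.1.1 or later) is installed. All file names are
# constructed for the demo.

# is_signing_ca FILE -> 0 if FILE is a CA cert allowed to sign, 1 if not, 2 if unreadable
is_signing_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    # RFC 5280 4.2.1.3: when keyUsage is present on a CA cert it must include keyCertSign
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# make_demo_certs DIR: build a private CA plus a leaf cert shaped like a
# publicly issued server cert (CA:FALSE, serverAuth). Both are constructed here.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.example.invalid
EOF
    # Self-signed CA with explicit extensions (no reliance on the system openssl.cnf)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -config "$dir/req.cnf" -subj "/CN=Demo Private Signing CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 -out "$dir/ca.pem" \
        -extfile "$dir/req.cnf" -extensions ca_ext >/dev/null 2>&1
    # Leaf issued by that CA, with the profile a public CA gives a server cert
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -config "$dir/req.cnf" -subj "/CN=proxy.example.invalid" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 2 -out "$dir/leaf.pem" -extfile "$dir/req.cnf" -extensions leaf_ext >/dev/null 2>&1
}

# report FILE: human-readable verdict; exit status mirrors is_signing_ca
report() {
    if is_signing_ca "$1"; then
        echo "$1: CA:TRUE with keyCertSign, usable as a signing certificate"
    else
        echo "$1: not a signing CA (end-entity or unreadable); Squid cannot mint host certs with it"
        return 1
    fi
}

# Usage: sh check_signing_ca.sh demo           (self-test on constructed certs)
#        sh check_signing_ca.sh /path/cert.pem  (check a real certificate)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_certs "$d"
    report "$d/ca.pem"
    report "$d/leaf.pem"   # expected to report "not a signing CA"
elif [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run it against the cert.pem from the quoted config and it will report "not a signing CA", which is the situation the FATAL message describes. The only certificate that passes this check is one you (or your organisation) issue as a private CA, and every client must then import it, which is exactly what the OP wanted to avoid; if the goal is just a TLS listener that presents the public certificate without generating per-host certificates, Antony's suggestion of generate-host-certificates=off on the https_port line is the setting to experiment with.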
