[squid-users] Https_port with "official" certificate
Yuri Voinov
yvoinov at gmail.com
Wed Aug 24 12:18:46 UTC 2016
No CA issues a signing CA certificate to a subject which is not itself a CA.
So the OP wants an impossible thing.
24.08.2016 18:15, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>
>> Squid fails to start for me with:
>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>
>> I have found that this is related to missing self signed certificate,
>> and since I do not want to use self signed certificate I am asking if I
>> can do anything about it.
>> I would like to avoid self signed certificates so my users would not
>> need to import and replace my own certs.
>
> Have you tried adding the option "generate-host-certificates=off" to your
> https_port line?
>
> I'm not an expert on this bit of Squid, but I'm just looking at
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing
> anything to do with a "signing certificate" (which you do not have, and do not
> want to use).
>
>> And here is my complete squid.conf:
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 901 # SWAT
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny to_localhost
>>
>> auth_param basic program /usr/libexec/squid/basic_pam_auth
>> auth_param basic children 5
>> auth_param basic realm Proxy Authentication Required
>> auth_param basic credentialsttl 2 hours
>>
>> acl authenticated proxy_auth REQUIRED
>> http_access allow authenticated
>> http_access deny all
>>
>> https_port 8443 \
>> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>> clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>> tls-dh=/etc/ssl/certs/dhparam.pem \
>> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>> cipher=HIGH
>> cache_dir aufs /var/cache/squid 512 16 256
>> coredump_dir /var/cache/squid
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>
> Antony.
>
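The point of the thread is that Squid's dynamic host-certificate generation needs a certificate that is itself a CA, and a publicly issued server certificate such as the Let's Encrypt `cert.pem` in the posted config never is one. The following shell script is an added example, not part of the list message or of Squid; it builds two constructed certificates with `openssl` (a private CA and a Let's Encrypt-style end-entity certificate, under an inline OpenSSL config so the system `openssl.cnf` is not involved) and checks which of them carries `basicConstraints CA:TRUE` plus `keyUsage keyCertSign`, i.e. which could back an `https_port` that has to sign certificates. Pointing `is_signing_ca` at a real Let's Encrypt `cert.pem` would report the same thing Squid's FATAL message does.

```shell
#!/bin/sh
# Added example: tell a signing-capable CA certificate apart from an
# end-entity server certificate, using only openssl, awk and grep.
set -u

WORK=$(mktemp -d)
CONF="$WORK/openssl.cnf"

# Constructed minimal OpenSSL config. v3_ca mimics a private signing CA;
# v3_leaf mimics what a public CA (e.g. Let's Encrypt) issues to a server.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_cert NAME EXT_SECTION CN: self-signed test certificate in $WORK.
make_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$CONF" -extensions "$2" -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# is_signing_ca CERT.pem: exit 0 only if the certificate asserts CA:TRUE and
# keyCertSign, the two properties a certificate-signing proxy needs.
# Exit 1 for an end-entity certificate, 2 if the file is not parseable.
is_signing_ca() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  printf '%s\n' "$text" \
    | awk '/X509v3 Basic Constraints/ { getline; print }' \
    | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" \
    | awk '/X509v3 Key Usage/ { getline; print }' \
    | grep -q 'Certificate Sign' || return 1
}

# report CERT.pem: human-readable verdict for the operator.
report() {
  if is_signing_ca "$1"; then
    echo "$1: CA:TRUE + keyCertSign -> can act as a signing CA"
  else
    echo "$1: end-entity certificate -> cannot sign host certificates"
  fi
}

make_cert ca   v3_ca   "Example Private Signing CA"
make_cert leaf v3_leaf "proxy.example.invalid"

report "$WORK/ca.pem"
report "$WORK/leaf.pem"
```

Run against the files named in an `https_port` line (`cert=`), the check shows in advance whether Squid will accept the certificate for signing; a certificate that fails it can still terminate TLS for an ordinary HTTPS listener, but not mint per-host certificates.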