[squid-users] sslpassword_program

creditu at eml.cc creditu at eml.cc
Mon Dec 19 04:59:37 UTC 2016


On Sun, Dec 18, 2016, at 01:21 PM, Michael Pelletier wrote:
> Check your file permissions on the key.
> 
> On Dec 18, 2016 2:13 PM, <creditu at eml.cc> wrote:
> 
> > I'm having trouble getting the sslpassword_program working for an
> > encrypted key.  Config looks like this:
> >
> > sslpassword_program /usr/local/bin/pass.sh
> > https_port 10.10.10.1:443 accel vhost cert=/etc/squid/www.crt key=/etc/squid/private.key
> >
> > On start, cache log states "Ignoring https_port 10.10.10.1:443 due to
> > SSL initialization failure."
> > On stop, console states "Failed to acquire SSL private key
> > '/etc/squid/private.key': error:0200100D:system library:fopen:Permission
> > denied"
> >
> > Removing the passphrase from the private key, squid starts normally.
> > Permissions on the encrypted and non-encrypted keys are the same.  I
> > also tried putting the pass.sh program in /bin.  The pass.sh program
> > looks like this:
> > #!/bin/sh
> > echo "testing"
> >
> > The hash of the private key modulus and the certificate modulus match as
> > well.
> >
> > Am I missing something? This is on squid 3.1.

Checked the perms and they are identical to those of the private key that I
stripped the password out of.  They are also in the same directory.  The
one without a password works fine.  Also tried encrypting with des3
versus aes128 and that didn't make a difference either.  Gotta be
missing something.  The error points to a perms problem, but not seeing
how since everything is the same.  Also, added a line in the
sslpassword_program to touch a file to see if it got executed and it
didn't create the file.  Additionally, ran the stat command on
/usr/local/bin/pass.sh after squid started up and the access time never
changes.  It seems like the shell script may not be executed for some
reason.  I'm able to launch the shell script from the command line and
it echoes out the pass fine.

