[squid-users] No valid signing SSL certificate configured for HTTPS_port

Konrad Kaluszynski itdirectconsulting at gmail.com
Sat Nov 5 16:24:00 UTC 2016


Hi All,

My goal is to configure a reverse proxy for Outlook Anywhere clients using
squid.
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc

This will replace existing TMG that my client is currently using.

However, when I run squid I get an error  "No valid signing SSL certificate
configured for HTTPS_port".

Before, I was able to get OWA and HTTPS traffic using NGINX as reverse
proxy but was getting connection errors when trying to use OutlookAnywhere.

So now I have been testing Squid but cannot get past the certificate
installation which was painless under Nginx.

Configuration is based on an article below:
https://sysadminfixes.wordpress.com/2013/01/25/exchanging-squids/

I have been trying for several days now without much success to configure
SSL certificate on my squid server.

Getting the " ...no valid signing certificate" every time.

I found few posts saying that it was not possible to use SSL certificates
signed by public CA and self-signed certs must be used.

Can anyone confirm if this is a case?

Logs and config files below.

My domain name has been replaced with *contoso.com <http://contoso.com>*
for confidentiality sake.

squid server- srv-*squid.contoso.com <http://squid.contoso.com>* / 3.3.3.201

uname -a
Linux srv-squid 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux


exchange server - exch.contoso.com / 10.2.2.30

SSL certificate:
obtained from StartSSL for mail.contoso.com

SQUID.CONF

#### START

visible_hostname mail.contoso.com
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h"
"%{User-Agent}>h" %Ss:%Sh ###this causes an error
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none
cache_mgr nomail_address_given
forwarded_for transparent
### ignore_expect_100 ## not available in version 3.5
ssl_unclean_shutdown on
### The most important line
 ### "cert" should contain Exchange certificate and key
 ### "sslproxy_cafile" contains CA of root servers - StartSSL ?!
https_port mail.contoso.com:443 accel
cert=/home/kk/ssl/cert-mail/mail.contoso.com.pem defaultsite=
mail.contoso.com key=/home/kk/ssl/cert-mail/mail.contoso.com.key

cache_peer exch.kk1.tech parent 443 0 proxy-only no-digest no-query
originserver front-end-https=on login=PASS sslflags=DONT_VERIFY_PEER
connection-auth=on name=Exchange

acl exch_url url_regex -i mail.contoso.com/owa
acl exch_url url_regex -i mail.contoso.com/microsoft-server-activesync
acl exch_url url_regex -i mail.contoso.com/rpc

cache_peer_access Exchange allow exch_url
cache_peer_access Exchange deny all
never_direct allow exch_url
http_access allow exch_url
http_access deny all
miss_access allow exch_url
miss_access deny all
deny_info https://mail.contoso.com/owa all
###END

ERROR
cache.log
2016/11/05 08:52:13| storeDirWriteCleanLogs: Starting...
2016/11/05 08:52:13|   Finished.  Wrote 0 entries.
2016/11/05 08:52:13|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: No valid signing SSL certificate configured for HTTPS_port
3.3.3.201:443
Squid Cache (Version 3.5.22): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 46624 KB
Page faults with physical i/o: 0

SQUID - compiled from sources
squid -v
Squid Cache: Version 3.5.22
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid3' '--srcdir=.' '--datadir=/share/squid3'
'--sysconfdir=/etc/squid3' '--with-logdir=/var/log'
'--with-pidfile=/var/run/squid3.pid' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=' '--enable-arp-acl' '--enable-esi'
'--enable-ssl' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation'
'--with-logdir=/var/log/squid3' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--with-ssl'
'--disable-ipv6' '--with-openssl' --enable-ltdl-convenience

Appreciate any feedback

Cheers

Konrad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161105/8fdf0ba5/attachment-0001.html>


More information about the squid-users mailing list