[squid-users] Buy Certificates for Squid 'man in the middle'
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 2 23:38:44 UTC 2017
On 3/02/2017 1:43 a.m., angelv wrote:
> On Thu, Feb 2, 2017 at 4:37 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>> On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
>>> So we can't even use the free certs from letsencrypt with Squid??
>>>
>>
>> Not for MITM / SSL-Bump no.
>>
>> The very first clause of the purchase contract for the LetsEncrypt CA is:
>>
>> "
>> By requesting, accepting, or using a Let’s Encrypt Certificate:
>>
>> * You warrant to ISRG and the public-at-large that You are the
>> legitimate registrant of the Internet domain name that is, or is going
>> to be, the subject of Your Certificate, or that You are the duly
>> authorized agent of such registrant.
>> "
>>
>> Meaning they can be used for explicit TLS-proxy or CDN reverse-proxy only.
>>
>> If you have just used LetsEncrypt certs because of the hype about being
>> cheap, easy and everyone else is saying it's good, I think it is well worth
>> your time going to their site and reading that contract to which you
>> have bound your network.
>>
>> For networks outside North America there are some legal implications
>> about signing judicial authority and your users' method of legal redress
>> over to the USA government.
>>
>
> I have certificates for my sub-domain
>
> for example:
>
> Proxy.subdomain.domain.com
>
> I have the following files issued by Letsencrypt:
>
> ca.cer
> fullchain.cer
> proxy.subdomain.domain.com.cer
> proxy.subdomain.domain.com.key
> proxy.subdomain.domain.com.csr
> proxy.subdomain.domain.com.conf
> proxy.subdomain.domain.com.ssl.conf
>
> Can you use it?
> How do I make them usable for the proxy?
>
https_port 3128 \
cert=/path/to/proxy.subdomain.domain.com.cer \
key=/path/to/proxy.subdomain.domain.com.key \
cafile=/path/to/fullchain.cer
That is all. No SSL-Bump or other config.
Amos
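Before pointing https_port at those files it is worth confirming that the key, certificate and chain actually belong together, because Squid will refuse to start (or clients will see verification errors) if they do not. The script below is an added example, not code from the thread or from the Squid project. It assumes the file roles that the listed names suggest: proxy.subdomain.domain.com.cer is the server certificate, proxy.subdomain.domain.com.key its private key, ca.cer the issuing intermediate CA, and fullchain.cer the server certificate followed by the intermediate; the hostname and paths are placeholders taken from the question.

```shell
#!/bin/sh
# Added example: pre-flight checks for an explicit TLS proxy certificate
# before it is referenced from Squid's https_port line.
# Assumed file roles (not stated in the thread): <host>.cer = server cert,
# <host>.key = private key, ca.cer = intermediate CA, fullchain.cer = cert + intermediate.

# 0 when the certificate's public key is the one derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when the certificate ($1) chains to the CA in $2, using $3 for intermediates.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# 0 when the certificate ($1) names the host ($2) in its SAN list (or CN).
# openssl x509 -checkhost always exits 0, so the verdict must be read from its output.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Run all three checks, report each failure, return non-zero if any failed.
# Arguments: cert key ca chain hostname
preflight() {
    rc=0
    cert_matches_key "$1" "$2"   || { echo "FAIL: $2 does not match $1"; rc=1; }
    chain_verifies "$1" "$3" "$4" || { echo "FAIL: $1 does not chain to $3"; rc=1; }
    cert_covers_host "$1" "$5"    || { echo "FAIL: $1 does not name $5"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: $1 and $2 are consistent and name $5"
    fi
    return "$rc"
}

# Example invocation with the placeholder paths from the question:
#   preflight /path/to/proxy.subdomain.domain.com.cer \
#             /path/to/proxy.subdomain.domain.com.key \
#             /path/to/ca.cer /path/to/fullchain.cer \
#             proxy.subdomain.domain.com
if [ "$#" -eq 5 ]; then
    preflight "$@"
fi
```

The hostname check matters for an explicit proxy: browsers connecting to https_port validate the certificate against the proxy hostname they were configured with, so the name in the subject alternative names must be the one clients use. Option names on the https_port line differ between Squid releases, so check the directive reference for the version you run.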