[squid-users] No valid signing SSL certificate configured for HTTPS_port [::]:3128 (SSL Bump)
Mohammed al-jakry
mohammedjk89 at gmail.com
Tue May 9 06:41:33 UTC 2017
Hi,
I am facing an issue with Squid 3.5 with an SSL Bump configuration. I already configured it without SSL Bump and it works fine, but after configuring the intercept process it shows the below error:

No valid signing SSL certificate configured for HTTPS_port [::]:3128
Below is a snippet from the Squid configuration file:

https_port 3128 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/etc/squid/ssl_cert/myCA.pem
# For squid 3.5.x
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
I used the below link as a guide in creating the certificate:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Moreover, below is the result of the squid -k command:
2017/05/09 09:38:26| Startup: Initializing Authentication Schemes ...
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'basic'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'digest'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'negotiate'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'ntlm'
2017/05/09 09:38:26| Startup: Initialized Authentication.
2017/05/09 09:38:26| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/05/09 09:38:26| Processing: acl localnet src 172.16.10.0/24 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2017/05/09 09:38:26| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2017/05/09 09:38:26| Processing: acl SSL_ports port 443
2017/05/09 09:38:26| Processing: acl Safe_ports port 80 # http
2017/05/09 09:38:26| Processing: acl Safe_ports port 21 # ftp
2017/05/09 09:38:26| Processing: acl Safe_ports port 443 # https
2017/05/09 09:38:26| Processing: acl Safe_ports port 70 # gopher
2017/05/09 09:38:26| Processing: acl Safe_ports port 210 # wais
2017/05/09 09:38:26| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/05/09 09:38:26| Processing: acl Safe_ports port 280 # http-mgmt
2017/05/09 09:38:26| Processing: acl Safe_ports port 488 # gss-http
2017/05/09 09:38:26| Processing: acl Safe_ports port 591 # filemaker
2017/05/09 09:38:26| Processing: acl Safe_ports port 777 # multiling http
2017/05/09 09:38:26| Processing: acl CONNECT method CONNECT
2017/05/09 09:38:26| Processing: http_access deny !Safe_ports
2017/05/09 09:38:26| Processing: http_access deny CONNECT !SSL_ports
2017/05/09 09:38:26| Processing: http_access allow localhost manager
2017/05/09 09:38:26| Processing: http_access deny manager
2017/05/09 09:38:26| Processing: http_access allow localnet
2017/05/09 09:38:26| Processing: http_access allow localhost
2017/05/09 09:38:26| Processing: http_access deny all
2017/05/09 09:38:26| Processing: https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
2017/05/09 09:38:26| Starting Authentication on port [::]:3128
2017/05/09 09:38:26| Disabling Authentication on port [::]:3128 (interception enabled)
2017/05/09 09:38:26| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/05/09 09:38:26| Processing: acl step1 at_step SslBump1
2017/05/09 09:38:26| Processing: ssl_bump peek step1
2017/05/09 09:38:26| Processing: ssl_bump bump all
2017/05/09 09:38:26| Processing: cache_dir ufs /var/spool/squid 100 16 256
2017/05/09 09:38:26| Processing: coredump_dir /var/spool/squid
2017/05/09 09:38:26| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/05/09 09:38:26| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/05/09 09:38:26| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/05/09 09:38:26| Processing: refresh_pattern . 0 20% 4320
2017/05/09 09:38:26| Initializing https proxy context
2017/05/09 09:38:26| Initializing https_port [::]:3128 SSL context
2017/05/09 09:38:26| Using certificate in /etc/squid/ssl_cert/myCA.pem
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:3128
Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.027 seconds = 0.013 user + 0.014 sys
Maximum Resident Size: 37264 KB
Page faults with physical i/o: 0
I already did some googling for this issue, and I found a similar issue that was solved by setting SELinux to permissive and rebooting. I already did the same, but it's still not working. Please advise.
Thanks and Regards,
Mohammed AL-Jakri
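Added example, not part of the original post and not Squid's own code: a POSIX shell checker for the file named in `cert=`. The assumption it rests on is that Squid 3.5 loads the signing certificate from the `cert=` file and, unless `key=` is also given, the matching private key from that same file; the FATAL line above is the generic message Squid prints when it cannot assemble a usable signing pair from it. The script checks the things a practitioner would look at first (certificate-only file, passphrase-protected key, certificate without the CA flag, key that does not belong to the certificate, file unreadable by the squid user or mislabelled under SELinux) and can regenerate a CA in the shape the linked wiki page's openssl command produces. Paths, the CA subject and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the post or from Squid): sanity checks for the PEM file
# handed to https_port ... cert=. Assumption: Squid reads the signing certificate
# from it and, without key=, the private key from the same file.

# Return 0 if FILE ($1) contains a PEM block whose header ends in TYPE ($2),
# e.g. CERTIFICATE or "PRIVATE KEY" (the latter also matches "RSA PRIVATE KEY").
pem_has_block() {
    grep -q -- "^-----BEGIN .*$2-----" "$1"
}

# Structural check, no openssl needed: readable, holds a certificate, holds an
# unencrypted private key. Each failure is a plausible cause of Squid's
# "No valid signing SSL certificate configured".
check_pem_layout() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "$f: not readable (check owner/mode for the squid user and SELinux labels)"; return 1
    fi
    if ! pem_has_block "$f" CERTIFICATE; then
        echo "$f: no CERTIFICATE block"; return 1
    fi
    if ! pem_has_block "$f" "PRIVATE KEY"; then
        echo "$f: no PRIVATE KEY block; cert= must carry the key unless key= is set"; return 1
    fi
    if pem_has_block "$f" "ENCRYPTED PRIVATE KEY" || grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "$f: key is passphrase-protected; Squid cannot prompt for it (generate with -nodes)"; return 1
    fi
    return 0
}

# Deeper check with openssl: the certificate parses, carries CA:TRUE (it has to
# sign per-host certificates), and the key in the file belongs to it. Ownership
# is compared through the public key each side derives to.
check_signing_ca() {
    f=$1
    check_pem_layout "$f" || return 1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping cryptographic checks"; return 0
    fi
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        echo "$f: certificate does not parse"; return 1
    fi
    if ! openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$f: certificate is not a CA (basicConstraints CA:TRUE missing)"; return 1
    fi
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$f: private key does not match the certificate"; return 1
    fi
    return 0
}

# Generate a fresh signing CA: certificate plus unencrypted key in ONE file,
# the shape the wiki's "openssl req ... -keyout myCA.pem -out myCA.pem" yields.
# OUT ($1) is the target path; subject is illustrative.
make_signing_ca() {
    out=$1
    tmp=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -extensions v3_ca -subj "/CN=Example Squid bump CA" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    cat "$tmp/cert.pem" "$tmp/key.pem" > "$out"
    rm -rf "$tmp"
    chmod 600 "$out"   # this key can sign a cert for any site: keep it private to squid
}

# Stand-alone use: sh check_ca.sh /etc/squid/ssl_cert/myCA.pem
if [ -n "${1:-}" ]; then
    check_signing_ca "$1" && echo "$1: looks like a usable signing CA"
fi
```

Run it as the squid user (for example with `sudo -u squid sh check_ca.sh /etc/squid/ssl_cert/myCA.pem`) so the readability check reflects what Squid itself sees; a file that passes as root but not as squid points at permissions or SELinux labels rather than at the certificate.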