[squid-users] No valid signing SSL certificate configured for HTTPS_port [::]:3128 (SSL Bump)

Mohammed al-jakry mohammedjk89 at gmail.com
Tue May 9 06:41:33 UTC 2017


Hi,

I am facing an issue with Squid 3.5 with SSL Bump configuration. I already
configured it without SSL bump and it works fine, but after configuring the
intercept process it shows the below error:

No valid signing SSL certificate configured for HTTPS_port [::]:3128

Below is a snippet from the Squid configuration file:

https_port 3128 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/etc/squid/ssl_cert/myCA.pem

# For squid 3.5.x
sslcrtd_program /usr/lib64/squid/ssl_crtd  -s /var/lib/ssl_db -M 4MB


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

I used the below link as a guide in creating the certificate:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Moreover, below are the results of the squid -k command:

2017/05/09 09:38:26| Startup: Initializing Authentication Schemes ...
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'basic'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'digest'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'negotiate'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'ntlm'
2017/05/09 09:38:26| Startup: Initialized Authentication.
2017/05/09 09:38:26| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/05/09 09:38:26| Processing: acl localnet src 172.16.10.0/24        # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2017/05/09 09:38:26| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2017/05/09 09:38:26| Processing: acl SSL_ports port 443
2017/05/09 09:38:26| Processing: acl Safe_ports port 80         # http
2017/05/09 09:38:26| Processing: acl Safe_ports port 21         # ftp
2017/05/09 09:38:26| Processing: acl Safe_ports port 443                # https
2017/05/09 09:38:26| Processing: acl Safe_ports port 70         # gopher
2017/05/09 09:38:26| Processing: acl Safe_ports port 210                # wais
2017/05/09 09:38:26| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/05/09 09:38:26| Processing: acl Safe_ports port 280                # http-mgmt
2017/05/09 09:38:26| Processing: acl Safe_ports port 488                # gss-http
2017/05/09 09:38:26| Processing: acl Safe_ports port 591                # filemaker
2017/05/09 09:38:26| Processing: acl Safe_ports port 777                # multiling http
2017/05/09 09:38:26| Processing: acl CONNECT method CONNECT
2017/05/09 09:38:26| Processing: http_access deny !Safe_ports
2017/05/09 09:38:26| Processing: http_access deny CONNECT !SSL_ports
2017/05/09 09:38:26| Processing: http_access allow localhost manager
2017/05/09 09:38:26| Processing: http_access deny manager
2017/05/09 09:38:26| Processing: http_access allow localnet
2017/05/09 09:38:26| Processing: http_access allow localhost
2017/05/09 09:38:26| Processing: http_access deny all
2017/05/09 09:38:26| Processing: https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
2017/05/09 09:38:26| Starting Authentication on port [::]:3128
2017/05/09 09:38:26| Disabling Authentication on port [::]:3128 (interception enabled)
2017/05/09 09:38:26| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd  -s /var/lib/ssl_db -M 4MB
2017/05/09 09:38:26| Processing: acl step1 at_step SslBump1
2017/05/09 09:38:26| Processing: ssl_bump peek step1
2017/05/09 09:38:26| Processing: ssl_bump bump all
2017/05/09 09:38:26| Processing: cache_dir ufs /var/spool/squid 100 16 256
2017/05/09 09:38:26| Processing: coredump_dir /var/spool/squid
2017/05/09 09:38:26| Processing: refresh_pattern ^ftp:          1440    20%     10080
2017/05/09 09:38:26| Processing: refresh_pattern ^gopher:       1440    0%      1440
2017/05/09 09:38:26| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2017/05/09 09:38:26| Processing: refresh_pattern .              0       20%     4320
2017/05/09 09:38:26| Initializing https proxy context
2017/05/09 09:38:26| Initializing https_port [::]:3128 SSL context
2017/05/09 09:38:26| Using certificate in /etc/squid/ssl_cert/myCA.pem
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:3128
Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.027 seconds = 0.013 user + 0.014 sys
Maximum Resident Size: 37264 KB
Page faults with physical i/o: 0

I already Googled this issue and found a similar one that was solved by
setting SELinux to permissive and rebooting. I already did the same, but it
is still not working. Please advise.

Thanks and Regards,

Mohammed AL-Jakri
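The FATAL line in the post is Squid reporting that it could not load a usable signing certificate from the file named by cert=. Below is an added check, not from the post or from the Squid project, that a practitioner would run against that PEM before restarting Squid: it verifies the file is readable by the caller, carries both a certificate and a private key block (with Squid 3.5, key= defaults to the cert= file, and the linked wiki's openssl command writes both into myCA.pem), and, when openssl is on PATH, that the certificate is a CA and the RSA key matches it. Assumptions: POSIX sh, grep, an RSA key as in the wiki example; the function names are mine.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Squid's own tooling).
# Sanity-check the PEM file that "https_port ... cert=" points at.

# Returns 0 if FILE is readable and holds both a certificate and a private key.
pem_has_cert_and_key() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f (check path, mode, SELinux label)" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
        echo "no certificate block in $f" >&2; return 1; }
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || {
        echo "no private key block in $f: add key= or regenerate with -keyout" >&2
        return 1; }
    return 0
}

# Returns 0 if openssl confirms the cert is a CA and the RSA key matches it.
# openssl reads the matching block out of a combined cert+key file.
# Skipped (returns 0 with a note) when openssl is not installed.
pem_is_usable_signing_ca() {
    f="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, skipping" >&2; return 0; }
    openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "certificate lacks basicConstraints CA:TRUE; it cannot sign host certs" >&2
        return 1; }
    certmod=$(openssl x509 -in "$f" -noout -modulus 2>/dev/null)
    keymod=$(openssl rsa -in "$f" -noout -modulus 2>/dev/null)
    [ -n "$certmod" ] && [ "$certmod" = "$keymod" ] || {
        echo "private key does not match the certificate" >&2; return 1; }
    return 0
}

# Usage: check_squid_signing_cert /etc/squid/ssl_cert/myCA.pem
check_squid_signing_cert() {
    pem_has_cert_and_key "$1" && pem_is_usable_signing_ca "$1"
}
```

Run it as the user Squid starts as (or the squid user) so the readability check reflects what the daemon sees.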