[squid-users] Need assistance debugging Squid error: ssl_crtd helpers crashing too quickly

Rohit Sodhia sodhia.rohit at gmail.com
Mon Sep 11 19:23:42 UTC 2017


Unfortunately, no luck yet. Thank you again for your help before.

I found that the user squid and group squid existed already, so I added

cache_effective_user squid
cache_effective_group squid

to my config (first two lines), made sure /var/lib/ssl_db and its contents
were set to squid:squid and restarted the service, but I'm still getting
the same error :(

On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <sodhia.rohit at gmail.com>
wrote:

> I'll try that immediately, thanks! I appreciate all your advice; hopefully
> I won't have to reach out again :p
>
> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoinov at gmail.com> wrote:
>
>> I'm not a Linux fanboy, but modern squid never runs as root. So, most
>> probably it runs as the nobody user.
>>
>> Ah, yes:
>>
>> #  TAG: cache_effective_user
>> #    If you start Squid as root, it will change its effective/real
>> #    UID/GID to the user specified below.  The default is to change
>> #    to UID of nobody.
>> #    see also; cache_effective_group
>> #Default:
>> # cache_effective_user nobody
>>
>> #  TAG: cache_effective_group
>> #    Squid sets the GID to the effective user's default group ID
>> #    (taken from the password file) and supplementary group list
>> #    from the groups membership.
>> #
>> #    If you want Squid to run with a specific GID regardless of
>> #    the group memberships of the effective user then set this
>> #    to the group (or GID) you want Squid to run as. When set
>> #    all other group privileges of the effective user are ignored
>> #    and only this GID is effective. If Squid is not started as
>> #    root the user starting Squid MUST be member of the specified
>> #    group.
>> #
>> #    This option is not recommended by the Squid Team.
>> #    Our preference is for administrators to configure a secure
>> #    user account for squid with UID/GID matching system policies.
>> #Default:
>> # Use system group memberships of the cache_effective_user account
>>
>> As documented. :)
>>
>> AFAIK the best solution is to create a non-privileged group & user (like
>> squid/squid) and set both of these parameters explicitly.
>>
>> Then change owner recursively on SSL cache to this user.
>>
>> 12.09.2017 0:36, Rohit Sodhia wrote:
>>
>> Neither of those values are set in my config. Even though I'm not using
>> squid for caching, I need those values? They aren't set in the default
>> configs either.
>>
>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoinov at gmail.com> wrote:
>>
>>> Most probably your squid runs as another user than squid.
>>>
>>> Check your squid.conf for cache_effective_user and cache_effective_group
>>> values.
>>>
>>> Then change SSL cache permissions to these values. Should work.
>>>
>>> 12.09.2017 0:30, Rohit Sodhia wrote:
>>>
>>> Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set
>>> it up like that. I changed the owner and group to squid:squid and tried
>>> restarting squid, but still get the same errors. I thought to run the
>>> command again, but this time it says
>>>
>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>
>>> If this folder has incorrect permissions are there possibly other
>>> permission issues?
>>>
>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoinov at gmail.com> wrote:
>>>
>>>> Here is your root of the problem.
>>>>
>>>> Should be (on my setups):
>>>>
>>>> # ls -al /var/lib/ssl_db
>>>> total 326
>>>> drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
>>>> drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
>>>> drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>> -rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
>>>>
>>>> I.e. Squid has no access to SSL cache dir structures.
>>>>
>>>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>>>
>>>> total 8
>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>
>>>>
>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>
>>>>> Show output of
>>>>>
>>>>> ls -al /var/lib/ssl_db
>>>>>
>>>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>>>
>>>>> Yes, but telling me it's crashing unfortunately doesn't help me figure
>>>>> out why or how to fix it. I've run the command it suggests but it doesn't
>>>>> help. I'm unfortunately not an ops guy familiar with this kind of stuff; I
>>>>> don't see anything on how to figure out what to do about it.
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>
>>>>>> It tells you what's happening.
>>>>>>
>>>>>>
>>>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>>
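The ownership check discussed in this thread, as an added example that is not part of the original messages or of Squid itself: it reads the effective user from a squid.conf and flags `ls -al` entries owned by anyone else. The function names `effective_user` and `misowned` are hypothetical, the configuration fragment is constructed from the two directives in the post, and the listing is the one posted in the thread.

```shell
#!/bin/sh
# Added example: compare ssl_db ownership with Squid's effective user.

# Read a squid.conf on stdin and print the user Squid switches to: the last
# cache_effective_user directive, or the documented default "nobody".
# Commented-out lines such as "# cache_effective_user nobody" are ignored.
effective_user() {
    awk '$1 == "cache_effective_user" { u = $2 }
         END { print (u == "" ? "nobody" : u) }'
}

# Read `ls -al` output on stdin and print every entry whose owner is not $1.
# The "total N" line and ".." (the parent directory, not part of the
# database) are skipped. Assumes file names without spaces.
misowned() {
    awk -v want="$1" '
        $1 == "total" || NF < 9 || $NF == ".." { next }
        $3 != want { print $NF " (owner " $3 ")" }'
}

# Constructed squid.conf fragment with the two directives from the post.
CONF='cache_effective_user squid
cache_effective_group squid'

# Listing of /var/lib/ssl_db as posted in the thread (everything root:root).
LISTING_BEFORE='total 8
drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
-rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
-rw-r--r--.  1 root root    1 Sep 11 12:42 size'

user=$(printf '%s\n' "$CONF" | effective_user)
echo "effective user: $user"
printf '%s\n' "$LISTING_BEFORE" | misowned "$user"
```

On a live host, feed `effective_user` the real squid.conf and pipe `ls -al /var/lib/ssl_db` into `misowned`; an empty result means every listed entry belongs to the effective user.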