[squid-users] Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly
Yuri
yvoinov at gmail.com
Mon Sep 11 20:07:44 UTC 2017
It seems the latest 4.0.21 is good enough. Most critical SSL-related bugs
are almost closed or closed.
At least the latest 3.5.27 is released. AFAIK this is the minimum for
problem-free running.
Repository software sometimes has strange quirks, or is sometimes rancid.
12.09.2017 2:05, Rohit Sodhia writes:
> I'll try to find it, but I read a few articles/SO questions that
> suggested there were bugs in 4 relating to SSL bumping? If they were
> wrong, I'd be glad to go forward. Should I be removing the yum squid
> package and compile my own? Is 3.5 problematic besides being old?
>
> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <yvoinov at gmail.com> wrote:
>
> Wait. Squid 3.5.20? So ancient?
>
>
> 12.09.2017 1:58, Rohit Sodhia writes:
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>
>> I used the line from the Stack Overflow question I linked earlier.
>>
>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <yvoinov at gmail.com> wrote:
>>
>> Well. Let's check more deeply.
>>
>> Show me parameter sslcrtd_program in your squid.conf
>>
>>
>> 12.09.2017 1:23, Rohit Sodhia writes:
>>> Unfortunately, no luck yet. Thank you again for your help
>>> before.
>>>
>>> I found that the user squid and group squid existed already,
>>> so I added
>>>
>>> cache_effective_user squid
>>> cache_effective_group squid
>>>
>>> to my config (first two lines), made sure /var/lib/ssl_db
>>> and its contents were set to squid:squid and restarted the
>>> service, but I'm still getting the same error :(
>>>
>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <sodhia.rohit at gmail.com> wrote:
>>>
>>> I'll try that immediately, thanks! I appreciate all your
>>> advice; hopefully I won't have to reach out again :p
>>>
>>> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoinov at gmail.com> wrote:
>>>
>>> I'm not a Linux fanboy, but modern squid never runs as
>>> root. So, most probably it runs as the nobody user.
>>>
>>> Ah, yes:
>>>
>>> # TAG: cache_effective_user
>>> # If you start Squid as root, it will change its effective/real
>>> # UID/GID to the user specified below. The default is to change
>>> # to UID of nobody.
>>> # see also; cache_effective_group
>>> #Default:
>>> # cache_effective_user nobody
>>>
>>> # TAG: cache_effective_group
>>> # Squid sets the GID to the effective user's default group ID
>>> # (taken from the password file) and supplementary group list
>>> # from the groups membership.
>>> #
>>> # If you want Squid to run with a specific GID regardless of
>>> # the group memberships of the effective user then set this
>>> # to the group (or GID) you want Squid to run as. When set
>>> # all other group privileges of the effective user are ignored
>>> # and only this GID is effective. If Squid is not started as
>>> # root the user starting Squid MUST be member of the specified
>>> # group.
>>> #
>>> # This option is not recommended by the Squid Team.
>>> # Our preference is for administrators to configure a secure
>>> # user account for squid with UID/GID matching system policies.
>>> #Default:
>>> # Use system group memberships of the cache_effective_user account
>>>
>>> As documented. :)
>>>
>>> AFAIK the best solution is to create a non-privileged group &
>>> user (like squid/squid) and set both these parameters
>>> explicitly.
>>>
>>> Then change owner recursively on SSL cache to this user.
>>>
>>>
>>> 12.09.2017 0:36, Rohit Sodhia writes:
>>>> Neither of those values is set in my config. Even
>>>> though I'm not using squid for caching, I need
>>>> those values? They aren't set in the default
>>>> configs either.
>>>>
>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>
>>>> Most probably your squid runs as another user
>>>> than squid.
>>>>
>>>> Check your squid.conf for cache_effective_user
>>>> and cache_effective_group values.
>>>>
>>>> Then change SSL cache permissions to these
>>>> values. Should work.
>>>>
>>>>
>>>> 12.09.2017 0:30, Rohit Sodhia writes:
>>>>> Thanks for the feedback! I just used yum (it's
>>>>> a CentOS 7 VB) and it set it up like that. I
>>>>> changed the owner and group to squid:squid and
>>>>> tried restarting squid, but still get the same
>>>>> errors. I thought to run the command again,
>>>>> but this time it says
>>>>>
>>>>> /usr/lib64/squid/ssl_crtd: Cannot create
>>>>> /var/lib/ssl_db
>>>>>
>>>>> If this folder has incorrect permissions are
>>>>> there possibly other permission issues?
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>
>>>>> Here is the root of your problem.
>>>>>
>>>>> Should be (on my setups):
>>>>>
>>>>> # ls -al /var/lib/ssl_db
>>>>> total 326
>>>>> drwxr-xr-x 3 squid squid 5 Sep 5 00:53 .
>>>>> drwxr-xr-x 8 root other 8 Sep 5 00:53 ..
>>>>> drwxr-xr-x 2 squid squid 454 Sep 11 23:37 certs
>>>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>>>> -rw-r--r-- 1 squid squid 7 Sep 11 23:37 size
>>>>>
>>>>> I.e. Squid has no access to SSL cache dir
>>>>> structures.
>>>>>
>>>>>
>>>>> 12.09.2017 0:23, Rohit Sodhia writes:
>>>>>> total 8
>>>>>> drwxr-xr-x. 3 root root 48 Sep 11 12:42 .
>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>> drwxr-xr-x. 2 root root 6 Sep 11 12:42 certs
>>>>>> -rw-r--r--. 1 root root 0 Sep 11 12:42 index.txt
>>>>>> -rw-r--r--. 1 root root 1 Sep 11 12:42 size
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>
>>>>>> Show output of
>>>>>>
>>>>>> ls -al /var/lib/ssl_db
>>>>>>
>>>>>>
>>>>>> 12.09.2017 0:21, Rohit Sodhia пишет:
>>>>>>> Yes, but telling me it's crashing
>>>>>>> unfortunately doesn't help me figure
>>>>>>> out why or how to fix it. I've run
>>>>>>> the command it suggests but it
>>>>>>> doesn't help. I'm unfortunately not
>>>>>>> an ops guy familiar with this kind
>>>>>>> of stuff; I don't see anything on
>>>>>>> how to figure out what to do about it.
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoinov at gmail.com> wrote:
>>>>>>>
>>>>>>> It tells you what happens.
>>>>>>>
>>>>>>>
>>>>>>> 11.09.2017 23:50, Rohit Sodhia writes:
>>>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> squid-users mailing list
>>>>>>> squid-users at lists.squid-cache.org
>>>>>>> <mailto:squid-users at lists.squid-cache.org>
>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>>> <http://lists.squid-cache.org/listinfo/squid-users>
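As an added example (not from the thread or the Squid project), here is a shell check for the two failure modes the thread works through by hand: an ssl_crtd database that was never initialized, and one whose entries are not owned by the account named in cache_effective_user. It assumes the squid.conf path and the database directory are passed as arguments; the expected entries (certs, index.txt, size) are taken from the listings above.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an ssl_crtd certificate
# database the way the thread diagnosed it by hand: is it initialized,
# and is every entry owned by the account Squid drops privileges to?
# Assumption: squid.conf path and ssl_db path are given as arguments.

# Read cache_effective_user from squid.conf, ignoring comments and
# surrounding whitespace; Squid's documented default is "nobody".
effective_user() {
    conf="$1"
    u=$(sed -n 's/^[[:space:]]*cache_effective_user[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -n "$u" ]; then
        echo "$u"
    else
        echo nobody
    fi
}

# Return 2 if the database was never initialized (entries from the
# thread's "ls -al" listing are missing), 1 if any entry is owned by
# someone other than "$1" (the helper then cannot write to it),
# 0 when everything is in order.
check_ssl_db() {
    user="$1"; db="$2"
    for entry in certs index.txt size; do
        if [ ! -e "$db/$entry" ]; then
            echo "$db/$entry missing: initialize with 'ssl_crtd -c -s $db'"
            return 2
        fi
    done
    bad=$(find "$db" ! -user "$user" 2>/dev/null || true)
    if [ -n "$bad" ]; then
        echo "$bad" | sed "s|^|not owned by $user: |"
        echo "fix with: chown -R $user $db"
        return 1
    fi
    echo "$db is initialized and owned by $user"
    return 0
}

# Usage: sh check_ssl_db.sh /etc/squid/squid.conf /var/lib/ssl_db
if [ "$#" -eq 2 ]; then
    check_ssl_db "$(effective_user "$1")" "$2"
fi
```

Run it as root (or as the effective user) after every package update, since a reinstalled package can recreate /var/lib/ssl_db owned by root as seen in the thread.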