[squid-users] Cert download from AIA information succeeds yet Squid reports ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Alex Rousskov rousskov at measurement-factory.com
Tue May 22 15:50:14 UTC 2018


On 05/21/2018 10:59 PM, Ahmad, Sarfaraz wrote:

> Websites where certificates just share AIA information using CA-issuer
> method, those work just fine.
>
> But try this one, https://community.verizonwireless.com/welcome (this
> gets bumped in my setup)
>
> Here the AIA information is provided using both OCSP/CAissuer methods.
>
> From Squid's access logs, I can tell that the certificate gets downloaded.
>
> 1526964147.929    160 - TCP_MISS/200 1868 GET
> http://cacert.omniroot.com/vpssg142.crt - HIER_DIRECT/64.18.25.46
> application/x-x509-ca-cert
>
> But squid still reports:
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known:
> /C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2
>
> That is the only intermediate certificate needed in the chain.  Here:
> https://www.ssllabs.com/ssltest/analyze.html?d=community.verizonwireless.com&latest
>
> When I download the intermediate certificate locally and try connecting
> to the remote server using the openssl -CAfile option, OpenSSL reports OK (0).
>
> openssl s_client -connect 204.93.84.201:443 -showcerts -CAfile
> vpssg142.crt -servername community.verizon.com
>
>     Verify return code: 0 (ok)


Nice triage! I do not know what went wrong, unfortunately. If you do not
find a solution on the mailing list, I recommend posting a bug report.
If possible, attach compressed partial cache.log (with debug_options set
to ALL,9) collected while reproducing the above problem without any
other transactions. This log might speed up resolution by exposing the
problem without the need to reproduce it locally.

Alex.
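The Squid error quoted above maps to OpenSSL verify error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY): the leaf's issuer is not in the trust store and was not supplied as an untrusted intermediate. The script below is an added example, not code from the thread or from the Squid project. It builds a throwaway root -> intermediate -> leaf chain with openssl, puts a caIssuers AIA URL on the leaf (a placeholder; nothing is fetched from the network), and then shows that verifying the leaf against the root alone yields error 20 while adding the intermediate as an untrusted cert yields 0, which is the same distinction the openssl -CAfile check in the thread relies on. It assumes an openssl CLI of version 1.1.1 or later on PATH; all certificate names and the AIA URL are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce and then clear OpenSSL verify
# error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the code behind the
# Squid message above, using a constructed root -> intermediate -> leaf chain.
# Assumes the openssl CLI (1.1.1 or later) is on PATH. The AIA URL is a
# placeholder; nothing is fetched from the network.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
AIA_URL="http://aia.example.invalid/intermediate.crt"   # constructed placeholder

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

make_chain() {
  # Self-signed root: the only certificate the "trust store" will contain.
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 30 \
    -subj "/CN=Example Root" -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null

  # Intermediate CA signed by the root.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Intermediate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

  # Leaf signed by the intermediate, carrying a caIssuers AIA pointer like the
  # Verizon certificate in the thread (this is the URL an AIA fetcher downloads).
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nauthorityInfoAccess=caIssuers;URI:%s\n' \
    "$AIA_URL" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Print the caIssuers URL embedded in the leaf certificate.
leaf_aia_url() {
  openssl x509 -in "$WORK/leaf.crt" -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)/\1/p'
}

# Print OpenSSL's numeric verify error for the leaf (0 means OK).
# $1 = trusted CA file, $2 = optional file of untrusted intermediates.
verify_leaf() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1 || true)
  fi
  # openssl verify reports failures as "error <N> at <depth> depth lookup: ...".
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1)
  printf '%s\n' "${code:-0}"
}

make_chain
echo "AIA caIssuers URL: $(leaf_aia_url)"
echo "root only, intermediate missing : error $(verify_leaf "$WORK/root.crt")"                  # 20
echo "root + intermediate supplied    : error $(verify_leaf "$WORK/root.crt" "$WORK/int.crt")"  # 0
```

Error 20 here means the verifier could not find the leaf's issuer anywhere it looks locally, regardless of whether the issuer was fetched elsewhere; when troubleshooting a bumping proxy, comparing this output with what the proxy's own verifier sees (the cache.log Alex asks for) isolates whether the fetched AIA certificate ever reached the verification step.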