[squid-users] Troubleshooting certificate issues

Lorenzo Marcantonio l.marcantonio at proxind.it
Wed Nov 11 11:56:32 UTC 2020


I'm using 4.13 with libressl 3.2.2 and SSL bumps. Most of the time
it works (e.g. google). Some other times it gets me back a 'fake untrusted'
certificate (like CN=Not trusted by "proxy.proxind.it") and this of
course gives user issues.

In the logs I see lines like

2020-11-11 12:47:59.314124500  L   290 192.168.2.102 NONE/200 0 CONNECT www.selcdn.ru:443 - HIER_DIRECT/92.53.68.204 - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY at depth=2

which suggests something missing in the certificate store.

However, testing with openssl verify the certificate from the server
(extracted with a browser *outside* the squid network), it verifies OK.

The certs.pem file is the same (I checked :P) so I don't get why it
should fail. In fact I ensured it with tls_outgoing_options cafile=/var/lib/openssl/certs.pem

Any ideas on how to solve/troubleshoot/workaround the problem?

-- 
Lorenzo Marcantonio
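
Added example (not part of the original post): a small triage script that groups bump verification failures like the log line quoted above by certificate DN, X509 error and chain depth, so the affected destinations per failing certificate are visible at a glance. The field layout is inferred from that single line (the logformat is custom, so it is an assumption), the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Assumed field order (inferred from the one line in the post): client,
# status, size, CONNECT host:port, user, hierarchy/peer, "-", DN, error, depth.
LINE_RE = re.compile(
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+/\d{3} \d+ CONNECT "
    r"(?P<host>\S+?):(?P<port>\d+) \S+ \w+/(?P<peer>\S+) \S+ "
    r"(?P<dn>/.+?) (?P<error>X509_V_ERR_\w+) at depth=(?P<depth>\d+)"
)

# First entry is the line quoted in the post; the others are constructed.
SAMPLE_LOG = [
    "2020-11-11 12:47:59.314124500  L   290 192.168.2.102 NONE/200 0 CONNECT www.selcdn.ru:443 - HIER_DIRECT/92.53.68.204 - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY at depth=2",
    "2020-11-11 12:48:03.000000000  L   120 192.0.2.10 NONE/200 0 CONNECT www.example.test:443 - HIER_DIRECT/198.51.100.7 - -",
    "2020-11-11 12:49:10.000000000  L   301 192.0.2.11 NONE/200 0 CONNECT shop.example.test:443 - HIER_DIRECT/198.51.100.8 - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY at depth=2",
    "2020-11-11 12:50:22.000000000  L   288 192.0.2.12 NONE/200 0 CONNECT old.example.test:443 - HIER_DIRECT/198.51.100.9 - /CN=old.example.test X509_V_ERR_CERT_HAS_EXPIRED at depth=0",
]


def parse_line(line):
    """Return the fields of a verification-failure line, or None if no error is logged."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["depth"] = int(rec["depth"])
    return rec


def summarize(lines):
    """Map (certificate DN, error, depth) to the sorted destinations that hit it."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = (rec["dn"], rec["error"], rec["depth"])
            groups[key].add(f'{rec["host"]}:{rec["port"]}')
    return {key: sorted(dests) for key, dests in groups.items()}


if __name__ == "__main__":
    for (dn, error, depth), dests in summarize(SAMPLE_LOG).items():
        print(f"{error} depth={depth} {dn}")
        for dest in dests:
            print(f"    {dest}")
```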