[squid-users] Troubleshooting certificate issues

Lorenzo Marcantonio l.marcantonio at proxind.it
Wed Nov 11 14:30:12 UTC 2020


On Wed, Nov 11, 2020 at 03:13:19PM +0100, Dieter Bloms wrote:
> for me it looks like the server doesn't deliver the intermdeiate
> certificate and your squid proxy doesn't download this certificate
> itself.

Well, squid couln't download even if wanted if it isn't supplied by the
server. AFAIK there is no field in the certificate to hold an url to
download the signer one. In fact in the past I had to put some
intermediates in the cert store (OK, not great, not recommended, but at
least it works).

That aside, if I save the certificate as a PEM from the browser (*only*
the certificate, not the whole chain) and I do an openssl verify on it
it validates, so in the store there are all the certs needed to verify
it. I even tried doing it as the squid user in case of permission
issues.

For some reason squid doesn't like *some* certificates. And I don't
think that so many sites anyway send incomplete chains.

-- 
Lorenzo Marcantonio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20201111/d7dfd608/attachment.sig>


More information about the squid-users mailing list