[squid-users] certificate issuer not known
Majed Zouhairy
m_zouhairy at ckta.by
Thu Aug 12 11:34:43 UTC 2021
solved the issue with this guide:
https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html
but needs different commands for tumbleweed
On 6/23/21 2:56 PM, Majed Zouhairy wrote:
>
> Health be upon you,
> when visiting
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> on squid 4.15
>
> it displays:
>
>
> ERROR
> The requested URL could not be retrieved
>
> The following error was encountered while trying to retrieve the URL:
> https://wiki.squid-cache.org/*
>
> Failed to establish a secure connection to 104.130.201.120
>
> The system returned:
>
> (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Let's Encrypt/CN=R3
>
> This proxy and the remote host failed to negotiate a mutually acceptable
> security settings for handling your request. It is possible that the
> remote host does not support secure connections, or the proxy is not
> satisfied with the host security credentials.
>
> Your cache administrator is webmaster.
>
> configuration:
>
> http_port 3128 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
>
>
>
> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2
> acl tls_s3_server_hello at_step SslBump3
>
> # define acls for sites that must not be actively bumped
>
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
> acl tls_allowed_hsts ssl::server_name .proxy.skko.by
> #acl tls_server_is_bank ssl::server_name .abnamro.nl
> #acl tls_server_is_bank ssl::server_name .abnamro.com
> acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
>
> # TLS/SSL bumping steps
>
> ssl_bump peek tls_s1_connect # peek at TLS/SSL connect data
> ssl_bump splice tls_to_splice # splice some: no active bump
> ssl_bump stare all # stare(peek) at server properties of the webserver
> ssl_bump bump # bump if we can (if the stare succeeded)
>
>
>
> #ssl_bump peek all
> #ssl_bump splice all
>
> ##ssl_bump server-first all
>
> #sslproxy_cert_error allow all
>
>
>
> cache_dir ufs /var/cache/squid 8000 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache/squid
>
> cache_mem 960 MB
>
> netdb_filename none
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
> url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
> url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
> #debug_options ALL,1 33,2 28,9
>
> what needs to be done to fix?