[squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

Greg Hulands ghulands at me.com
Thu Jan 14 02:47:36 UTC 2021


Hi Alex,
Thanks for the help. Comments inline.


> On Jan 13, 2021, at 2:23 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
> 
> On 1/13/21 4:33 PM, Greg Hulands wrote:
> 
>> I am setting up squid 5.0.3 and during testing I have found some 
>> websites fail to have their certificates generated correctly. I am
>> able to go to sites like YouTube.com and have the certificates for
>> that be generated correctly, but when I try to go to some others,
>> like arstechnica.com, they fail to generate and return the CA cert
>> that squid is using to sign certificates with.
> 
> Just to double check: Are you sure that the certificate the client gets
> is the configured CA certificate? For example, do the two certificates
> have the same fingerprint?

Yes, I verified it’s the same certificate - fingerprints are a match.

> 
>> I turned the logging up on certificate stuff to 5 and have the cache log
>> from trying to make a request
>> here: https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb
> 
> The posted snippet shows successful TLS negotiation with the origin
> server (FD 23) and a subsequently failed negotiation with the client (FD
> 21). The latter may have failed because the client did not like the
> certificate generated by Squid, but I did not check the exact failure
> reason carefully.
> 
> The snippet has no information about Squid sending the (generated)
> certificates to the client, but Squid appears to receive some generated
> certificate from the helper (crtGenRq3180846).
> 
> * If you are sure that the client gets a wrong certificate from Squid,
> then I recommend posting an ALL,9 log of the problematic transaction.
> With some luck, we may be able to see what went wrong with certificate
> generation (or virgin certificate validation??).

I have put the ALL,9 log here https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914

I can see it generates the certificate correctly, but couldn’t identify why it didn’t return the cert to the client.

> 
> * Otherwise, I recommend double checking what certificate the client
> gets. If the client gets the correct generated certificate, then the
> problem is not in certificate validation or generation.
> 
> Posting the certificate that the client actually gets may help a lot
> with the triage as well.

The certificate that gets returned is in the logs as it’s the CA cert.

Thanks,
Greg

> 
> 
> HTH,
> 
> Alex.
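Alex's "do the two certificates have the same fingerprint?" check is the fastest way to confirm the symptom Greg describes, so here is an added example (not code from the thread or from the Squid project) that fetches the certificate a client actually receives through an explicit Squid proxy and compares its SHA-256 fingerprint with the signing CA. It assumes the proxy is an explicit HTTP proxy that accepts CONNECT, that the CA is available as a PEM file (the `PROXY_HOST`, `PROXY_PORT` and `CA_PEM_PATH` values at the bottom are placeholders), and the two sample PEM blobs are constructed stand-ins rather than real certificates.

```python
"""Added example, not from the squid-users thread or from Squid itself.

Compare the certificate a client receives through an explicit Squid proxy
(via a CONNECT tunnel) with the CA certificate Squid signs with. If the two
SHA-256 fingerprints match, the client is getting the CA itself instead of a
generated host certificate, which is the symptom reported in the thread.
Assumptions: explicit proxy accepting CONNECT; CA available as a PEM file.
"""
import base64
import hashlib
import re
import socket
import ssl

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM blob."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pem_a: bytes, pem_b: bytes) -> bool:
    """True when both PEM blobs carry the identical certificate."""
    return fingerprint(pem_to_der(pem_a)) == fingerprint(pem_to_der(pem_b))


def fetch_cert_via_proxy(proxy_host, proxy_port, target_host,
                         target_port=443, timeout=10) -> bytes:
    """Open a CONNECT tunnel through the proxy and return the DER certificate
    the proxy presents for target_host. Verification is disabled on purpose:
    the goal is to inspect whatever the proxy sends, not to trust it."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode()
    sock.sendall(request)
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0]
    if b" 200 " not in status:
        raise ConnectionError(f"CONNECT refused: {status!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # SNI is sent so the bumping proxy knows which host to mimic.
    tls = ctx.wrap_socket(sock, server_hostname=target_host)
    try:
        return tls.getpeercert(binary_form=True)
    finally:
        tls.close()


def diagnose(served_der: bytes, ca_pem: bytes) -> str:
    """Classify what the client got: the CA itself (the thread's symptom)
    or a certificate distinct from it (generation at least produced a leaf)."""
    if fingerprint(served_der) == fingerprint(pem_to_der(ca_pem)):
        return "client received the signing CA certificate itself"
    return "client received a certificate distinct from the CA"


def _fake_pem(payload: bytes) -> bytes:
    """Build a PEM-shaped blob around constructed bytes (not a real cert)."""
    body = base64.encodebytes(payload)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


# Constructed sample inputs so the fingerprint logic runs offline.
SAMPLE_CA_PEM = _fake_pem(b"constructed CA placeholder, not a real certificate")
SAMPLE_LEAF_PEM = _fake_pem(b"constructed leaf placeholder, not a real certificate")


if __name__ == "__main__":
    # Placeholder values; replace with the real proxy and CA path.
    PROXY_HOST, PROXY_PORT = "127.0.0.1", 3128
    CA_PEM_PATH = "/path/to/squid-signing-ca.pem"
    for host in ("youtube.com", "arstechnica.com"):
        der = fetch_cert_via_proxy(PROXY_HOST, PROXY_PORT, host)
        with open(CA_PEM_PATH, "rb") as fh:
            print(host, fingerprint(der), diagnose(der, fh.read()))
```

Running it against both a working host and a failing one makes the difference visible in one line per host: a generated leaf carries a fingerprint unrelated to the CA, while the failing case prints the CA's own fingerprint, which is exactly the condition the ALL,9 log then needs to explain.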
