[squid-users] certificate issuer not known
Majed Zouhairy
m_zouhairy at ckta.by
Wed Jun 23 11:56:40 UTC 2021
Health be upon you,
when visiting
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
on squid 4.15
it displays:
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*
Failed to establish a secure connection to 104.130.201.120
The system returned:
(71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=Let's Encrypt/CN=R3
This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the
remote host does not support secure connections, or the proxy is not
satisfied with the host security credentials.
Your cache administrator is webmaster.
configuration:
http_port 3128 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
# define acls for sites that must not be actively bumped
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_allowed_hsts ssl::server_name .proxy.skko.by
#acl tls_server_is_bank ssl::server_name .abnamro.nl
#acl tls_server_is_bank ssl::server_name .abnamro.com
acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect # peek at TLS/SSL connect data
ssl_bump splice tls_to_splice # splice some: no active bump
ssl_bump stare all # stare(peek) at server
# properties of the webserver
ssl_bump bump # bump if we can (if the stare succeeded)
#ssl_bump peek all
#ssl_bump splice all
##ssl_bump server-first all
#sslproxy_cert_error allow all
cache_dir ufs /var/cache/squid 8000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
cache_mem 960 MB
netdb_filename none
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
#debug_options ALL,1 33,2 28,9
What needs to be done to fix this?
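As an added diagnostic (not part of the original post or of Squid), the script below reproduces the failure Squid reports here, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, with a constructed root/intermediate/leaf PKI and checks whether a given CA bundle knows the issuer of a chain, with and without the intermediate. It assumes the openssl command-line tool is installed; all file names, subjects and the CHAIN_DEMO variable are made up for the example.

```shell
#!/bin/sh
# Constructed three-level PKI (root -> intermediate -> leaf) plus an unrelated
# root, written under the directory given as $1. File names are hypothetical.
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for name in root other; do   # two self-signed roots; only "root" signs our chain
    openssl req -newkey rsa:2048 -nodes -subj "/O=Test PKI/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" -days 2 \
      -extfile "$d/ca.ext" -out "$d/$name.pem" 2>/dev/null
  done
  # intermediate issued by root (stands in for an issuer such as Let's Encrypt R3)
  openssl req -newkey rsa:2048 -nodes -subj "/O=Test PKI/CN=Test R3" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # leaf issued by the intermediate
  openssl req -newkey rsa:2048 -nodes -subj "/CN=wiki.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# issuer_known BUNDLE LEAF [INTERMEDIATES]
# Verifies LEAF against BUNDLE only (-no-CApath: the system CA directory is
# ignored, like a proxy that trusts just the file it is configured with).
# Returns 0 on OK, 1 when OpenSSL cannot find the issuer locally (the condition
# Squid reports as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), 2 otherwise.
issuer_known() {
  bundle=$1; leaf=$2; inter=${3:-}
  if [ -n "$inter" ]; then
    out=$(openssl verify -no-CApath -CAfile "$bundle" -untrusted "$inter" "$leaf" 2>&1) || true
  else
    out=$(openssl verify -no-CApath -CAfile "$bundle" "$leaf" 2>&1) || true
  fi
  case $out in
    *": OK"*)                                    return 0 ;;
    *"unable to get local issuer certificate"*)  return 1 ;;
    *)                                           return 2 ;;
  esac
}

# Stand-alone demo: CHAIN_DEMO=1 sh thisfile.sh
if [ "${CHAIN_DEMO:-0}" = 1 ]; then
  w=$(mktemp -d); make_test_pki "$w"
  issuer_known "$w/root.pem" "$w/leaf.pem" "$w/int.pem" && echo "issuer's root in bundle: OK"
  issuer_known "$w/other.pem" "$w/leaf.pem" "$w/int.pem" || echo "root not in bundle: rc=$?"
  issuer_known "$w/root.pem" "$w/leaf.pem" || echo "intermediate not supplied: rc=$?"
  rm -rf "$w"
fi
```

For a real server, save the chain it presents (openssl s_client -showcerts), then call issuer_known with the bundle Squid is given via tls_outgoing_options cafile=, the leaf, and the intermediates: a result of 1 against the full chain means the bundle lacks the issuer's root, while 1 only when the intermediates are left out means the server is not sending them.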