[squid-users] 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line

Alex Rousskov rousskov at measurement-factory.com
Tue Jul 11 17:34:47 UTC 2023


On 7/10/23 14:50, Franta Hanzlík wrote:
> After upgrading my Fedora 27/Squid-4.0.23 to Fedora 38/Squid-5.9, the
> Squid refuses to start with the error message:
> 
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/server.pem': error:0480006C:PEM routines::no start line

I suspect the actual problem is different than "no start line". Due to a 
mismatch between OpenSSL error handling approach and Squid code, Squid 
often reports wrong/stale/irrelevant OpenSSL errors. Certificate loading 
code is especially prone to such mismatches! Refactoring OpenSSL error 
handling is a known to-do item.

Several different things could go wrong while showing the above 
symptoms, and there are several ways to troubleshoot this, but I would 
start with the following simple test.

Run the following (or similar) command on the same machine as Squid, 
using the same OS user as Squid ("nobody" in the example below), using 
the openssl tool from the same OpenSSL version as Squid was built with:

     sudo -u nobody \
     openssl x509 -in /etc/pki/tls/private/server.pem -noout -subject

You should see the certificate subject field. Any warnings or errors?

If the above works fine, and the certificate file ownership/permissions 
look reasonable to you, then the next step could be to start Squid under 
"strace" or a similar tool to check whether some system call fails when 
OpenSSL is trying to load that certificate file. In most cases, you 
should be able to find the certificate filename in strace output and 
check for subsequent syscall errors (e.g., permission denied). We can 
help with that analysis, but be careful with posting private key 
contents. If you can, temporarily replace that production certificate with 
some throw-away/temporary/example one.

Beyond that, I would recommend patching Squid to report the last OpenSSL 
error instead of the first one (in this context). This will require you 
to rebuild your Squid from sources. Please let me know if you want to 
pursue that and I will provide a patch.


HTH,

Alex.

> The problem is probably related to the reverse https proxy definition
> line in squid.conf :
> https_port 192.168.20.2:22225 accel cert=/etc/pki/tls/private/server.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe

> server.pem is the symlink to realFile.pem with this content:
> -----BEGIN RSA PRIVATE KEY-----
> MIIEpQ...
> ...
> ...vo=
> -----END RSA PRIVATE KEY-----
> 
> -----BEGIN CERTIFICATE-----
> MIIGO...
> ...
> ...c5s=
> -----END CERTIFICATE-----
> 
> and it worked fine in the older Squid-4.0.23 version.
> 
> I tried:
> - tls-cert= instead of cert=
> - replacing the symlink server.pem with a real file.
> - arranging the certificate first and the key second in the PEM file
> - split PEM file into separate certificate and key and use it with syntax:
> 
> https_port 192.168.20.2:22225 accel tls-cert=/etc/pki/tls/private/cert.pem tls-key=/etc/pki/tls/private/key.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
> 
> but squid still does not start, with the same message:
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/cert.pem': error:0480006C:PEM routines::no start line
> 
> Can anyone help?
> ---
> Thanks in advance! Franta Hanzlik
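The first checks Alex suggests above (is the file readable by Squid's OS user, and does it actually parse as PEM) as an added example; this script is not part of the thread and is not Squid's or OpenSSL's code. It looks for the conditions that produce OpenSSL's "no start line" error, which is raised when no usable "-----BEGIN ...-----" line is found for the type being loaded (typical causes: a DER/binary file, a UTF-8 byte-order mark before the header, an empty file, or a file that only holds the other block type), and, when the openssl tool is installed, confirms that the certificate and private key in the file belong together. The "nobody" user and the /etc/pki/tls/private/server.pem path are taken from the thread; the PEM files used for testing are constructed, not real credentials.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or from Squid: inspect a PEM
# file the way Squid/OpenSSL needs to read it, before reaching for strace.
# Usage:  sh check_pem.sh /etc/pki/tls/private/server.pem
# Prefix with `sudo -u nobody` to run it as Squid's OS user (as in the reply).
# Requires only POSIX sh, grep, head, od, id, ls; openssl is optional.

# pem_has_block FILE PATTERN -> 0 if FILE holds a "-----BEGIN <PATTERN>-----"
# line. PATTERN is a grep basic regex, so '.*PRIVATE KEY' matches both
# "RSA PRIVATE KEY" (PKCS#1) and "PRIVATE KEY" (PKCS#8) headers.
pem_has_block() {
    grep -q -- "^-----BEGIN $2-----" "$1" 2>/dev/null
}

# pem_first_line_ok FILE -> 0 if the very first line is a PEM header.
# A DER (binary) file, a UTF-8 BOM, or leading junk fails this test and is
# exactly what makes OpenSSL report "no start line".
pem_first_line_ok() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN '
}

# check_pem FILE PATTERN... -> 0 if FILE is readable, starts with a PEM
# header and contains a block for every PATTERN; 1 if a check fails;
# 2 if the file cannot be read by the current user at all.
check_pem() {
    f=$1; shift
    rc=0
    if [ ! -r "$f" ]; then
        echo "$f: not readable by $(id -un) ($(ls -l "$f" 2>/dev/null || echo 'missing'))"
        return 2
    fi
    if ! pem_first_line_ok "$f"; then
        echo "$f: first line is not a PEM header (DER file, BOM or leading junk?)"
        od -c "$f" | head -n 2        # show the leading bytes for diagnosis
        rc=1
    fi
    for t in "$@"; do
        if pem_has_block "$f" "$t"; then
            echo "$f: found '$t' block"
        else
            echo "$f: no '-----BEGIN $t-----' block"
            rc=1
        fi
    done
    return $rc
}

# cert_key_match CERTFILE KEYFILE -> 0 if the certificate's public key equals
# the public key derived from the private key (both may be the same combined
# file: openssl picks the first block of the requested type).
# Returns 1 on mismatch or parse failure, 3 if openssl is not installed.
cert_key_match() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 3; }
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# When run directly with a path: structural checks, then the cert/key match.
if [ -n "${1:-}" ]; then
    check_pem "$1" CERTIFICATE '.*PRIVATE KEY' && cert_key_match "$1" "$1"
fi
```

If check_pem passes and openssl as the same user also reads the file, the PEM content is not the problem and the strace step in the reply is the next thing to try; if it fails on the first-line check, the od output shows whether a BOM or binary DER data precedes the header.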