[squid-users] Unable to access a device over port 4434

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 17 03:45:28 UTC 2024 

On 16/10/24 09:39, Piana, Josh wrote:
> Amos,
> 
> Thank you for getting back to me and clarifying.
> 
> I ran this command:
> #wget -Y off 172.27.46.253
> 
> Response:
> --2024-10-15 16:36:15--  http://172.27.46.253/
> Connecting to 172.27.46.253:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://172.27.46.253/ [following]
> --2024-10-15 16:36:15--  https://172.27.46.253/
> Connecting to 172.27.46.253:443... connected.

The TCP here is fully working, on both ports.

The followup hang you mentioned was likely due to a mistake in your 
followup test (that extra '4' typo?).


> ERROR: The certificate of '172.27.46.253' is not trusted.
> ERROR: The certificate of '172.27.46.253' doesn't have a known issuer.
> The certificate's owner does not match hostname '172.27.46.253'
> 

There you go. Two problems to resolve.

First Problem;  unknown "Issuer" (aka root or intermediate CA certificate).

Please use this to find out what details need to be retrieved:
   wget -v --no-proxy https://172.27.46.253/


Find the public CA certificate for the missing "Issuer".

Further tests with wget should use:
   wget -v --no-proxy \
     --ca-certificate=/path/to/server.ca https://172.27.46.253/

When wget test shows trust of the server certificate working, Squid 
should be configured to use it for checking too:
    tsl_outgoing_options ca=/path/to/server.ca
or
   cache_peer 172.27.46.253 443 0 originserver tls-ca=/path/to/server.ca


Second Problem;  mismatch between "172.27.46.253" and "Owner" (or 
maybe"SubjectAltName" fields).

The wget output when troubleshooting for the first problem should give 
more hints about what this means.



> So with the errors given, would that stop us from connecting to it? Typically with sites with trust issues or certification issues, you can still bypass it. We'd like to do the same here if applicable.

One could, but your wget command does not.


FYI, It is also a bad idea to bypass unless you really have to. 
Especially bad to bypass unknown amount of things when trying to 
identify reasons for failure.


Amos

More information about the squid-users mailing list