On Tue, 02 Jun 2009 16:56:08 +0400, Mario Remy Almeida <malmeida@xxxxxxxxxxxxxx> wrote:
> Hi All,
>
> I downloaded an SSL Certificate from Verisign and exported the pvt key from
> a Windows 2003 server.
>
> In squid.conf I have this:
>
> https_port 10.200.22.49:443 accel \
> cert=/etc/squid/keys/mail.airarabia.ae_cert.pem \
> key=/etc/squid/keys/pvtkey.pem defaultsite=mail.airarabia.ae
>
> When I access https://mail.airarabia.ae
> the browser gives this error:
>
> Secure Connection Failed
> mail.airarabia.ae uses an invalid security certificate.
>
> The certificate is not trusted because the issuer certificate is
> unknown.
>
> (Error code: sec_error_unknown_issuer)
> * This could be a problem with the server's configuration, or it
> could be someone trying to impersonate the server.
>
> * If you have connected to this server successfully in the past, the
> error may be temporary, and you can try again later.
>
> and in cache.log I get this:
>
> clientNegotiateSSL: Error negotiating SSL connection on FD 23:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
>
> What could be the problem? Please help.
>

The SSL chain of trust is broken on one of the SSL links.

Two things to try:

1) Add sslflags=DONT_VERIFY_PEER.
   - If that works, it's the cache_peer link that is broken. If it still fails, then it's the https_port certificate.

2) Look at the certificate itself and see if it contains the whole chain of trust (concatenated certificate + signing authority cert).

I'm a bit hazy about whether the https_port needs the signing authority in it or not when the certs are of the unlinked chain type (I forget what the right name is even). But I think cache_peer needs the full chain to be in the cert.

Amos
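The second check Amos suggests, inspecting the PEM file given to cert= to see whether it carries the whole chain, can be scripted. The script below is an added example and not code from the Squid list thread or the Squid project: it builds a throwaway root -> intermediate -> server chain with openssl so it runs offline (every name in it is constructed), then compares a "leaf only" file, which is what an export from a Windows server typically yields and what produces the `tlsv1 alert unknown ca` seen in cache.log, with a "leaf + issuing CA" file, which is the concatenated form Amos describes. It assumes `openssl`, `awk` and `mktemp` are on PATH; the helper names (`count_certs`, `print_chain`, `verify_bundle`) are my own.

```shell
#!/bin/sh
# Added example (not from the Squid thread): does a PEM file given to
# https_port cert= / cache_peer carry the whole chain of trust?
# Builds a constructed root -> intermediate -> server chain so it runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal openssl config: CA certs get CA:TRUE, the server cert gets CA:FALSE.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:mail.example.test
EOF

# Self-signed root: stands in for the CA already in the browser's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$CNF" \
  -extensions v3_ca -subj "/CN=Constructed Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Intermediate CA signed by the root: the "signing authority cert".
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
  -subj "/CN=Constructed Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 30 -set_serial 1 -in "$WORK/inter.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -extfile "$CNF" -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null
# Server (leaf) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
  -subj "/CN=mail.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 30 -set_serial 2 -in "$WORK/leaf.csr" \
  -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -extfile "$CNF" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null

# Two candidates for cert=: leaf alone (broken) and leaf followed by its issuer (fixed).
ROOT="$WORK/root.pem"
BROKEN="$WORK/leaf_only.pem"
FIXED="$WORK/leaf_plus_chain.pem"
cp "$WORK/leaf.pem" "$BROKEN"
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$FIXED"

# Number of certificates in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into cert01.pem, cert02.pem, ... inside directory $2.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
                     n { print > f }' "$1"
}

# One line per cert, "subject <- issuer", so a missing link is visible by eye.
print_chain() {
    d=$(mktemp -d "$WORK/chain.XXXXXX")
    split_bundle "$1" "$d"
    for c in "$d"/cert*.pem; do
        s=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject= *//')
        i=$(openssl x509 -noout -issuer  -in "$c" | sed 's/^issuer= *//')
        echo "$s  <-  $i"
    done
}

# Verify like a client would: first cert is the server cert, the rest are
# untrusted helpers, $2 is the trust anchor. Exit 0 if the chain closes.
verify_bundle() {
    d=$(mktemp -d "$WORK/verify.XXXXXX")
    split_bundle "$1" "$d"
    for c in "$d"/cert*.pem; do
        [ "$c" = "$d/cert01.pem" ] || cat "$c"
    done > "$d/untrusted.pem"
    if [ -s "$d/untrusted.pem" ]; then
        openssl verify -CAfile "$2" -untrusted "$d/untrusted.pem" "$d/cert01.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$d/cert01.pem" >/dev/null 2>&1
    fi
}

for f in "$BROKEN" "$FIXED"; do
    echo "== $f: $(count_certs "$f") certificate(s)"
    print_chain "$f"
    if verify_bundle "$f" "$ROOT"; then
        echo "   chain verifies against the root"
    else
        echo "   chain does NOT verify: issuer missing (clients raise 'unknown ca')"
    fi
done
```

Run it against a real deployment by pointing `print_chain` and `verify_bundle` at the file named in cert= and at the CA bundle your clients trust; if the file holds a single certificate whose issuer is not a root, concatenate the issuing CA certificate after it, as Amos describes, and re-run.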