Re: reverse proxy with SSL offloader issue

On Tue, 02 Jun 2009 16:56:08 +0400, Mario Remy Almeida
<malmeida@xxxxxxxxxxxxxx> wrote:
> Hi All,
> 
> I downloaded the SSL certificate from Verisign and exported the private key
> from a Windows 2003 server.
> 
> in squid.conf I have this
> 
> https_port 10.200.22.49:443 accel \
> cert=/etc/squid/keys/mail.airarabia.ae_cert.pem \
> key=/etc/squid/keys/pvtkey.pem defaultsite=mail.airarabia.ae
> 
> When I access https://mail.airarabia.ae
> the browser gives this error:
> 
> Secure Connection Failed
> mail.airarabia.ae uses an invalid security certificate.
> 
> The certificate is not trusted because the issuer certificate is
> unknown.
> 
> (Error code: sec_error_unknown_issuer)
>     * This could be a problem with the server's configuration, or it
> could be someone trying to impersonate the server.
> 
>     * If you have connected to this server successfully in the past, the
> error may be temporary, and you can try again later.
> 
> and in cache.log I get this
> 
> clientNegotiateSSL: Error negotiating SSL connection on FD 23:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 
> 
> What could be the problem? Please help.
> 

The SSL chain of trust is broken on one of the SSL links.

Two things to try:
 1) Add sslflags=DONT_VERIFY_PEER. If that works, it's the cache_peer
link that is broken. If it still fails, then it's the https_port certificate.

 2) Next, look at the certificate itself and see if it contains the whole
chain of trust (concatenated certificate + signing authority cert).
I'm a bit hazy about whether the https_port needs the signing authority in
it or not when the certs are of the unlinked chain type (I forget what the
right name is even). But I think cache_peer needs the full chain to be in
the cert.

Amos
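Amos's second suggestion, as an added example that is not part of this thread and not squid's own tooling: a small POSIX shell script that counts the certificates in the PEM file handed to cert=, checks (with openssl, where it is installed) that each certificate's issuer is the subject of the one after it, shows what a live server actually sends to the browser, and builds the concatenated bundle. The file names and the host name are illustrative, and the script assumes squid loads the concatenated file as the chain, which is the point Amos says to check.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PEM file handed to
# squid's https_port cert= carries the whole chain, i.e. the server
# certificate followed by its signing (intermediate) CA certificate.
# File paths and host names below are assumptions for illustration.

# Number of certificates in a PEM bundle. 1 means "server cert only": the
# browser then has to find the intermediate by itself, which is exactly the
# sec_error_unknown_issuer / "tlsv1 alert unknown ca" situation.
pem_cert_count() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Read "subject|issuer" lines (one per certificate, in file order) on stdin
# and succeed only if every certificate's issuer is the subject of the next
# one. That is the order a TLS server must send: leaf first, then the CA
# that signed it, and so on up the chain.
chain_links_ok() {
    awk -F'|' '
        NR > 1 && prev_issuer != $1 { bad = 1 }
        { prev_issuer = $2 }
        END { exit bad ? 1 : 0 }
    '
}

# Split a bundle into its certificates and print "subject|issuer" for each
# (needs openssl; the sed strips both the old "subject= /CN=..." and the
# newer "subject=CN = ..." prefixes).
pem_subject_issuer() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        n > 0 { print > out }
    ' "$1"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        s=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer  | sed 's/^issuer= *//')
        printf '%s|%s\n' "$s" "$i"
    done
    rm -rf "$tmp"
}

# Full local check of one bundle file.
check_bundle() {
    file=$1
    n=$(pem_cert_count "$file") || return 1
    echo "$file: $n certificate(s)"
    if [ "$n" -lt 2 ]; then
        echo "no intermediate CA in the file; append the CA's intermediate after the server cert"
    fi
    if command -v openssl >/dev/null 2>&1; then
        links=$(pem_subject_issuer "$file")
        printf '%s\n' "$links"
        if printf '%s\n' "$links" | chain_links_ok; then
            echo "chain order OK (leaf, then its signer)"
        else
            echo "chain order BROKEN: an issuer does not match the next subject"
        fi
    fi
}

# What a client actually receives from the live server (the browser-side
# view of the same problem): the s:/i: lines give each served certificate's
# subject and issuer, so a missing intermediate is visible immediately.
served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Build the bundle the way Amos suggests: server certificate first, then the
# signing authority's certificate, into the file that cert= points at.
build_bundle() {
    cat "$1" "$2" > "$3"
}

if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

Run it as `sh chaincheck.sh /etc/squid/keys/mail.airarabia.ae_cert.pem`; after sourcing it, `served_chain mail.airarabia.ae` shows what the browser sees. If the count is 1, the intermediate is not in the file at all (a certificate exported on its own from a Windows store usually carries only the server certificate) and has to be fetched from the CA and appended with `build_bundle server.pem intermediate.pem chain.pem`.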

