Hi Amos,

I don't know how to check the chain of trust. I concatenated the CSR and the certificate, but how to do so I don't know. Can you please tell me?

=========== squid.conf ================
https_port 10.200.22.49:443 accel \
    cert=/etc/squid/keys/mail.airarabia.ae_cert.pem \
    key=/etc/squid/keys/newpvtkey.pem defaultsite=mail.airarabia.ae

cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
    front-end-https=on name=owaServer sslflags=DONT_VERIFY_PEER

//Remy

On Wed, 2009-06-03 at 12:51 +1200, Amos Jeffries wrote:
> On Tue, 02 Jun 2009 16:56:08 +0400, Mario Remy Almeida
> <malmeida@xxxxxxxxxxxxxx> wrote:
> > Hi All,
> >
> > I downloaded SSL Certificate from verisign and exported pvt key from
> > windows 2003 server
> >
> > in squid.conf I have this
> >
> > https_port 10.200.22.49:443 accel \
> >     cert=/etc/squid/keys/mail.airarabia.ae_cert.pem \
> >     key=/etc/squid/keys/pvtkey.pem defaultsite=mail.airarabia.ae
> >
> > when access https://mail.airarabia.ae
> > browser gives error
> >
> > Secure Connection Failed
> > mail.airarabia.ae uses an invalid security certificate.
> >
> > The certificate is not trusted because the issuer certificate is
> > unknown.
> >
> > (Error code: sec_error_unknown_issuer)
> > * This could be a problem with the server's configuration, or it
> > could be someone trying to impersonate the server.
> >
> > * If you have connected to this server successfully in the past, the
> > error may be temporary, and you can try again later.
> >
> > and in cache.log I get this
> >
> > clientNegotiateSSL: Error negotiating SSL connection on FD 23:
> > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> >
> >
> > What could be the problem please help
> >
>
> SSL chain of trust is broken on one of the SSL links.
>
> Two things to try:
> 1) adding sslflags=DONT_VERIFY_PEER - If that works it's the cache_peer
> link broken. If still fails then it's the https_port certificate.
>
> Next look at the certificate itself, see if it contains the whole chain of
> trust (concatenated certificate + signing authority cert).
> I'm a bit hazy about whether the https_port needs the signing authority in
> it or not when the certs are of the unlinked chain type (I forget what the
> right name is even). But I think cache_peer needs the full chain to be in
> the cert.
>
> Amos
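The message above concatenates the CSR with the certificate, which is not what Amos means by "certificate + signing authority cert". The following script is an added example for this thread, not code from the squid-users list or the Squid project. It inspects the PEM file that `cert=` in squid.conf points at, reports which kinds of blocks it contains, and, when `openssl` is installed, prints the subject/issuer links of the chain and checks that the private key belongs to the certificate. It assumes POSIX sh and awk; the two sample bundles it writes are constructed placeholders (not real certificates), and the real file paths are the ones from the squid.conf quoted in the message.

```shell
#!/bin/sh
# Added example for this thread, not code from squid-users or the Squid project.
# It inspects the PEM bundle that squid.conf's cert= points at and reports what
# it really contains. A CSR ("CERTIFICATE REQUEST") pasted into that file adds
# nothing to the chain: the server must send the leaf CERTIFICATE followed by
# the issuing CA's CERTIFICATE(s). Assumes POSIX sh and awk; openssl is used
# only by the two functions that need it, and only if it is installed.

# pem_block_types FILE
# Prints the label of every "-----BEGIN <label>-----" line, one per line, in
# file order.
pem_block_types() {
    awk '/^-----BEGIN .*-----$/ { sub(/^-----BEGIN /, ""); sub(/-----$/, ""); print }' "$1"
}

# pem_bundle_check FILE
# Returns 0 when FILE holds at least two CERTIFICATE blocks (leaf + issuing CA)
# and nothing else; otherwise prints what is wrong and returns 1.
pem_bundle_check() {
    pbc_file=$1
    pbc_certs=$(pem_block_types "$pbc_file" | awk '$0 == "CERTIFICATE" { n++ } END { print n + 0 }')
    pbc_other=$(pem_block_types "$pbc_file" | awk '$0 != "CERTIFICATE" { n++ } END { print n + 0 }')
    pbc_status=0
    if [ "$pbc_other" -gt 0 ]; then
        echo "$pbc_file: contains block(s) that are not certificates:"
        pem_block_types "$pbc_file" | awk '$0 != "CERTIFICATE" { print "  " $0 }'
        echo "  a CERTIFICATE REQUEST is what you send to the CA; replace it with the CA's own certificate"
        pbc_status=1
    fi
    if [ "$pbc_certs" -lt 2 ]; then
        echo "$pbc_file: $pbc_certs CERTIFICATE block(s); a full chain needs the leaf plus the signing CA cert"
        pbc_status=1
    fi
    return $pbc_status
}

# pem_chain_links FILE
# Needs openssl. Prints subject= and issuer= for each certificate in order;
# in a correct chain the issuer of certificate N is the subject of N+1.
pem_chain_links() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; cannot print subject/issuer links"
        return 2
    fi
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# key_matches_cert CERT_FILE KEY_FILE
# Needs openssl. Compares the RSA modulus of the first certificate in CERT_FILE
# with that of the private key; a mismatch also breaks the handshake.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    kmc_cert=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    kmc_key=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
    [ "$kmc_cert" = "$kmc_key" ]
}

# Constructed sample bundles (placeholder bodies, not real certificates), so
# the structural checks can be tried without touching /etc/squid/keys.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/wrong.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-leaf-certificate-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE REQUEST-----
placeholder-csr-body
-----END CERTIFICATE REQUEST-----
EOF
cat > "$SAMPLE_DIR/right.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-leaf-certificate-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-issuing-ca-certificate-body
-----END CERTIFICATE-----
EOF

# wrong.pem mirrors the mistake in the message (leaf + CSR); right.pem is the
# shape Amos describes (leaf + signing authority cert).
for f in "$SAMPLE_DIR/wrong.pem" "$SAMPLE_DIR/right.pem"; do
    if pem_bundle_check "$f"; then
        echo "$f: leaf + CA certificate(s), structure looks right"
    fi
done
```

On the server, run `pem_bundle_check /etc/squid/keys/mail.airarabia.ae_cert.pem`, then `pem_chain_links` on the same file: the second certificate's `subject=` line should equal the first certificate's `issuer=` line, and so on up the chain. `key_matches_cert /etc/squid/keys/mail.airarabia.ae_cert.pem /etc/squid/keys/newpvtkey.pem` confirms the key exported from Windows belongs to that certificate. These checks are structural; they do not validate signatures, which `openssl verify` against a CA store does. Note also that `sslflags=DONT_VERIFY_PEER` on the cache_peer line was Amos's diagnostic step: left in place permanently, Squid never verifies the origin server's certificate on that link.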