Re: problems with ssl_crtd


 



On 19/09/12 16:46, Guy Helmer wrote:
> 
> On Sep 19, 2012, at 9:03 AM, Linos <info@xxxxxxxx> wrote:
> 
>> On 19/09/12 15:30, Guy Helmer wrote:
>>> On Sep 19, 2012, at 5:44 AM, Linos <info@xxxxxxxx> wrote:
>>>
>>>> Hi,
>>>> 	I have been using Squid squid-3.2.0.17-20120527-r11561 on an Ubuntu Server
>>>> 12.04 for some time with ssl-bump without problems for a year; the CA cert expired
>>>> some days ago and with the new CA cert I installed Squid 3.2.1 stable.
>>>>
>>>> Now the proxy exits every time 10 or more users use https at the same time,
>>>> it's pretty strange, I have tried to downgrade to the old squid version but I
>>>> can't get the proxy to be stable no matter if using new or old version, I have
>>>> tried to recreate another cert just in case, same problem, I recreated too
>>>> squid_ssl_db and cache_dir, no matter what I do it keeps crashing, the cache log
>>>> reads as this:
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> 2012/09/19 11:58:00| Starting Squid Cache version 3.2.1 for x86_64-pc-linux-gnu...
>>>> 2012/09/19 11:58:00| Process ID 30077
>>>> 2012/09/19 11:58:00| Process Roles: master worker
>>>> 2012/09/19 11:58:00| With 65535 file descriptors available
>>>> 2012/09/19 11:58:00| Initializing IP Cache...
>>>> 2012/09/19 11:58:00| DNS Socket created at [::], FD 4
>>>> 2012/09/19 11:58:00| DNS Socket created at 0.0.0.0, FD 5
>>>> 2012/09/19 11:58:00| Adding nameserver 80.58.61.250 from squid.conf
>>>> 2012/09/19 11:58:00| Adding nameserver 8.8.8.8 from squid.conf
>>>> 2012/09/19 11:58:00| helperOpenServers: Starting 5/10 'ssl_crtd' processes
>>>> 2012/09/19 11:58:00| helperOpenServers: Starting 5/20 'request_body_max_size.sh'
>>>> processes
>>>> 2012/09/19 11:58:00| Logfile: opening log daemon:/var/log/squid3/access.log
>>>> 2012/09/19 11:58:00| Logfile Daemon: opening log /var/log/squid3/access.log
>>>> 2012/09/19 11:58:00| Unlinkd pipe opened on FD 31
>>>> 2012/09/19 11:58:00| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
>>>> 2012/09/19 11:58:00| Store logging disabled
>>>> 2012/09/19 11:58:00| Swap maxSize 15360000 + 262144 KB, estimated 312442 objects
>>>> 2012/09/19 11:58:00| Target number of buckets: 15622
>>>> 2012/09/19 11:58:00| Using 16384 Store buckets
>>>> 2012/09/19 11:58:00| Max Mem  size: 262144 KB
>>>> 2012/09/19 11:58:00| Max Swap size: 15360000 KB
>>>> 2012/09/19 11:58:00| Rebuilding storage in /mnt/squid/squid3 (clean log)
>>>> 2012/09/19 11:58:00| Using Least Load store dir selection
>>>> 2012/09/19 11:58:00| Set Current Directory to /mnt/squid/squid3
>>>> 2012/09/19 11:58:00| Loaded Icons.
>>>> 2012/09/19 11:58:00| HTCP Disabled.
>>>> 2012/09/19 11:58:00| Squid plugin modules loaded: 0
>>>> 2012/09/19 11:58:00| Adaptation support is off.
>>>> 2012/09/19 11:58:00| Accepting NAT intercepted HTTP Socket connections at
>>>> local=0.0.0.0:3128 remote=[::] FD 36 flags=41
>>>> 2012/09/19 11:58:00| Accepting SSL bumped HTTP Socket connections at
>>>> local=[::]:3150 remote=[::] FD 37 flags=9
>>>> 2012/09/19 11:58:00| Store rebuilding is 16.55% complete
>>>> 2012/09/19 11:58:00| Done reading /mnt/squid/squid3 swaplog (24167 entries)
>>>> 2012/09/19 11:58:00| Finished rebuilding storage from disk.
>>>> 2012/09/19 11:58:00|     24167 Entries scanned
>>>> 2012/09/19 11:58:00|         0 Invalid entries.
>>>> 2012/09/19 11:58:00|         0 With invalid flags.
>>>> 2012/09/19 11:58:00|     24167 Objects loaded.
>>>> 2012/09/19 11:58:00|         0 Objects expired.
>>>> 2012/09/19 11:58:00|         0 Objects cancelled.
>>>> 2012/09/19 11:58:00|         0 Duplicate URLs purged.
>>>> 2012/09/19 11:58:00|         0 Swapfile clashes avoided.
>>>> 2012/09/19 11:58:00|   Took 0.12 seconds (204025.29 objects/sec).
>>>> 2012/09/19 11:58:00| Beginning Validation Procedure
>>>> 2012/09/19 11:58:00|   Completed Validation Procedure
>>>> 2012/09/19 11:58:00|   Validated 24167 Entries
>>>> 2012/09/19 11:58:00|   store_swap_size = 732468.00 KB
>>>> 2012/09/19 11:58:01| storeLateRelease: released 0 objects
>>>> (ssl_crtd): Cannot create ssl certificate or private key.
>>>> 2012/09/19 12:03:20| WARNING: ssl_crtd #1 exited
>>>> 2012/09/19 12:03:20| Too few ssl_crtd processes are running (need 1/10)
>>>> 2012/09/19 12:03:20| Starting new helpers
>>>> 2012/09/19 12:03:20| helperOpenServers: Starting 1/10 'ssl_crtd' processes
>>>> 2012/09/19 12:03:20| client_side.cc(3477) sslCrtdHandleReply: "ssl_crtd" helper
>>>> return <NULL> reply
>>>> (ssl_crtd): Cannot create ssl certificate or private key.
>>>> 2012/09/19 12:03:20| WARNING: ssl_crtd #2 exited
>>>> 2012/09/19 12:03:20| Too few ssl_crtd processes are running (need 1/10)
>>>> 2012/09/19 12:03:20| Closing HTTP port 0.0.0.0:3128
>>>> 2012/09/19 12:03:20| Closing HTTP port [::]:3150
>>>> 2012/09/19 12:03:20| storeDirWriteCleanLogs: Starting...
>>>> 2012/09/19 12:03:20|   Finished.  Wrote 24195 entries.
>>>> 2012/09/19 12:03:20|   Took 0.02 seconds (1321120.45 entries/sec).
>>>> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>>>>
>>>> Squid Cache (Version 3.2.1): Terminated abnormally.
>>>> CPU Usage: 1.896 seconds = 0.740 user + 1.156 sys
>>>> Maximum Resident Size: 144640 KB
>>>> Page faults with physical i/o: 0
>>>> Memory usage for squid via mallinfo():
>>>>       total space in arena:   18900 KB
>>>>       Ordinary blocks:        18674 KB     54 blks
>>>>       Small blocks:               0 KB      1 blks
>>>>       Holding blocks:         37552 KB      9 blks
>>>>       Free Small blocks:          0 KB
>>>>       Free Ordinary blocks:     225 KB
>>>>       Total in use:           56226 KB 297%
>>>>       Total free:               225 KB 1%
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> configure and kernel versions:
>>>>
>>>> kernel: 3.2.0-29-generic #46-Ubuntu SMP Fri Jul 27 17:03:23 UTC 2012 x86_64
>>>> x86_64 x86_64 GNU/Linux
>>>>
>>>> Squid Cache: Version 3.2.1
>>>> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
>>>> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
>>>> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
>>>> '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode'
>>>> '--disable-dependency-tracking' '--disable-silent-rules'
>>>> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
>>>> '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline'
>>>> '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
>>>> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
>>>> '--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
>>>> '--enable-follow-x-forwarded-for' '--enable-auth-basic' '--enable-auth-digest'
>>>> '--enable-auth-ntlm' '--enable-auth-negotiate'
>>>> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
>>>> '--enable-ntlm-auth-helpers=smb_lm,'
>>>> '--enable-digest-auth-helpers=ldap,password'
>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth'
>>>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>>>> '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2'
>>>> '--disable-translation' '--with-logdir=/var/log/squid3'
>>>> '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
>>>> '--with-large-files' '--with-default-user=proxy' '--enable-ssl'
>>>> '--enable-ssl-crtd' '--disable-epoll' '--enable-linux-netfilter'
>>>> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
>>>> --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security'
>>>> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
>>>> 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
>>>> --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security'
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> I get this in dmesg:
>>>>
>>>> [3433312.743391] init: squid3 main process (29801) terminated with status 1
>>>> [3433417.181960] ssl_crtd[29848]: segfault at 0 ip 00007f2ee2494ac5 sp
>>>> 00007fff51dbd260 error 4 in ssl_crtd[7f2ee248b000+10000]
>>>> [3433417.328898] init: squid3 main process (29847) terminated with status 1
>>>> [3433557.765878] init: squid3 main process (29877) killed by KILL signal
>>>> [3433944.030777] init: squid3 main process (30077) terminated with status 1
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>
>>> OK, ssl_crtd is dying with a segfault when it is handling a request. 
>>>
>>> What is in the squid_ssl_db/size file? If it is empty (0 bytes), that would cause a crash in older (pre-3.2.1) squid. 
>>>
>>> Otherwise, is there an ssl_crtd core file in the squid log directory? A stack trace from it might help diagnose the problem.
>>>
>>> Guy
>>>
>>
>> Thanks for the reply.
>>
>> I checked the squid_ssl_db/size because I found the empty file problem searching
>> for my own problem in the mailing list, it's ok in my host, the file has the
>> content "139264" right now.
>>
>> I can't find the core file, do I need to do something for it to be generated? Maybe
>> a configure script option or squid.conf change to activate it?
>>
>> Regards,
>> Miguel Angel.
> 
> I have
> 
> coredump_dir /var/log/squid
> 
> to get coredumps in my /var/log/squid directory. Now that I think about it, I don't remember if this works for ssl_crtd though -- seems like I have had to start "gdb ssl_crtd" and then attach to one of the ssl_crtd processes, then generate HTTPS traffic to trigger the request to ssl_crtd and get a backtrace when ssl_crtd gets the segfault signal…
> 
> Guy
> 

I have defined a coredump_dir but it doesn't seem to work, probably squid would only
coredump itself, I will try to obtain a backtrace with gdb.

Miguel Angel.
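
Added example, not part of the original thread and not Squid code: while no core file is available, the dmesg segfault line quoted above already gives the faulting instruction's offset inside the ssl_crtd mapping and the kind of access that failed. The function names are illustrative, and the offset calculation assumes the mapping reported by the kernel starts at the binary's load base.

```shell
#!/bin/sh
# Added example: decode a kernel "segfault at ..." line from dmesg.

# The ssl_crtd line quoted in the thread, joined onto one line.
SAMPLE='[3433417.181960] ssl_crtd[29848]: segfault at 0 ip 00007f2ee2494ac5 sp 00007fff51dbd260 error 4 in ssl_crtd[7f2ee248b000+10000]'

# Captures: 1=fault addr 2=ip 3=sp 4=error code 5=object 6=base 7=size
SEGV_RE='.*segfault at ([0-9a-f]+) ip ([0-9a-f]+) sp ([0-9a-f]+) error ([0-9a-f]+) in ([^[]+)\[([0-9a-f]+)\+([0-9a-f]+)\].*'

# field LINE N: print capture N of the segfault line (empty if no match).
field() { printf '%s\n' "$1" | sed -n -E "s/$SEGV_RE/\\$2/p"; }

# Offset of the faulting instruction inside the mapped object (ip - base).
# Assumption: the reported mapping begins at the object's load base, so for
# a PIE build the offset can be handed to addr2line or gdb.
fault_offset() (
    ip=$(field "$1" 2); base=$(field "$1" 6); size=$(field "$1" 7)
    [ -n "$ip" ] && [ -n "$base" ] && [ -n "$size" ] || exit 1
    off=$(( 0x$ip - 0x$base ))
    # Reject lines where ip lies outside the reported mapping.
    [ "$off" -ge 0 ] && [ "$off" -lt $(( 0x$size )) ] || exit 1
    printf '0x%x\n' "$off"
)

# Describe the fault from the x86 page-fault error code bits:
# bit0 = protection violation (else page not present), bit1 = write
# (else read), bit2 = user mode, bit4 = instruction fetch.
fault_kind() (
    addr=$(field "$1" 1); err=$(field "$1" 4)
    [ -n "$addr" ] && [ -n "$err" ] || exit 1
    err=$(( 0x$err )); mode=kernel; access=read; cause=not-present; hint=
    [ $(( err & 4 )) -ne 0 ] && mode=user
    [ $(( err & 2 )) -ne 0 ] && access=write
    [ $(( err & 16 )) -ne 0 ] && access=exec
    [ $(( err & 1 )) -ne 0 ] && cause=protection
    # A fault address inside the first page usually means a NULL dereference.
    [ $(( 0x$addr )) -lt 4096 ] && hint=' (likely NULL pointer dereference)'
    printf '%s-mode %s, page %s%s\n' "$mode" "$access" "$cause" "$hint"
)

fault_offset "$SAMPLE"
fault_kind "$SAMPLE"
```

With debug symbols installed, the printed offset can be resolved with `addr2line -f -e <path to ssl_crtd> <offset>`, which narrows the crash to a function before attaching gdb as suggested in the thread.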

