On 20/09/12 12:58, Ahmed Talha Khan wrote: > Hey Guy, All > > I have started facing a very similar issue now.I have been using > squid-3.HEAD-20120421-r12120 for about 5 months without any issues. > Suddenly from yesterday ive started getting crahses in ssl_crtd > process. > > > In my case i am the only user but i observe that the behaviour is > random. Sometimes it crashes and sometimes it works. Different https > pages give the crash. Even non https pages have caused the crash. > > These occur especially on google https pages like docs,mail,calender etc.. > > The signing cert is also ok and has NOT expired. > > > My squid conf looks like this: > ******************************************************* > sslproxy_cert_error allow all > > sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s > /usr/local/squid-3.3/var/lib/ssl_db -M 4MB > sslcrtd_children 5 > > http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on > dynamic_cert_mem_cache_size=4MB > cert=/home/asif/squid/www.sample.com.pem > key=/home/asif/squid/www.sample.com.pem > > http_port 192.168.8.134:8080 > > https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on > dynamic_cert_mem_cache_size=4MB > cert=/home/asif/squid/www.sample.com.pem > key=/home/asif/squid/www.sample.com.pem > ******************************************************* > > The ssl_db directory is initialized properly with correct permissions. > > *********************************************************** > [talha@localhost lib]$ pwd > /usr/local/squid-3.3/var/lib > > [talha@localhost lib]$ ls -al > total 24 > drwxrwxrwx 3 root root 4096 Sep 20 15:31 . > drwxrwxrwx 6 root root 4096 Sep 20 15:05 .. > drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db > > The size file also has some values in it and cert generation also > seems to work but suddenly it all crashes . > ************************************************************** > > > > 2012/09/20 14:57:45| Starting Squid Cache version > 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu... > 2012/09/20 14:57:45| Process ID 23826 > 2012/09/20 14:57:45| Process Roles: master worker > 2012/09/20 14:57:45| With 1024 file descriptors available > 2012/09/20 14:57:45| Initializing IP Cache... > 2012/09/20 14:57:45| DNS Socket created at [::], FD 5 > 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6 > 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf > 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf > 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes > 2012/09/20 14:57:45| Logfile: opening log > daemon:/usr/local/squid-3.3/var/logs/access.log > 2012/09/20 14:57:45| Logfile Daemon: opening log > /usr/local/squid-3.3/var/logs/access.log > 2012/09/20 14:57:45| Logfile: opening log /usr/local/squid-3.3/var/logs/icap-log > 2012/09/20 14:57:45| WARNING: log parameters now start with a module > name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log' > > > 2012/09/20 14:57:45| Store logging disabled > 2012/09/20 14:57:45| Swap maxSize 0 + 262144 KB, estimated 20164 objects > 2012/09/20 14:57:45| Target number of buckets: 1008 > 2012/09/20 14:57:45| Using 8192 Store buckets > 2012/09/20 14:57:45| Max Mem size: 262144 KB > 2012/09/20 14:57:45| Max Swap size: 0 KB > 2012/09/20 14:57:45| Using Least Load store dir selection > 2012/09/20 14:57:45| Set Current Directory to /usr/local/squid-3.3/var/cache > 2012/09/20 14:57:45| Loaded Icons. > 2012/09/20 14:57:45| HTCP Disabled. > 2012/09/20 14:57:45| /usr/local/squid-3.3/var/run/squid.pid: (13) > Permission denied > 2012/09/20 14:57:45| WARNING: Could not write pid file > 2012/09/20 14:57:45| Squid plugin modules loaded: 0 > 2012/09/20 14:57:45| Adaptation support is on > 2012/09/20 14:57:45| Accepting SSL bumped HTTP Socket connections at > local=192.168.8.134:3128 remote=[::] FD 20 flags=9 > 2012/09/20 14:57:45| Accepting HTTP Socket connections at > local=192.168.8.134:8080 remote=[::] FD 21 flags=9 > 2012/09/20 14:57:45| Accepting SSL bumped HTTPS Socket connections at > local=192.168.8.134:3129 remote=[::] FD 22 flags=9 > 2012/09/20 14:57:46| storeLateRelease: released 0 objects > > (ssl_crtd): Cannot create ssl certificate or private key. > 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited > 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5) > > 2012/09/20 14:58:23| Starting new helpers > 2012/09/20 14:58:23| helperOpenServers: Starting 1/5 'ssl_crtd' processes > 2012/09/20 14:58:23| client_side.cc(3478) sslCrtdHandleReply: > "ssl_crtd" helper return <NULL> reply > (ssl_crtd): Cannot create ssl certificate or private key. > > 2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited > 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5) > 2012/09/20 14:58:23| storeDirWriteCleanLogs: Starting... > 2012/09/20 14:58:23| Finished. Wrote 0 entries. > 2012/09/20 14:58:23| Took 0.00 seconds ( 0.00 entries/sec). > FATAL: The ssl_crtd helpers are crashing too rapidly, need help! > > Squid Cache (Version 3.HEAD-20120425-r12120): Terminated abnormally. > CPU Usage: 0.355 seconds = 0.289 user + 0.066 sys > Maximum Resident Size: 71104 KB > Page faults with physical i/o: 0 > Memory usage for squid via mallinfo(): > total space in arena: 11924 KB > Ordinary blocks: 11818 KB 49 blks > Small blocks: 0 KB 0 blks > Holding blocks: 664 KB 2 blks > Free Small blocks: 0 KB > Free Ordinary blocks: 105 KB > > > > > > > On Thu, Sep 20, 2012 at 2:52 PM, Linos <info@xxxxxxxx> wrote: >> On 19/09/12 16:46, Guy Helmer wrote: >>>> >>>> Thanks for reply. >>>> >>>> i checked the squid_ssl_db/size because i found the empty file problem searching >>>> for my own problem in the mailing list, it's ok in my host, the file have the >>>> content "139264" right now. >>>> >>>> I can't found the core file, do i need to do something for it to generate? maybe >>>> a configure script option or squid.conf change to activate it? >>>> >>>> Regards, >>>> Miguel Angel. >>> >>> I have >>> >>> coredump_dir /var/log/squid >>> >>> to get coredumps in my /var/log/squid directory. Now that I think about it, I don't remember if this works for ssl_crtd though -- seems like I have had to start "gdb ssl_crtd" and then attach to one of the ssl_crtd processes, then generate HTTPS traffic to trigger the request to ssl_crtd and get a backtrace when ssl_crtd gets the segfault signal… >>> >>> Guy >>> >> >> Hi, >> i have been trying to debug with gdb attaching existing process, the strange >> it's that ssl_ctrd seems to exit normally in this test, here you have it (sorry >> for the spanish locale, i will use english next time, the only file with symbols >> it's ssl_crtd itself): >> >> -------------------------------------------------------------------------------- >> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04 >> Copyright (C) 2012 Free Software Foundation, Inc. >> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> >> This is free software: you are free to change and redistribute it. >> There is NO WARRANTY, to the extent permitted by law. Type "show copying" >> and "show warranty" for details. >> This GDB was configured as "x86_64-linux-gnu". >> Para las instrucciones de informe de errores, vea: >> <http://bugs.launchpad.net/gdb-linaro/>. >> (gdb) attach 10495 >> Adjuntando a process 10495 >> Leyendo símbolos desde /usr/lib/squid3/ssl_crtd...Leyendo símbolos desde >> /usr/lib/debug/usr/lib/squid3/ssl_crtd...hecho. >> hecho. >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6 >> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron símbolos >> de depuración)hecho. >> Símbolos cargados para /lib64/ld-linux-x86-64.so.2 >> 0x00007f3ef414f0a0 in read () from /lib/x86_64-linux-gnu/libc.so.6 >> (gdb) continue >> Continuando. >> [Inferior 1 (process 10495) exited normally] >> (gdb) bt >> No stack. >> >> -------------------------------------------------------------------------------- >> >> I have tried attaching to squid3 process itself and i have received a signal here: >> >> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04 >> Copyright (C) 2012 Free Software Foundation, Inc. >> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> >> This is free software: you are free to change and redistribute it. >> There is NO WARRANTY, to the extent permitted by law. Type "show copying" >> and "show warranty" for details. >> This GDB was configured as "x86_64-linux-gnu". >> Para las instrucciones de informe de errores, vea: >> <http://bugs.launchpad.net/gdb-linaro/>. >> (gdb) attach 10732 >> Adjuntando a process 10732 >> Leyendo símbolos desde /usr/sbin/squid3...coLeyendo símbolos desde >> /usr/lib/debug/usr/sbin/squid3...ntinue >> hecho. >> hecho. >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libpthread.so.0...(no se >> encontraron símbolos de depuración)hecho. >> [Depuración de hilo usando libthread_db enabled] >> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". >> Símbolos cargados para /lib/x86_64-linux-gnu/libpthread.so.0 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libxml2.so.2...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libxml2.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libexpat.so.1...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libexpat.so.1 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libssl.so.0.9.8...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libssl.so.0.9.8 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5.so.3...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5.so.3 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcom_err.so.2...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libcom_err.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcap.so.2...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libcap.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/librt.so.1...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/librt.so.1 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libltdl.so.7...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libltdl.so.7 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6 >> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron símbolos >> de depuración)hecho. >> Símbolos cargados para /lib64/ld-linux-x86-64.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libk5crypto.so.3...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 >> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5support.so.0...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libkeyutils.so.1...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libkeyutils.so.1 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libresolv.so.2...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libresolv.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_files.so.2...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_files.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_compat.so.2...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_compat.so.2 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnsl.so.1...(no se encontraron >> símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libnsl.so.1 >> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_nis.so.2...(no se >> encontraron símbolos de depuración)hecho. >> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_nis.so.2 >> 0x00007f7d6243dac8 in poll () from /lib/x86_64-linux-gnu/libc.so.6 >> (gdb) continue >> Continuando. >> >> Program received signal SIGPIPE, Broken pipe. >> 0x00007f7d647becb0 in __write_nocancel () from /lib/x86_64-linux-gnu/libpthread.so.0 >> (gdb) bt >> #0 0x00007f7d647becb0 in __write_nocancel () from >> /lib/x86_64-linux-gnu/libpthread.so.0 >> #1 0x00007f7d63d075c5 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.0.9.8 >> #2 0x00007f7d63d05247 in BIO_write () from /lib/x86_64-linux-gnu/libcrypto.so.0.9.8 >> #3 0x00007f7d63ffafc4 in ssl3_write_pending () from >> /lib/x86_64-linux-gnu/libssl.so.0.9.8 >> #4 0x00007f7d63ffc853 in ssl3_dispatch_alert () from >> /lib/x86_64-linux-gnu/libssl.so.0.9.8 >> #5 0x00007f7d63ff9442 in ssl3_shutdown () from >> /lib/x86_64-linux-gnu/libssl.so.0.9.8 >> #6 0x00007f7d64e8f0f4 in AsyncCall::make (this=0x7f7d687eb390) at AsyncCall.cc:36 >> #7 0x00007f7d64e92117 in AsyncCallQueue::fireNext (this=<optimized out>) at >> AsyncCallQueue.cc:54 >> #8 0x00007f7d64e92270 in AsyncCallQueue::fire (this=0x7f7d66f5f2c0) at >> AsyncCallQueue.cc:40 >> #9 0x00007f7d64d7c494 in EventLoop::runOnce (this=0x7fff630b3e60) at >> EventLoop.cc:131 >> #10 0x00007f7d64d7c568 in EventLoop::run (this=0x7fff630b3e60) at EventLoop.cc:95 >> #11 0x00007f7d64ddc039 in SquidMain (argc=<optimized out>, argv=<optimized out>) >> at main.cc:1500 >> #12 0x00007f7d64d10b76 in SquidMainSafe (argv=<optimized out>, argc=<optimized >> out>) at main.cc:1215 >> #13 main (argc=<optimized out>, argv=<optimized out>) at main.cc:1207 >> >> Any ideas what's going on with this information? Thansk! >> >> Regards, >> Miguel Angel. > > > Hi Ahmed, did you found a way to fix or workaround this? i can't get a backtrace with the information needed and no matter what i try it keeps failing, i had to disable ssl and my users are a bit upset. Regards, Miguel Angel.