
Re: Dynamic SSL Certificate Generation


 



On 25/11/2012 6:57 a.m., Aleksandr Tatarinov wrote:
I am trying to get SSL bumping to work on my CentOS system.
I am using these options in my squid.conf:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
Here is the output of cache.log:
2012/11/24 00:57:39| Starting Squid Cache version 3.2.3 for x86_64-unknown-linux-gnu...
2012/11/24 00:57:39| Process ID 53204
2012/11/24 00:57:39| Process Roles: master worker
2012/11/24 00:57:39| With 1024 file descriptors available
2012/11/24 00:57:39| Initializing IP Cache...
2012/11/24 00:57:39| DNS Socket created at [::], FD 5
2012/11/24 00:57:39| DNS Socket created at 0.0.0.0, FD 6
2012/11/24 00:57:39| Adding domain localdomain from /etc/resolv.conf
2012/11/24 00:57:39| Adding domain localdomain from /etc/resolv.conf
2012/11/24 00:57:39| Adding nameserver 192.168.253.2 from /etc/resolv.conf
2012/11/24 00:57:39| helperOpenServers: Starting 5/5 'ssl_crtd' processes
(ssl_crtd):
  Uninitialized SSL certificate database directory:
/usr/local/squid/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
/usr/local/squid/var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL
certificate database directory: /usr/local/squid/var/lib/ssl_db. To
initialize, run "ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db".
(ssl_crtd):
  Uninitialized SSL certificate database directory:
/usr/local/squid/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
/usr/local/squid/var/lib/ssl_db".
2012/11/24 00:57:39| Logfile: opening log daemon:/var/log/access.log
2012/11/24 00:57:39| Logfile Daemon: opening log /var/log/access.log
2012/11/24 00:57:39| Store logging disabled
2012/11/24 00:57:39| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/11/24 00:57:39| Target number of buckets: 1008
2012/11/24 00:57:39| Using 8192 Store buckets
2012/11/24 00:57:39| Max Mem  size: 262144 KB
2012/11/24 00:57:39| Max Swap size: 0 KB
2012/11/24 00:57:39| Using Least Load store dir selection
2012/11/24 00:57:39| Set Current Directory to /var/cache/squid
(ssl_crtd):
  Uninitialized SSL certificate database directory:
/usr/local/squid/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
/usr/local/squid/var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL
certificate database directory: /usr/local/squid/var/lib/ssl_db. To
initialize, run "ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db".
2012/11/24 00:57:39| Loaded Icons.
2012/11/24 00:57:39| HTCP Disabled.
2012/11/24 00:57:39| Squid plugin modules loaded: 0
2012/11/24 00:57:39| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 19 flags=9
2012/11/24 00:57:39| WARNING: ssl_crtd #1 exited
2012/11/24 00:57:39| Too few ssl_crtd processes are running (need 1/5)
2012/11/24 00:57:39| Closing HTTP port [::]:3128
2012/11/24 00:57:39| storeDirWriteCleanLogs: Starting...
2012/11/24 00:57:39|   Finished.  Wrote 0 entries.
2012/11/24 00:57:39|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
Squid Cache (Version 3.2.3): Terminated abnormally.
CPU Usage: 0.051 seconds = 0.023 user + 0.028 sys
Maximum Resident Size: 44192 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
     total space in arena:    4908 KB
     Ordinary blocks:         4848 KB      8 blks
     Small blocks:               0 KB      1 blks
     Holding blocks:           664 KB      2 blks
     Free Small blocks:          0 KB
     Free Ordinary blocks:      59 KB
     Total in use:            5512 KB 112%
     Total free:                59 KB 1%
I see that it complains about the certificate db which is not initialized, so I run:
[root@localhost ssl_cert]# /usr/lib/squid/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
Initialization SSL db...
/usr/lib/squid/ssl_crtd: Cannot create /usr/local/squid/var/lib/ssl_db
I have the correct ownership and file permissions set on /usr/local/squid/var/lib/ssl_db:
[root@localhost ssl_cert]# ls -l /usr/local/squid/var/lib/
total 4
drwxr-xr-x. 2 proxy proxy 4096 Nov 24 00:48 ssl_db
How can I get this to work?

Group/other do not have write permissions, so root cannot create things in there. Try running the tool as the proxy user.

Amos
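The checks behind that answer, as an added example that is not code from the thread or from the Squid project: it pulls the ssl_crtd complaint out of the cache.log lines quoted above, verifies that the database directory is owned and writable by the account the helpers run as, and prints the initialization command to run as that account instead of root. Assumptions: the `proxy` account from the `ls -l` listing, the helper path `/usr/lib/squid/ssl_crtd` from the poster's `sslcrtd_program` line, a `su` that accepts `-s`, and the usual `ls -ld` column layout (mode first, owner third, as in the listing, SELinux dot included). The log text is a constructed excerpt of the lines the poster showed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project:
# read the ssl_crtd complaints out of cache.log, check the certificate
# database directory against the user the helpers run as, and print the
# initialization command to run as that user.

# Constructed sample: the relevant cache.log lines from the thread.
SAMPLE_LOG=$(cat <<'EOF'
2012/11/24 00:57:39| helperOpenServers: Starting 5/5 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /usr/local/squid/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db".
2012/11/24 00:57:39| WARNING: ssl_crtd #1 exited
2012/11/24 00:57:39| Too few ssl_crtd processes are running (need 1/5)
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
EOF
)

# Print the database directory named in the helper's complaint (first match),
# or nothing when the log carries no such line.
uninitialized_db_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*Uninitialized SSL certificate database directory: \([^ ]*\)\. To initialize.*/\1/p' |
        head -n 1
}

# Succeed when the log shows the crash loop that makes Squid terminate.
helpers_crashing() {
    printf '%s\n' "$1" | grep -q 'ssl_crtd helpers are crashing too rapidly'
}

# Succeed when DIR exists, is owned by USER and has the owner-write bit set.
# Parses `ls -ld` (mode is field 1, owner field 3), so an SELinux "." after
# the mode, as in the thread's listing, does not get in the way.
db_dir_owned_writable() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")
    mode=$1; owner=$3
    [ "$owner" = "$user" ] || return 1
    case $mode in
        ??w*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Tie it together. HELPER is the ssl_crtd binary named in squid.conf and USER
# the account the helpers run as (assumed here: "proxy", as in the listing).
# Returns 0 when an actionable ssl_crtd problem was found, 1 otherwise.
diagnose() {
    log=$1; helper=$2; user=$3
    helpers_crashing "$log" || { echo "no ssl_crtd crash loop in this log"; return 1; }
    db=$(uninitialized_db_path "$log")
    [ -n "$db" ] || { echo "helpers crash for another reason; read the (ssl_crtd): lines"; return 1; }
    echo "ssl_crtd wants an initialized certificate db at $db"
    if db_dir_owned_writable "$db" "$user"; then
        echo "$db exists and is writable by $user"
    else
        echo "$db is missing, or not owned/writable by $user: fix that first"
    fi
    echo "then initialize it as $user rather than root:"
    echo "  su -s /bin/sh $user -c '$helper -c -s $db'"
    return 0
}

diagnose "$SAMPLE_LOG" /usr/lib/squid/ssl_crtd proxy
```

Running the initialization as the helper's own user also means the files it creates inside the database come out owned by that user, so the five `ssl_crtd` children started by Squid can open them later. One caveat to keep in mind (my reading of the tool, not something the thread states): `ssl_crtd -c` creates the `-s` directory itself, so if it still reports "Cannot create" for a path that already exists, check whether an empty, pre-made directory is what it is tripping over, and let it create the leaf directory under a parent the proxy user can write to.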

