Try to create the ssl_db without sudo. There seems to be a problem with the permissions on that directory. Also change the group ownership of ssl_db to "nobody". I hope that helps.

On Wed, Jan 9, 2013 at 11:38 PM, Jason A. Sloan <jason_sloan@xxxxxxxxx> wrote:
> I’m setting up dynamic SSL cert generation on a CentOS 6.3 (i686) platform
> but I can’t seem to get ssl-crtd to believe it’s initialized. Perhaps I’m
> missing something. Either way I could use another set of eyes / ideas.
>
> I have compiled the latest stable release (3.2.5) and installed it. Packaged
> release was not compiled with --enable-ssl-crtd.
>
> When starting squid I get a message in cache.log from ssl-crtd that it
> believes the SSL Certificate database is uninitialized….
>
> However I have executed the following:
>
> sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
> Initialization SSL db...
> Done
>
> I can even execute ssl-crtd outside of squid and get a response….
>
> sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> new_certificate 13 host=test.com
> OK 1531 -----BEGIN CERTIFICATE-----
> MIIBmDCC…
> -----END CERTIFICATE-----
> -----BEGIN PRIVATE KEY-----
> MIICdgIBADANBgkqhki…
> -----END PRIVATE KEY-----
> ^C
>
> I have even attempted to chmod -R 777 /var/squid/ssl_db with no success.
>
> 2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for i686-pc-linux-gnu...
> 2013/01/09 12:49:37 kid1| Process ID 26793
> 2013/01/09 12:49:37 kid1| Process Roles: worker
> 2013/01/09 12:49:37 kid1| With 16384 file descriptors available
> 2013/01/09 12:49:37 kid1| Initializing IP Cache...
> 2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
> 2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
> 2013/01/09 12:49:37 kid1| Adding domain gaming.local from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
> 2013/01/09 12:49:37 kid1| Logfile: opening log daemon:/var/log/squid/access.log
> 2013/01/09 12:49:37 kid1| Logfile Daemon: opening log /var/log/squid/access.log
> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> 2013/01/09 12:49:37 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> 2013/01/09 12:49:37 kid1| Store logging disabled
> 2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2013/01/09 12:49:37 kid1| Target number of buckets: 1008
> 2013/01/09 12:49:37 kid1| Using 8192 Store buckets
> 2013/01/09 12:49:37 kid1| Max Mem size: 262144 KB
> 2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
> 2013/01/09 12:49:37 kid1| Using Least Load store dir selection
> 2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
> 2013/01/09 12:49:37 kid1| Loaded Icons.
> 2013/01/09 12:49:37 kid1| HTCP Disabled.
> 2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
> 2013/01/09 12:49:37 kid1| Adaptation support is off.
> 2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
> 2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
> 2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running (need 1/5)
> 2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
> 2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
> 2013/01/09 12:49:37 kid1| Finished. Wrote 0 entries.
> 2013/01/09 12:49:37 kid1| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.2.5): Terminated abnormally.
> CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys
> Maximum Resident Size: 50304 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
>         total space in arena: 4784 KB
>         Ordinary blocks: 4655 KB 8 blks
>         Small blocks: 0 KB 0 blks
>         Holding blocks: 7252 KB 6 blks
>         Free Small blocks: 0 KB
>         Free Ordinary blocks: 128 KB
>         Total in use: 11907 KB 249%
>         Total free: 128 KB 3%
>
> Full configure used in compile here:
> ./configure \
>     --exec_prefix=/usr \
>     --libexecdir=/usr/lib/squid \
>     --includedir=/usr/include \
>     --localstatedir=/var \
>     --datadir=/usr/share/squid \
>     --bindir=/usr/sbin \
>     --sysconfdir=/etc/squid \
>     --with-logdir='/var/log/squid' \
>     --with-pidfile='/var/run/squid.pid' \
>     --disable-dependency-tracking \
>     --enable-arp-acl \
>     --enable-follow-x-forwarded-for \
>     --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth" \
>     --enable-auth-digest="password,ldap,eDirectory" \
>     --enable-auth-ntlm="smb_lm,no_check,fakeauth" \
>     --enable-auth-negotiate \
>     --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
>     --enable-cache-digests \
>     --enable-cachemgr-hostname=localhost \
>     --enable-delay-pools \
>     --enable-epoll \
>     --enable-icap-client \
>     --enable-ident-lookups \
>     --with-large-files \
>     --enable-linux-netfilter \
>     --enable-referer-log \
>     --enable-removal-policies="heap,lru" \
>     --enable-snmp \
>     --enable-ssl \
>     --enable-ssl-crtd \
>     --enable-storeio="aufs,diskd,ufs" \
>     --enable-useragent-log \
>     --enable-wccpv2 \
>     --enable-esi \
>     --with-aio \
>     --with-default-user="squid" \
>     --with-filedescriptors=16384 \
>     --with-dl \
>     --with-openssl \
>     --with-pthreads
>
> Relevant squid.conf settings:
>
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer key=/etc/squid/squid.key
>
> # Squid SSL Certificate Daemon Options
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> sslcrtd_children 5
>
> Thanks in advance!
>

--
Regards,
-Ahmed Talha Khan
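
A way to test the permissions theory raised in the reply, as an added example that is not part of the thread or of Squid: walk every directory on the way to /var/squid/ssl_db and report the first one the helper's account cannot use, so the fix can target that component instead of opening the database directory with chmod 777. The function names `perm_digit`, `first_blocked` and `demo` are hypothetical, GNU `stat -c` is assumed, and only owner/group/mode bits are evaluated (no ACLs or SELinux).

```sh
#!/bin/sh
# Added example (not from the thread). Mode bits only; assumes GNU stat.

# perm_digit UID "GID ..." PATH -> prints the rwx digit (0-7) for that uid
perm_digit() {
    local uid="$1" gids="$2" info owner group mode g
    info=$(stat -c '%u %g %a' "$3" 2>/dev/null) || return 2
    owner=${info%% *}; info=${info#* }
    group=${info%% *}; mode=${info#* }
    mode=$((mode % 1000))                     # drop setuid/setgid/sticky digit
    if [ "$uid" -eq "$owner" ]; then echo $((mode / 100)); return 0; fi
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then echo $((mode / 10 % 10)); return 0; fi
    done
    echo $((mode % 10))
}

# first_blocked UID "GID ..." PATH [BASE]: walk from BASE (default /, must be
# a prefix of PATH) down to PATH. Parents need search (x); PATH itself needs
# rwx because the helper writes there. Prints the blocking component and
# returns 1 (2 if it is missing); returns 0 when every component passes.
first_blocked() {
    local uid="$1" gids="$2" target="${3%/}" cur="${4:-/}" rest part digit need
    if [ "$uid" -eq 0 ]; then return 0; fi    # root bypasses mode bits
    cur=${cur%/}; rest=${target#"$cur"}
    while [ -n "$rest" ]; do
        rest=${rest#/}; part=${rest%%/*}; rest=${rest#"$part"}
        [ -n "$part" ] || continue
        cur="$cur/$part"; need=1
        if [ "$cur" = "$target" ]; then need=7; fi
        digit=$(perm_digit "$uid" "$gids" "$cur") || { echo "$cur"; return 2; }
        [ $((digit & need)) -eq "$need" ] || { echo "$cur"; return 1; }
    done
    return 0
}

# Constructed tree mirroring the thread: ssl_db is 777 but its parent is 700.
demo() {
    local base other
    base=$(mktemp -d) || return 1
    mkdir -p "$base/squid/ssl_db"
    chmod 777 "$base/squid/ssl_db"; chmod 700 "$base/squid"
    other=$(( $(stat -c %u "$base") + 1 ))    # stand-in for a non-owner uid
    first_blocked "$other" "" "$base/squid/ssl_db" "$base" || true
    rm -rf "$base"
}
demo   # prints <tmpdir>/squid
```

On the host from the thread the call would be `first_blocked "$(id -u squid)" "$(id -G squid)" /var/squid/ssl_db`, using the `squid` account named in the configure options.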