Search squid archive

Re: ssl_crtd reporting certificate database as uninitialized

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Try to create the ssl_db without sudo . There seems to be a problem
with the permissions on that directory. Also change the group
ownership of ssl_db to "nobody". I hope that helps

On Wed, Jan 9, 2013 at 11:38 PM, Jason A. Sloan <jason_sloan@xxxxxxxxx> wrote:
> I’m setting up dynamic SSL cert generation on a Centos 6.3 (i686) platform
> but I can’t seem to get ssl-crtd to believe it’s initialized. Perhaps I’m
> missing something. Either way I could use another set of eyes / ideas.
>
> I have compiled the latest stable release (3.2.5) and installed it. Packaged
> release was not compiled with --enable-ssl-crtd.
>
> When starting squid I get a message in cache.log from ssl-crtd that it
> believes the SSL Certificate database is uninitialized….
>
> However I have executed the following:
>
> sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db Initialization
> SSL db...
> Done
>
> I can even execute ssl-crtd outside of squid and get a response….
>
> sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> new_certificate 13 host=test.com
> OK 1531 -----BEGIN CERTIFICATE-----
> MIIBmDCC…
> -----END CERTIFICATE-----
> -----BEGIN PRIVATE KEY-----
> MIICdgIBADANBgkqhki…
> -----END PRIVATE KEY-----
> ^C
>
> I have even attemted to chmod –R 777 /var/squid/ssl_db with no success.
>
> 2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for
> i686-pc-linux-gnu...
> 2013/01/09 12:49:37 kid1| Process ID 26793
> 2013/01/09 12:49:37 kid1| Process Roles: worker
> 2013/01/09 12:49:37 kid1| With 16384 file descriptors available
> 2013/01/09 12:49:37 kid1| Initializing IP Cache...
> 2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
> 2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
> 2013/01/09 12:49:37 kid1| Adding domain gaming.local from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd'
> processes
> 2013/01/09 12:49:37 kid1| Logfile: opening log
> daemon:/var/log/squid/access.log
> 2013/01/09 12:49:37 kid1| Logfile Daemon: opening log
> /var/log/squid/access.log
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> 2013/01/09 12:49:37 kid1| Local cache digest enabled; rebuild/rewrite every
> 3600/3600 sec
> 2013/01/09 12:49:37 kid1| Store logging disabled
> 2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated 20164
> objects
> 2013/01/09 12:49:37 kid1| Target number of buckets: 1008
> 2013/01/09 12:49:37 kid1| Using 8192 Store buckets
> 2013/01/09 12:49:37 kid1| Max Mem  size: 262144 KB
> 2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
> 2013/01/09 12:49:37 kid1| Using Least Load store dir selection
> 2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
> 2013/01/09 12:49:37 kid1| Loaded Icons.
> 2013/01/09 12:49:37 kid1| HTCP Disabled.
> 2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
> 2013/01/09 12:49:37 kid1| Adaptation support is off.
> 2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket connections at
> local=[::]:3128 remote=[::] FD 21 flags=9
> 2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
> 2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running (need 1/5)
> 2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
> 2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
> 2013/01/09 12:49:37 kid1|   Finished.  Wrote 0 entries.
> 2013/01/09 12:49:37 kid1|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.2.5): Terminated abnormally.
> CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys Maximum Resident Size:
> 50304 KB Page faults with physical i/o: 0 Memory usage for squid via
> mallinfo():
>         total space in arena:    4784 KB
>         Ordinary blocks:         4655 KB      8 blks
>         Small blocks:               0 KB      0 blks
>         Holding blocks:          7252 KB      6 blks
>         Free Small blocks:          0 KB
>         Free Ordinary blocks:     128 KB
>         Total in use:           11907 KB 249%
>         Total free:               128 KB 3%
>
> Full configure used in compile here:
> ./configure \
>    --exec_prefix=/usr \
>    --libexecdir=/usr/lib/squid \
>    --includedir=/usr/include \
>    --localstatedir=/var \
>    --datadir=/usr/share/squid \
>    --bindir=/usr/sbin \
>    --sysconfdir=/etc/squid \
>    --with-logdir='/var/log/squid' \
>    --with-pidfile='/var/run/squid.pid' \
>    --disable-dependency-tracking \
>    --enable-arp-acl \
>    --enable-follow-x-forwarded-for \
>
> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SA
> SL,DB,POP3,squid_radius_auth" \
>    --enable-auth-digest="password,ldap,eDirectory" \
>    --enable-auth-ntlm="smb_lm,no_check,fakeauth" \
>    --enable-auth-negotiate \
>
> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_
> group" \
>    --enable-cache-digests \
>    --enable-cachemgr-hostname=localhost \
>    --enable-delay-pools \
>    --enable-epoll \
>    --enable-icap-client \
>    --enable-ident-lookups \
>    --with-large-files \
>    --enable-linux-netfilter \
>    --enable-referer-log \
>    --enable-removal-policies="heap,lru" \
>    --enable-snmp \
>    --enable-ssl \
>    --enable-ssl-crtd \
>    --enable-storeio="aufs,diskd,ufs" \
>    --enable-useragent-log \
>    --enable-wccpv2 \
>    --enable-esi \
>    --with-aio \
>    --with-default-user="squid" \
>    --with-filedescriptors=16384 \
>    --with-dl \
>    --with-openssl \
>    --with-pthreads
>
> Relevant squid.conf settings:
>
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer
> key=/etc/squid/squid.key
>
> # Squid SSL Certificate Daemon Options
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> sslcrtd_children 5
>
> Thanks in advance!
>
>



-- 
Regards,
-Ahmed Talha Khan



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux