Are the parent directories of ssl_db writeable by the squid user? You might want to look at that too.

On Thu, Jan 10, 2013 at 7:40 AM, Jason A. Sloan <jason_sloan@xxxxxxxxx> wrote:
> No joy.
>
> I initially ran the ssl_crtd command as root before using sudo to run it as
> the squid user. Regardless, I tried that to no avail.
>
> As root:
>
> Deleted existing ssl_db implementation.
>
> /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
> Initialization SSL db...
> Done
>
> chown -R squid:nobody ssl_db/
>
> Attempt to start died with same error message:
> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> ...
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> -----Original Message-----
> From: Ahmed Talha Khan [mailto:auny87@xxxxxxxxx]
> Sent: Wednesday, January 09, 2013 1:56 PM
> To: Jason A. Sloan
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: ssl_crtd reporting certificate database as uninitialized
>
> Try to create the ssl_db without sudo. There seems to be a problem with the
> permissions on that directory. Also change the group ownership of ssl_db to
> "nobody". I hope that helps.
>
> On Wed, Jan 9, 2013 at 11:38 PM, Jason A. Sloan <jason_sloan@xxxxxxxxx> wrote:
>> I'm setting up dynamic SSL cert generation on a CentOS 6.3 (i686)
>> platform but I can't seem to get ssl-crtd to believe it's initialized.
>> Perhaps I'm missing something. Either way I could use another set of eyes / ideas.
>>
>> I have compiled the latest stable release (3.2.5) and installed it.
>> Packaged release was not compiled with --enable-ssl-crtd.
>>
>> When starting squid I get a message in cache.log from ssl-crtd that it
>> believes the SSL Certificate database is uninitialized.
>>
>> However I have executed the following:
>>
>> sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
>> Initialization SSL db...
>> Done
>>
>> I can even execute ssl-crtd outside of squid and get a response.
>>
>> sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
>> new_certificate 13 host=test.com
>> OK 1531 -----BEGIN CERTIFICATE-----
>> MIIBmDCC.
>> -----END CERTIFICATE-----
>> -----BEGIN PRIVATE KEY-----
>> MIICdgIBADANBgkqhki.
>> -----END PRIVATE KEY-----
>> ^C
>>
>> I have even attempted to chmod -R 777 /var/squid/ssl_db with no success.
>>
>> 2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for i686-pc-linux-gnu...
>> 2013/01/09 12:49:37 kid1| Process ID 26793
>> 2013/01/09 12:49:37 kid1| Process Roles: worker
>> 2013/01/09 12:49:37 kid1| With 16384 file descriptors available
>> 2013/01/09 12:49:37 kid1| Initializing IP Cache...
>> 2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
>> 2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
>> 2013/01/09 12:49:37 kid1| Adding domain gaming.local from /etc/resolv.conf
>> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
>> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
>> 2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
>> 2013/01/09 12:49:37 kid1| Logfile: opening log daemon:/var/log/squid/access.log
>> 2013/01/09 12:49:37 kid1| Logfile Daemon: opening log /var/log/squid/access.log
>> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
>> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
>> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
>> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
>> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
>> 2013/01/09 12:49:37 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
>> 2013/01/09 12:49:37 kid1| Store logging disabled
>> 2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
>> 2013/01/09 12:49:37 kid1| Target number of buckets: 1008
>> 2013/01/09 12:49:37 kid1| Using 8192 Store buckets
>> 2013/01/09 12:49:37 kid1| Max Mem size: 262144 KB
>> 2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
>> 2013/01/09 12:49:37 kid1| Using Least Load store dir selection
>> 2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
>> 2013/01/09 12:49:37 kid1| Loaded Icons.
>> 2013/01/09 12:49:37 kid1| HTCP Disabled.
>> 2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
>> 2013/01/09 12:49:37 kid1| Adaptation support is off.
>> 2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
>> 2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
>> 2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running (need 1/5)
>> 2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
>> 2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
>> 2013/01/09 12:49:37 kid1| Finished. Wrote 0 entries.
>> 2013/01/09 12:49:37 kid1| Took 0.00 seconds ( 0.00 entries/sec).
>> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>>
>> Squid Cache (Version 3.2.5): Terminated abnormally.
>> CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys
>> Maximum Resident Size: 50304 KB
>> Page faults with physical i/o: 0
>> Memory usage for squid via mallinfo():
>> total space in arena: 4784 KB
>> Ordinary blocks: 4655 KB 8 blks
>> Small blocks: 0 KB 0 blks
>> Holding blocks: 7252 KB 6 blks
>> Free Small blocks: 0 KB
>> Free Ordinary blocks: 128 KB
>> Total in use: 11907 KB 249%
>> Total free: 128 KB 3%
>>
>> Full configure used in compile here:
>> ./configure \
>> --exec_prefix=/usr \
>> --libexecdir=/usr/lib/squid \
>> --includedir=/usr/include \
>> --localstatedir=/var \
>> --datadir=/usr/share/squid \
>> --bindir=/usr/sbin \
>> --sysconfdir=/etc/squid \
>> --with-logdir='/var/log/squid' \
>> --with-pidfile='/var/run/squid.pid' \
>> --disable-dependency-tracking \
>> --enable-arp-acl \
>> --enable-follow-x-forwarded-for \
>> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth" \
>> --enable-auth-digest="password,ldap,eDirectory" \
>> --enable-auth-ntlm="smb_lm,no_check,fakeauth" \
>> --enable-auth-negotiate \
>> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
>> --enable-cache-digests \
>> --enable-cachemgr-hostname=localhost \
>> --enable-delay-pools \
>> --enable-epoll \
>> --enable-icap-client \
>> --enable-ident-lookups \
>> --with-large-files \
>> --enable-linux-netfilter \
>> --enable-referer-log \
>> --enable-removal-policies="heap,lru" \
>> --enable-snmp \
>> --enable-ssl \
>> --enable-ssl-crtd \
>> --enable-storeio="aufs,diskd,ufs" \
>> --enable-useragent-log \
>> --enable-wccpv2 \
>> --enable-esi \
>> --with-aio \
>> --with-default-user="squid" \
>> --with-filedescriptors=16384 \
>> --with-dl \
>> --with-openssl \
>> --with-pthreads
>>
>> Relevant squid.conf settings:
>>
>> # Squid normally listens to port 3128
>> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer key=/etc/squid/squid.key
>>
>> # Squid SSL Certificate Daemon Options
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
>> sslcrtd_children 5
>>
>> Thanks in advance!
>>
>
>
> --
> Regards,
> -Ahmed Talha Khan

--
Regards,
-Ahmed Talha Khan
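A check for the point raised at the top of the thread, as an added example that is not from the thread or from Squid itself: it walks every directory above the ssl_crtd database and reports the first one the helper's user cannot traverse, then checks the database directory itself for read, write and execute. Mode bits are read from ls -ld rather than test -x so the answer is the same when run as root; the user and group names (squid:nobody in the thread) are arguments, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. A chmod -R on ssl_db alone does not
# help when a parent directory lacks the execute (traverse) bit for the
# user ssl_crtd runs as, which is what the top reply asks about.

# perm_ok PATH USER GROUP BIT -> 0 if USER (a member of GROUP) has BIT
# (r, w or x) on PATH. Reads the bits from ls -ld; test -x would always
# succeed for root and so would hide a problem the squid user has.
perm_ok() {
    path=$1; user=$2; group=$3; bit=$4
    out=$(ls -ld "$path" 2>/dev/null) || return 2
    set -- $out                          # mode links owner group ...
    mode=$1; owner=$3; grp=$4
    if [ "$owner" = "$user" ]; then base=2     # owner rwx at columns 2-4
    elif [ "$grp" = "$group" ]; then base=5    # group rwx at columns 5-7
    else base=8; fi                            # others rwx at columns 8-10
    case $bit in r) off=0 ;; w) off=1 ;; x) off=2 ;; *) return 2 ;; esac
    c=$(printf '%s\n' "$mode" | cut -c $((base + off)))
    # s and t also mean the execute bit is set (setuid/setgid/sticky)
    case $bit$c in rr|ww|xx|xs|xt) return 0 ;; *) return 1 ;; esac
}

# ssl_db_access_ok DB_DIR USER GROUP -> 0 when every parent of DB_DIR is
# traversable by USER and DB_DIR itself is readable, writable and
# traversable; otherwise prints the first failing path and returns 1.
# Requires an absolute DB_DIR (returns 2 otherwise).
ssl_db_access_ok() {
    db=$1; u=$2; g=$3
    case $db in /*) ;; *) echo "use an absolute path: $db"; return 2 ;; esac
    p=$(dirname "$db")
    while :; do
        perm_ok "$p" "$u" "$g" x || { echo "$u cannot traverse $p"; return 1; }
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    [ -d "$db" ] || { echo "no such directory: $db"; return 1; }
    for b in r w x; do
        perm_ok "$db" "$u" "$g" "$b" || { echo "$u lacks $b on $db"; return 1; }
    done
    echo "$db is reachable and writable by $u"
}

# Usage: sh check_ssl_db.sh /var/squid/ssl_db squid nobody
if [ $# -ge 3 ]; then ssl_db_access_ok "$1" "$2" "$3"; fi
```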