Search squid archive

RE: ssl_crtd reporting certificate database as uninitialized

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



So I found that the server comes up and stays up if I run:

sudo -u squid /usr/sbin/squid -f /etc/squid/squid.conf

or as root:

/usr/sbin/squid -f /etc/squid/squid.conf

# /usr/sbin/squid -f /etc/squid/squid.conf
# ps -ef | grep squid
root     30358     1  0 17:20 ?        00:00:00 /usr/sbin/squid -f
/etc/squid/squid.conf
squid    30360 30358  0 17:20 ?        00:00:00 (squid-1) -f
/etc/squid/squid.conf
squid    30361 30360  0 17:20 ?        00:00:00 (ssl_crtd) -d -s
/var/squid/ssl_db -M 4MB -b 4096
squid    30362 30360  0 17:20 ?        00:00:00 (ssl_crtd) -d -s
/var/squid/ssl_db -M 4MB -b 4096
squid    30363 30360  0 17:20 ?        00:00:00 (ssl_crtd) -d -s
/var/squid/ssl_db -M 4MB -b 4096
squid    30364 30360  0 17:20 ?        00:00:00 (ssl_crtd) -d -s
/var/squid/ssl_db -M 4MB -b 4096
squid    30365 30360  0 17:20 ?        00:00:00 (ssl_crtd) -d -s
/var/squid/ssl_db -M 4MB -b 4096
squid    30366 30360  0 17:20 ?        00:00:00 (logfile-daemon)
/var/log/squid/access.log
root     30368 29619  0 17:20 pts/0    00:00:00 grep squid

So it appears the UID is not properly switching when running as root from
startup?

Contents of /etc/init.d/squid (no modifications made by me)
http://pastebin.com/UeehzMH6

squid.conf excerpt:
cache_effective_user squid
cache_effective_group squid

> -----Original Message-----
> From: Jason A. Sloan [mailto:jason_sloan@xxxxxxxxx]
> Sent: Thursday, January 10, 2013 8:29 AM
> To: 'Ahmed Talha Khan'
> Cc: 'squid-users@xxxxxxxxxxxxxxx'
> Subject: RE:  ssl_crtd reporting certificate database as
> uninitialized
> 
> # pwd
> /var
> # ll
> ...
> drwxr-xr-x.  3 squid squid 4096 Jan  9 21:29 squid ...
> # cd squid
> # ll
> drwxr-xr-x. 3 squid nobody 4096 Jan  9 21:29 ssl_db # cd ssl_db # ll
drwxr-xr-
> x. 2 squid nobody 4096 Jan  9 21:29 certs
> -rw-r--r--. 1 squid nobody    0 Jan  9 21:29 index.txt
> -rw-r--r--. 1 squid nobody    8 Jan  9 21:29 serial
> -rw-r--r--. 1 squid nobody    1 Jan  9 21:29 size
> 
> 
> > -----Original Message-----
> > From: Ahmed Talha Khan [mailto:auny87@xxxxxxxxx]
> > Sent: Thursday, January 10, 2013 4:26 AM
> > To: Jason A. Sloan
> > Cc: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re:  ssl_crtd reporting certificate database as
> > uninitialized
> >
> > Are the parent directories of ssl_db writeable by the squid user?You
> > might want to look at that too
> >
> > On Thu, Jan 10, 2013 at 7:40 AM, Jason A. Sloan
> > <jason_sloan@xxxxxxxxx>
> > wrote:
> > > No joy.
> > >
> > > I initially ran the ssl_crtd command as root before using sudo to
> > > run it as the squid user. Regardless I tried that to no avail.
> > >
> > > As root:
> > >
> > > Deleted existing ssl_db implementation.
> > >
> > > /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db Initialization SSL
> > > db...
> > > Done
> > >
> > > chown -R squid:nobody ssl_db/
> > >
> > > Attempt to start died with same error message:
> > > (ssl_crtd): Uninitialized SSL certificate database directory:
> > > /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s
/var/squid/ssl_db".
> > > ...
> > > FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> > >
> > > -----Original Message-----
> > > From: Ahmed Talha Khan [mailto:auny87@xxxxxxxxx]
> > > Sent: Wednesday, January 09, 2013 1:56 PM
> > > To: Jason A. Sloan
> > > Cc: squid-users@xxxxxxxxxxxxxxx
> > > Subject: Re:  ssl_crtd reporting certificate database
> > > as uninitialized
> > >
> > > Try to create the ssl_db without sudo . There seems to be a problem
> > > with the permissions on that directory. Also change the group
> > > ownership of ssl_db to "nobody". I hope that helps
> > >
> > > On Wed, Jan 9, 2013 at 11:38 PM, Jason A. Sloan
> > > <jason_sloan@xxxxxxxxx>
> > > wrote:
> > >> I'm setting up dynamic SSL cert generation on a Centos 6.3 (i686)
> > >> platform but I can't seem to get ssl-crtd to believe it's
initialized.
> > >> Perhaps I'm missing something. Either way I could use another set
> > >> of eyes
> > > / ideas.
> > >>
> > >> I have compiled the latest stable release (3.2.5) and installed it.
> > >> Packaged release was not compiled with --enable-ssl-crtd.
> > >>
> > >> When starting squid I get a message in cache.log from ssl-crtd that
> > >> it believes the SSL Certificate database is uninitialized..
> > >>
> > >> However I have executed the following:
> > >>
> > >> sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
> > >> Initialization SSL db...
> > >> Done
> > >>
> > >> I can even execute ssl-crtd outside of squid and get a response..
> > >>
> > >> sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> > >> new_certificate 13 host=test.com OK 1531 -----BEGIN
> > >> CERTIFICATE----- MIIBmDCC. -----END CERTIFICATE----- -----BEGIN
> > >> PRIVATE KEY----- MIICdgIBADANBgkqhki. -----END PRIVATE KEY----- ^C
> > >>
> > >> I have even attemted to chmod -R 777 /var/squid/ssl_db with no
> success.
> > >>
> > >> 2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for
> > >> i686-pc-linux-gnu...
> > >> 2013/01/09 12:49:37 kid1| Process ID 26793
> > >> 2013/01/09 12:49:37 kid1| Process Roles: worker
> > >> 2013/01/09 12:49:37 kid1| With 16384 file descriptors available
> > >> 2013/01/09 12:49:37 kid1| Initializing IP Cache...
> > >> 2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
> > >> 2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
> > >> 2013/01/09 12:49:37 kid1| Adding domain gaming.local from
> > >> /etc/resolv.conf
> > >> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from
> > >> /etc/resolv.conf
> > >> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from
> > >> /etc/resolv.conf
> > >> 2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd'
> > >> processes
> > >> 2013/01/09 12:49:37 kid1| Logfile: opening log
> > >> daemon:/var/log/squid/access.log
> > >> 2013/01/09 12:49:37 kid1| Logfile Daemon: opening log
> > >> /var/log/squid/access.log
> > >> (ssl_crtd): Uninitialized SSL certificate database directory:
> > >> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s
/var/squid/ssl_db".
> > >> (ssl_crtd): Uninitialized SSL certificate database directory:
> > >> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s
/var/squid/ssl_db".
> > >> (ssl_crtd): Uninitialized SSL certificate database directory:
> > >> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s
/var/squid/ssl_db".
> > >> (ssl_crtd): Uninitialized SSL certificate database directory:
> > >> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s
/var/squid/ssl_db".
> > >> (ssl_crtd): Uninitialized SSL certificate database directory:
> > >> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s
/var/squid/ssl_db".
> > >> 2013/01/09 12:49:37 kid1| Local cache digest enabled;
> > >> rebuild/rewrite every
> > >> 3600/3600 sec
> > >> 2013/01/09 12:49:37 kid1| Store logging disabled
> > >> 2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated
> > >> 20164 objects
> > >> 2013/01/09 12:49:37 kid1| Target number of buckets: 1008
> > >> 2013/01/09 12:49:37 kid1| Using 8192 Store buckets
> > >> 2013/01/09 12:49:37 kid1| Max Mem  size: 262144 KB
> > >> 2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
> > >> 2013/01/09 12:49:37 kid1| Using Least Load store dir selection
> > >> 2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
> > >> 2013/01/09 12:49:37 kid1| Loaded Icons.
> > >> 2013/01/09 12:49:37 kid1| HTCP Disabled.
> > >> 2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
> > >> 2013/01/09 12:49:37 kid1| Adaptation support is off.
> > >> 2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket
> > >> connections at
> > >> local=[::]:3128 remote=[::] FD 21 flags=9
> > >> 2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
> > >> 2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running
> > >> (need
> > >> 1/5)
> > >> 2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
> > >> 2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
> > >> 2013/01/09 12:49:37 kid1|   Finished.  Wrote 0 entries.
> > >> 2013/01/09 12:49:37 kid1|   Took 0.00 seconds (  0.00 entries/sec).
> > >> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> > >>
> > >> Squid Cache (Version 3.2.5): Terminated abnormally.
> > >> CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys Maximum Resident
> > Size:
> > >> 50304 KB Page faults with physical i/o: 0 Memory usage for squid
> > >> via
> > >> mallinfo():
> > >>         total space in arena:    4784 KB
> > >>         Ordinary blocks:         4655 KB      8 blks
> > >>         Small blocks:               0 KB      0 blks
> > >>         Holding blocks:          7252 KB      6 blks
> > >>         Free Small blocks:          0 KB
> > >>         Free Ordinary blocks:     128 KB
> > >>         Total in use:           11907 KB 249%
> > >>         Total free:               128 KB 3%
> > >>
> > >> Full configure used in compile here:
> > >> ./configure \
> > >>    --exec_prefix=/usr \
> > >>    --libexecdir=/usr/lib/squid \
> > >>    --includedir=/usr/include \
> > >>    --localstatedir=/var \
> > >>    --datadir=/usr/share/squid \
> > >>    --bindir=/usr/sbin \
> > >>    --sysconfdir=/etc/squid \
> > >>    --with-logdir='/var/log/squid' \
> > >>    --with-pidfile='/var/run/squid.pid' \
> > >>    --disable-dependency-tracking \
> > >>    --enable-arp-acl \
> > >>    --enable-follow-x-forwarded-for \
> > >>
> > >> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-
> > domain-
> > >> N
> > >> TLM,SA
> > >> SL,DB,POP3,squid_radius_auth" \
> > >>    --enable-auth-digest="password,ldap,eDirectory" \
> > >>    --enable-auth-ntlm="smb_lm,no_check,fakeauth" \
> > >>    --enable-auth-negotiate \
> > >>
> > >> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_grou
> > >> p,
> > >> w
> > >> binfo_
> > >> group" \
> > >>    --enable-cache-digests \
> > >>    --enable-cachemgr-hostname=localhost \
> > >>    --enable-delay-pools \
> > >>    --enable-epoll \
> > >>    --enable-icap-client \
> > >>    --enable-ident-lookups \
> > >>    --with-large-files \
> > >>    --enable-linux-netfilter \
> > >>    --enable-referer-log \
> > >>    --enable-removal-policies="heap,lru" \
> > >>    --enable-snmp \
> > >>    --enable-ssl \
> > >>    --enable-ssl-crtd \
> > >>    --enable-storeio="aufs,diskd,ufs" \
> > >>    --enable-useragent-log \
> > >>    --enable-wccpv2 \
> > >>    --enable-esi \
> > >>    --with-aio \
> > >>    --with-default-user="squid" \
> > >>    --with-filedescriptors=16384 \
> > >>    --with-dl \
> > >>    --with-openssl \
> > >>    --with-pthreads
> > >>
> > >> Relevant squid.conf settings:
> > >>
> > >> # Squid normally listens to port 3128 http_port 3128 ssl-bump
> > >> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > >> cert=/etc/squid/squid.cer key=/etc/squid/squid.key
> > >>
> > >> # Squid SSL Certificate Daemon Options sslcrtd_program
> > >> /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> > >> sslcrtd_children
> > >> 5
> > >>
> > >> Thanks in advance!
> > >>
> > >>
> > >
> > >
> > >
> > > --
> > > Regards,
> > > -Ahmed Talha Khan
> > >
> >
> >
> >
> > --
> > Regards,
> > -Ahmed Talha Khan



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux