Hi Sridhar,

I don't see the following in your config file:

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 50
always_direct allow all

/var/lib/ssl_db should be owned by squid. This is where the generated
certificates will be stored. This folder is created by using the command:

ssl_crtd -c -s /var/lib/ssl_db

Regards,
Shinoj.

> -----Original Message-----
> From: Sridhar N [mailto:sridhar.narasimhan@xxxxxxxx]
> Sent: Thursday, December 05, 2013 10:56 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Using trusted fake CA cert for ssl-bump on http_port
>
> Hi,
>
> I'm trying to get the ssl-bump & dynamic cert generation working for
> CONNECT requests. However, I get SSL cert warnings for each site. I tried to
> configure the "fake CA" cert itself (which is imported as a trusted authority in
> the browser), but I'm getting a "No valid signing SSL certificate configured for
> http_port" error.
>
> I know I'm doing something wrong here (more likely related to certs), but
> would deeply appreciate your assistance.
>
> a) Output of squid -v:
> Squid Cache: Version 3.3.10
> configure options: '--prefix=/usr/local' '--enable-inline' '--enable-async-io=8'
> '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
> '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
> '--enable-icap-client' '--enable-follow-x-forwarded-for'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
> '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
> '--enable-arp-acl' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation'
> '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy'
> '--enable-ssl' '--enable-esi' '--enable-ssl-crtd'
>
> SSL & ssl-crtd are enabled. The build is a recompile of the latest stable and
> is running on Ubuntu 13.04.
>
> b) This is my squid.conf
> root@ubuntu:~# less /usr/local/etc/squid.conf | egrep -v '^#' | egrep -v '^$'
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> http_port 4128 ssl-bump generate-host-certificates=on cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
> ssl_bump server-first all
> coredump_dir /usr/local/var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> c) This is the output of squid -k parse:
> 2013/12/05 10:46:32| Startup: Initializing Authentication Schemes ...
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'basic'
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'digest'
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'negotiate'
> 2013/12/05 10:46:32| Startup: Initialized Authentication Scheme 'ntlm'
> 2013/12/05 10:46:32| Startup: Initialized Authentication.
> 2013/12/05 10:46:32| Processing Configuration File: /usr/local/etc/squid.conf (depth 0)
> 2013/12/05 10:46:32| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> 2013/12/05 10:46:32| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> 2013/12/05 10:46:32| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> 2013/12/05 10:46:32| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
> 2013/12/05 10:46:32| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> 2013/12/05 10:46:32| Processing: acl SSL_ports port 443
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 80 # http
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 21 # ftp
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 443 # https
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 70 # gopher
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 210 # wais
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 1025-65535 # unregistered ports
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 280 # http-mgmt
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 488 # gss-http
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 591 # filemaker
> 2013/12/05 10:46:32| Processing: acl Safe_ports port 777 # multiling http
> 2013/12/05 10:46:32| Processing: acl CONNECT method CONNECT
> 2013/12/05 10:46:32| Processing: http_access deny !Safe_ports
> 2013/12/05 10:46:32| Processing: http_access deny CONNECT !SSL_ports
> 2013/12/05 10:46:32| Processing: http_access allow localhost manager
> 2013/12/05 10:46:32| Processing: http_access deny manager
> 2013/12/05 10:46:32| Processing: http_access allow localnet
> 2013/12/05 10:46:32| Processing: http_access allow localhost
> 2013/12/05 10:46:32| Processing: http_access allow all
> 2013/12/05 10:46:32| Processing: http_port 4128 ssl-bump generate-host-certificates=on cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
> 2013/12/05 10:46:32| Processing: ssl_bump server-first all
> 2013/12/05 10:46:32| Processing: coredump_dir /usr/local/var/cache/squid
> 2013/12/05 10:46:32| Processing: refresh_pattern ^ftp: 1440 20% 10080
> 2013/12/05 10:46:32| Processing: refresh_pattern ^gopher: 1440 0% 1440
> 2013/12/05 10:46:32| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> 2013/12/05 10:46:32| Processing: refresh_pattern . 0 20% 4320
> 2013/12/05 10:46:32| Initializing https proxy context
> 2013/12/05 10:46:32| Initializing http_port [::]:4128 SSL context
> 2013/12/05 10:46:32| Using certificate in /etc/ssl/demoCA/CA/cacert.pem
> 2013/12/05 10:46:32| storeDirWriteCleanLogs: Starting...
> 2013/12/05 10:46:32| Finished. Wrote 0 entries.
> 2013/12/05 10:46:32| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for http_port [::]:4128
> Squid Cache (Version 3.3.10): Terminated abnormally.
> CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
> Maximum Resident Size: 25808 KB
> Page faults with physical i/o: 0
>
> d) If I change the certificate to a certificate signed by this CA, then it works
> (the Common Name in the certificate is replaced), but I have to add an exception
> for each site.
>
> Thanks,
> Sridhar
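As an added example that is not part of this thread (my code, not Squid's and not either poster's), here is a small stdlib-only Python linter for the prerequisites the reply lists: an http_port with ssl-bump and generate-host-certificates=on needs an sslcrtd_program directive, and the certificate database named by its -s argument must exist and be owned by the Squid user. The two embedded configs are constructed from the thread (the poster's port line, and the same config with Shinoj's three lines added); the directive names, the /var/lib/ssl_db path and the "squid" owner are the values given on the page, and the hypothetical function names are mine.

```python
"""Lint a squid.conf for the ssl-bump dynamic-certificate prerequisites
discussed in the thread (added example, not Squid's own tooling)."""
import os
import pwd
import stat

# Constructed sample: the original poster's relevant lines.
POSTER_CONF = """\
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 4128 ssl-bump generate-host-certificates=on cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
ssl_bump server-first all
"""

# Constructed sample: the same config with the lines from the reply added.
FIXED_CONF = POSTER_CONF + """\
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 50
always_direct allow all
"""


def parse_directives(conf_text):
    """Return (directive, args) tuples; comments and blank lines are dropped."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            out.append((words[0], words[1:]))
    return out


def port_options(args):
    """Split http_port arguments into the port spec and an option dict:
    bare flags map to True, name=value options map to their value."""
    opts = {}
    for word in args[1:]:
        name, sep, value = word.partition("=")
        opts[name] = value if sep else True
    return args[0], opts


def lint_sslbump(conf_text):
    """Return a list of findings; an empty list means the thread's
    prerequisites are all present in the config text."""
    directives = parse_directives(conf_text)
    names = {name for name, _ in directives}
    findings = []
    bumping = False
    for directive, args in directives:
        if directive not in ("http_port", "https_port") or not args:
            continue
        port, opts = port_options(args)
        if "ssl-bump" not in opts:
            continue
        bumping = True
        if "cert" not in opts:
            findings.append(f"{directive} {port}: ssl-bump without cert=")
        if opts.get("generate-host-certificates") == "on" and "sslcrtd_program" not in names:
            findings.append(f"{directive} {port}: generate-host-certificates=on "
                            "but no sslcrtd_program directive")
    if bumping and "ssl_bump" not in names:
        findings.append("ssl-bump port configured but no ssl_bump rule")
    return findings


def ssl_db_path(conf_text):
    """Return the directory after '-s' in sslcrtd_program, or None if absent."""
    for directive, args in parse_directives(conf_text):
        if directive == "sslcrtd_program" and "-s" in args:
            i = args.index("-s")
            if i + 1 < len(args):
                return args[i + 1]
    return None


def owner_name(uid):
    """Map a uid to a user name, falling back to the numeric id."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_ssl_db(path, expected_owner="squid"):
    """Check that the ssl_crtd database exists, is a directory and is owned
    by the Squid user; returns findings (empty when all is well)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist; create it with: ssl_crtd -c -s {path}"]
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{path} is not a directory")
    owner = owner_name(st.st_uid)
    if owner != expected_owner:
        findings.append(f"{path} is owned by {owner}, expected {expected_owner}")
    return findings


if __name__ == "__main__":
    for label, conf in (("poster", POSTER_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_sslbump(conf) or "ok")
    db = ssl_db_path(FIXED_CONF)
    print(db, check_ssl_db(db) or "ok")
```

Run against the poster's config it reports the missing sslcrtd_program line; against the fixed config it reports nothing and then checks /var/lib/ssl_db on the local filesystem, which is where the ownership problem the reply warns about would show up.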