Does the certificate match the key? Is there a passphrase for the key? If yes, please remove the passphrase.

Are you able to get it working with generate-host-certificates=off ?

Regards,
Shinoj.

> -----Original Message-----
> From: Sridhar N [mailto:sridhar.narasimhan@xxxxxxxx]
> Sent: Monday, December 09, 2013 6:20 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: RE: Using trusted fake CA cert for ssl-bump on http_port
>
> ----------------------------------------
> > From: sgangadharan@xxxxxxxxxxxx
> > Date: Mon, 9 Dec 2013 11:55:42 +0530
> >
> > Hi Sridhar,
> >
> > I don’t see the following in your config file :
> >
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> > sslcrtd_children 50
> >
> > always_direct allow all
> >
> >
> > /var/lib/ssl_db should be owned by squid. This is where the generated
> > certificates will be stored. This folder is created by using the command :
> >
> > ssl_crtd -c -s /var/lib/ssl_db
> >
>
> Thanks. I added those lines, still getting the same problem though.
>
> What else might be going on ?
>
> root@ubuntu:~# squid -k parse
> 2013/12/09 18:17:57| Startup: Initializing Authentication Schemes ...
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'basic'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'digest'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'negotiate'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'ntlm'
> 2013/12/09 18:17:57| Startup: Initialized Authentication.
> 2013/12/09 18:17:57| Processing Configuration File: /usr/local/etc/squid.conf (depth 0)
> 2013/12/09 18:17:57| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
> 2013/12/09 18:17:57| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> 2013/12/09 18:17:57| Processing: acl SSL_ports port 443
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 80 # http
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 21 # ftp
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 443 # https
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 70 # gopher
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 210 # wais
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 1025-65535 # unregistered ports
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 280 # http-mgmt
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 488 # gss-http
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 591 # filemaker
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 777 # multiling http
> 2013/12/09 18:17:57| Processing: acl CONNECT method CONNECT
> 2013/12/09 18:17:57| Processing: http_access deny !Safe_ports
> 2013/12/09 18:17:57| Processing: http_access allow localhost manager
> 2013/12/09 18:17:57| Processing: http_access deny manager
> 2013/12/09 18:17:57| Processing: http_access allow localnet
> 2013/12/09 18:17:57| Processing: http_access allow localhost
> 2013/12/09 18:17:57| Processing: http_access allow all
> 2013/12/09 18:17:57| Processing: http_port 4128 ssl-bump generate-host-certificates=on cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
> 2013/12/09 18:17:57| Processing: ssl_bump server-first all
> 2013/12/09 18:17:57| Processing: sslcrtd_program /usr/local/libexec/ssl_crtd -s /usr/local/var/lib/ssl_db
> 2013/12/09 18:17:57| Processing: sslcrtd_children 5
> 2013/12/09 18:17:57| Processing: always_direct allow all
> 2013/12/09 18:17:57| Processing: coredump_dir /usr/local/var/cache/squid
> 2013/12/09 18:17:57| Processing: refresh_pattern ^ftp: 1440 20% 10080
> 2013/12/09 18:17:57| Processing: refresh_pattern ^gopher: 1440 0% 1440
> 2013/12/09 18:17:57| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> 2013/12/09 18:17:57| Processing: refresh_pattern . 0 20% 4320
> 2013/12/09 18:17:57| Initializing https proxy context
> 2013/12/09 18:17:57| Initializing http_port [::]:4128 SSL context
> 2013/12/09 18:17:57| Using certificate in /etc/ssl/demoCA/CA/cacert.pem
> 2013/12/09 18:17:57| storeDirWriteCleanLogs: Starting...
> 2013/12/09 18:17:57| Finished. Wrote 0 entries.
> 2013/12/09 18:17:57| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for http_port [::]:4128
> Squid Cache (Version 3.3.10): Terminated abnormally.
> CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
> Maximum Resident Size: 25808 KB
> Page faults with physical i/o: 0
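
The two checks asked about at the top of this message (does the certificate match the key, does the key carry a passphrase), written out as an added example that is not part of the original thread. The function name `check_bump_pair` and its return codes are assumptions made here; the paths in the usage comment are the ones from the quoted `http_port` line.

```shell
#!/bin/sh
# Added example (not from the thread): checks on the cert=/key= pair of an
# ssl-bump http_port. check_bump_pair and its return codes are names chosen here.
# Usage: sh check_pair.sh /etc/ssl/demoCA/CA/cacert.pem /etc/ssl/demoCA/CA/cacert.key

check_bump_pair() {
    cert=$1
    key=$2

    # The cert= file must parse as a PEM X.509 certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM certificate"
        return 1
    }

    # Both PEM encryption styles carry the word ENCRYPTED in the file:
    # "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) and "Proc-Type: 4,ENCRYPTED".
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
        echo "FAIL: $key is passphrase-protected"
        echo "      strip it with: openssl pkey -in $key -out <new-key-file>"
        return 2
    fi

    # -passin pass: supplies an empty passphrase so openssl never prompts.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "FAIL: $key is not a readable private key"
        return 3
    }

    # Certificate and key belong together only if their public keys are equal.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert was not issued for the key in $key"
        return 4
    fi

    echo "OK: certificate and key match, key has no passphrase"
    return 0
}

# Run the check only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_bump_pair "$1" "$2"
fi
```
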