Hello Robert, I had the same error with Firefox only, for me the solution was to patch gadgets.cc as indicated here https://github.com/ra-at-diladele-com/qlproxy_external/wiki/Filtering-HTTPS Raf. On 3/29/14 12:53 PM, "Robert Becskei" <robert.becskei@xxxxxxxxx> wrote: >Hello everyone, > > These are the steps I did to install this server (inside vmware >workstation): > >Ifconfig eth0 192.168.186.250 >Ifconfig eth0:0 192.168.201.250 >Ip_forward enabled > >1. Install centos 6 > >2. Upgrade centos 6 (yum upgrade) > >3. Disable SeLinux ( I don¹t like it) > >4. Reboot > >5. Enable epel repo > >cd /home >wget >http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm >rpm Uvh epel-release-6.8.noarch.rpm > >6. Enable Squid repo >cd /etc/yum.repos.d >vi SQUID.repo >[squid] >name=Squid repo for CentOS 6 >baseurl=http://www1.ngtech.co.il/rpm/centos/6/i686 >failovermethod=priority >enabled=1 >gpgcheck=0 > >7. Yum update >yum install perl-Crypt-OpenSSL-X509 >yum install squid > >8. /usr/lib/squid/ssl_crtd c s /var/lib/ssl_db > >9. Create certificates for SQUID like this >cd /etc/pki/CA >cp /etc/pki/tls/openssl.cnf openssl.cnf >then I¹ve edited the openssl.conf like this >dir = . # Where everything is kept >certificate = $dir/certs/ca.crt # The CA certificate >private_key = $dir/private/ca.key # The private key > >+ filed in default values for company, site, domain , e-mail address. > > > 10. Created key's like this : >openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout >private/ca.key -out certs/ca.crt -days 3650 >openssl req -config openssl.cnf -new -nodes -keyout private/home.key -out >home.csr -days 3650 >openssl ca -config openssl.cnf -policy policy_anything -out certs/home.crt >-infiles home.csr > >11. Copied the files to SQUID folder > >/etc/squid/ssl_cert/ca.crt >/etc/squid/ssl_cert/home.crt >/etc/squid/ssl_cert/private/home.key >Cd /etc/squid/ssl_cert/private/ >Cp home.key home.back >Openssl rsa -in home.bak -out home.key > >12. SQUID config >acl localnet src 192.168.201.0/24 > >acl SSL_ports port 443 >acl Safe_ports port 80 # http >acl Safe_ports port 21 # ftp >acl Safe_ports port 443 # https >acl Safe_ports port 70 # gopher >acl Safe_ports port 210 # wais >acl Safe_ports port 1025-65535 # unregistered ports >acl Safe_ports port 280 # http-mgmt >acl Safe_ports port 488 # gss-http >acl Safe_ports port 591 # filemaker >acl Safe_ports port 777 # multiling http >acl CONNECT method CONNECT > >http_access deny !Safe_ports >http_access deny CONNECT !SSL_ports > >http_access allow all > >http_port 3130 > >http_port 3128 intercept >https_port 3129 intercept ssl-bump generate-host-certificates=on >dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/home.crt >key=/etc/squid/ssl_cert/private/home.key > >#always_direct allow all >ssl_bump server-first all >#sslproxy_cert_error allow all >#sslproxy_flags DONT_VERIFY_PEER > >sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB >sslcrtd_children 5 > >coredump_dir /var/spool/squid > ># Add any of your own refresh_pattern entries above these. >refresh_pattern ^ftp: 1440 20% 10080 >refresh_pattern ^gopher: 1440 0% 1440 >refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 >refresh_pattern . 0 20% 4320 > > >shutdown_lifetime 1 second > >#debug_options ALL,2 > > >13. DNS server on this machine (so that proxy.home.lan resolves...) >/etc/named.conf >// >// named.conf >// >// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS >// server as a caching only nameserver (as a localhost DNS resolver only). >// >// See /usr/share/doc/bind*/sample/ for example named configuration files. >// > >acl mynet { > 192.168.201.0/24; # test network > 127.0.0.1; # localhost > }; > >options { > listen-on { > mynet; > }; > listen-on-v6 port 53 { ::1; }; > directory "/var/named"; > dump-file "/var/named/data/cache_dump.db"; > statistics-file "/var/named/data/named_stats.txt"; > memstatistics-file "/var/named/data/named_mem_stats.txt"; > allow-query { mynet; }; > recursion yes; > > forward only; > forwarders { > 8.8.8.8; > }; > > dnssec-enable yes; > dnssec-validation yes; > dnssec-lookaside auto; > > /* Path to ISC DLV key */ > bindkeys-file "/etc/named.iscdlv.key"; > > managed-keys-directory "/var/named/dynamic"; >}; > >logging { > channel default_debug { > file "data/named.run"; > severity dynamic; > }; >}; > >zone "." IN { > type hint; > file "named.ca"; >}; > >include "/etc/named.rfc1912.zones"; >include "/etc/named.root.key"; > >############################################# ># home.lan >############################################# > >zone "home.lan" IN { > type master; > file "/var/named/home.lan/db.home"; > allow-query { > mynet; > }; > }; > >/var/named/home.lan/db.home >$ORIGIN home.lan. >$TTL 86400 >@ IN SOA proxy.home.lan. proxy.home.lan. ( > 2014032801 ; Serial > 28800 ; Refresh > 7200 ; Retry > 604800 ; Expire > 86400 ; Negative Cache TTL > ) >@ IN NS proxy.home.lan. >proxy IN A 192.168.186.250 > > >14. Install NTP on this server to sync time properly > >15. Configure Windows XP client (fully updated ) to use 192.168.201.250 as >default gateway and as DNS >16. Ping proxy.home.lan it resolves, ping www.google.com it resolves >17. www.google.com I get a warning that the certificate is not trusted >(but >only with firefox) do I want to install, I can check certificate >It is correctly issued by proxy.home.lan for www.google.com . >18. Install ca.crt into clients root trusted certificates >19. behold error (and be very frustrated) : Peer's certificate has an >invalid signature > >I tried to re-do my steps, I tried multiple howto's (some were outdated) >I've tried the irc for squid, but no help. What did I overlook here? >Why is this not working ? > >Oh iptables on server is > >iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j >DNAT >--to 192.168.201.250:3128 >iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j >DNAT >--to 192.168.201.250:3129 > >There is no error in log file , I have checked certificates are generated >for the sites I visit in /var/lib/ssl_db >For example www.grc.com get's a generated certificate even though I am not >able to access it. >Only firefox was friendly enough to provide this error above, Internet >explorer does not display anything at all, regardless if certificate >Is installed on client or not. (guess they went 100% sure this time with >certificates to disallow by default) > >Thank you for reading this, and please help if you can. > >Greetings >Robert > > > > > > > > > >
