I've got Squid 3.4.12 on CentOS 7, running with SSL bumping.
Options for ssl_crtd in squid.conf: -s /etc/ssl/certs/cache/ -M 4MB -b 4096
After a while SSL stops working.
How can I make squid or ssl_crtd actually log errors?
Any hints as to what I can investigate to figure out what is happening here?
Details:
After a little while, the clients start doing this:
[root@web-t01 ~]# curl https://www.googleapis.com/analytics/v2.4/management/accounts/~all/webproperties/~all/profiles
curl: (35) SSL connect error
for URLs that have not been accessed successfully since recreation of certs.
And this for sites which HAVE been accessed successfully (after
recreation - and before it breaks itself):
[root@web-t01 ~]# curl https://kbenhavns-kommune.clients.ubivox.com/xmlrpc/
curl: (51) SSL: certificate subject name 'squid CA' does not match target host name 'kbenhavns-kommune.clients.ubivox.com'
If I then recreate my certs folder for the ssl_crtd cache folder (on the Squid
server), both work again:
[root@web-t01 ~]# curl https://kbenhavns-kommune.clients.ubivox.com/xmlrpc/
[root@web-t01 ~]# curl https://www.googleapis.com/analytics/v2.4/management/accounts/~all/webproperties/~all/profiles
<?xml version="1.0" encoding="UTF-8"?><errors
xmlns="http://schemas.google.com/g/2005"><error><domain>GData</domain><code>required</code><location
type="header">Authorization</location>
There are no errors in the Squid logs.
If I try to run ssl_crtd to issue a cert:
# /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB -b 4096
new_certificate 13 host=www.googleapis.com
/usr/lib64/squid/ssl_crtd: Error while parsing the crtd request: Broken signing certificate!
Even though Squid works... so I seem to be testing wrongly.
--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users