Search squid archive

Re: 3.5.6: need help: FATAL: No valid signing SSL certificate but openssl verify is OK

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 27/07/2015 12:06 p.m., David Touzeau wrote:
> 
> Dear
> 
> My certificate and my own Root CA's that are already installed on all
> computers and need to use it in Squid.
> 
> using
> 
> The Certificate :
> --------------------------------------------------------------------------------------------------
> 
> openssl x509 -subject -issuer -enddate -noout -in certificate.pem
> subject= /C=FR/ST=Ile de France/L=Paris/O=My Company/OU=IT
> service/CN=proxyweb.domain.tld
> issuer= /CN=ACTISSIA-CA
> notAfter=Jul  8 12:32:53 2016 GMT
> 
> The Root CA
> --------------------------------------------------------------------------------------------------
> 
> openssl x509 -subject -issuer -enddate -noout -in /etc/squid3/Cafile.ca
> subject= /CN=ACTISSIA-CA
> issuer= /CN=ACTISSIA-CA
> notAfter=Apr 10 08:03:12 2019 GMT
> 
> 
> Verify certificate and Root's CA:
> --------------------------------------------------------------------------------------------------
> 
> /usr/bin/openssl verify -verbose -CAfile /etc/squid3/Cafile.ca
> /etc/squid3/certificate.pem
> certificate.pem: OK
> 
> 
> i have create the chain
> 
> cat /etc/squid3/Cafile.ca >/etc/squid3/chain.pem
> cat /etc/squid3/certificate.pem >>/etc/squid3/chain.pem
> 
> Added :
> http_port 0.0.0.0:3128  ssl-bump  generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/chain.pem
> 
> But i was unable to start squid with the error
> 
> 2015/07/27 00:57:43| Using certificate in /etc/squid3/ssl/calast.pem
> 2015/07/27 00:57:43| storeDirWriteCleanLogs: Starting...
> 2015/07/27 00:57:43|   Finished.  Wrote 0 entries.
> 2015/07/27 00:57:43|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for HTTP_port
> 0.0.0.0:3128
> Squid Cache (Version 3.5.6): Terminated abnormally.
> 

Firstly;

 Notice that what Squid is loading a file called calast.pem. Not the
chain.pem one your config snippet shows.


Secondly;

What happens in ssl-bump generate-host-certificates=on is that Squid
generates a *third* certificate tied specifically to the domain the
client asked for, and sends that to the client.

It needs to be signed by a CA the client trusts.

Does /etc/squid3/chain.pem contain the private key of a CA whose public
key is trusted by the client already?


*without* the generate-host-certificates Squid would just be loading the
certificate.pem part out of chain.pem and sending that to the client.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux