On 27/07/2015 12:06 p.m., David Touzeau wrote:
>
> Dear
>
> I have my certificate and my own Root CA, which are already installed on all
> computers, and need to use them in Squid.
>
> using
>
> The Certificate :
> --------------------------------------------------------------------------------------------------
>
> openssl x509 -subject -issuer -enddate -noout -in certificate.pem
> subject= /C=FR/ST=Ile de France/L=Paris/O=My Company/OU=IT service/CN=proxyweb.domain.tld
> issuer= /CN=ACTISSIA-CA
> notAfter=Jul 8 12:32:53 2016 GMT
>
> The Root CA
> --------------------------------------------------------------------------------------------------
>
> openssl x509 -subject -issuer -enddate -noout -in /etc/squid3/Cafile.ca
> subject= /CN=ACTISSIA-CA
> issuer= /CN=ACTISSIA-CA
> notAfter=Apr 10 08:03:12 2019 GMT
>
>
> Verify certificate and Root CA:
> --------------------------------------------------------------------------------------------------
>
> /usr/bin/openssl verify -verbose -CAfile /etc/squid3/Cafile.ca /etc/squid3/certificate.pem
> certificate.pem: OK
>
>
> I have created the chain:
>
> cat /etc/squid3/Cafile.ca >/etc/squid3/chain.pem
> cat /etc/squid3/certificate.pem >>/etc/squid3/chain.pem
>
> Added :
> http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/chain.pem
>
> But I was unable to start Squid, with the error:
>
> 2015/07/27 00:57:43| Using certificate in /etc/squid3/ssl/calast.pem
> 2015/07/27 00:57:43| storeDirWriteCleanLogs: Starting...
> 2015/07/27 00:57:43| Finished. Wrote 0 entries.
> 2015/07/27 00:57:43| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for HTTP_port 0.0.0.0:3128
> Squid Cache (Version 3.5.6): Terminated abnormally.

Firstly: notice that what Squid is loading is a file called calast.pem, not the chain.pem one your config snippet shows.
Secondly: what happens with ssl-bump generate-host-certificates=on is that Squid generates a *third* certificate, tied specifically to the domain the client asked for, and sends that to the client. It needs to be signed by a CA the client trusts. Does /etc/squid3/chain.pem contain the private key of a CA whose public key is already trusted by the client?

*Without* generate-host-certificates, Squid would just load the certificate.pem part out of chain.pem and send that to the client.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
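The check Amos is asking for, as an added example that is not part of the thread or of Squid itself: with generate-host-certificates=on the cert= file (or cert= plus key=) must hold a CA certificate together with its matching private key, because Squid signs the per-host certificates with that key. The script below tests exactly that with the openssl CLI, and builds throwaway demo material so the failure modes can be seen: a bundle made the way the post did (CA cert plus server cert, no key), a bundle with a non-matching key, and a bundle Squid can actually sign with. The names DEMO-CA, proxyweb.example.test and the file names are constructed for the demo; it assumes an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PEM file is usable as
# the cert= (and optional key=) of a Squid http_port running
# ssl-bump generate-host-certificates=on. Squid signs the per-host certificates
# it generates with the CA in that file, so the file must hold a CA certificate
# AND the matching private key; a CA cert plus a server cert, as in the post,
# gives Squid nothing to sign with.

# squid_bump_pem_check CERTFILE [KEYFILE]
# KEYFILE defaults to CERTFILE (Squid's cert= may carry both, or key= may
# point elsewhere). Prints the first problem found and returns 1, else 0.
squid_bump_pem_check() {
    cert="$1"
    key="${2:-$1}"
    [ -r "$cert" ] || { echo "$cert: cannot read"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$cert" \
        || { echo "$cert: no certificate block"; return 1; }
    grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$key" 2>/dev/null \
        || { echo "$key: no unencrypted private key block; Squid has nothing to sign with"; return 1; }
    # openssl x509 reads the first certificate in the file; that is the signer,
    # so it must be a CA certificate
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "$cert: first certificate is not a CA (no basicConstraints CA:TRUE)"; return 1; }
    # the private key must belong to that certificate: compare public keys
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || :)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || :)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$key: private key does not match the CA certificate in $cert"; return 1; }
    echo "$cert: OK, CA certificate with matching private key"
}

# make_demo_bundles DIR
# Builds a throwaway CA and leaf (constructed demo data; DEMO-CA and
# proxyweb.example.test are made-up names) and three bundles:
#   chain-as-posted.pem   CA cert + leaf cert, no key   (what the post did)
#   ca-wrong-key.pem      CA cert + the leaf's key       (mismatched key)
#   squid-bump-ca.pem     CA cert + CA key               (what Squid needs)
make_demo_bundles() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = DEMO-CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=proxyweb.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/ca.crt" "$dir/leaf.crt" > "$dir/chain-as-posted.pem"
    cat "$dir/ca.crt" "$dir/leaf.key" > "$dir/ca-wrong-key.pem"
    cat "$dir/ca.crt" "$dir/ca.key"   > "$dir/squid-bump-ca.pem"
}

# `sh bumpcheck.sh demo` builds the demo bundles and checks all three;
# `sh bumpcheck.sh CERTFILE [KEYFILE]` checks your own files.
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        make_demo_bundles "$tmp"
        for f in chain-as-posted.pem ca-wrong-key.pem squid-bump-ca.pem; do
            squid_bump_pem_check "$tmp/$f"
        done
        rm -rf "$tmp" ;;
    "") ;;
    *)  squid_bump_pem_check "$@" ;;
esac
```

Only the CA certificate (ca.crt) is what gets installed on the clients; the private key stays on the proxy in the cert= file, and that is the part the post's chain.pem was missing. The demo's chain-as-posted.pem reproduces that gap and is rejected at the private-key check before Squid ever sees it.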