On 15/10/2015 9:51 a.m., Ian Silvester wrote:
> Hi all,
>
> I'm following the instructions on this page
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> to set up Squid as an end-point for HTTPS communications, and am hitting
> an error when attempting to create and initialize an SSL certificates
> cache directory.
>
> Having taken care to ensure that my chosen directory exists
> (/usr/local/var/cache/squid/ssl_db) and has the same ownership as the
> user which I'm using to execute ssl_crtd, I execute the following
> command from within squid's libexec directory:
>
> ./ssl_crtd -c -s /usr/local/var/cache/squid/ssl_db
>
> This gives the following output:
>
> Initialization SSL db...
> ./ssl_crtd: Cannot create /usr/local/var/cache/squid/ssl_db
>
>
> All the mailing list searching I've done suggests that this is a
> permissions issue, but the folder is owned by me, has permissions 755,
> and I'm running ssl_crtd.
>
> For what it's worth, I'm running v3.5.7 on OS X (via Homebrew) which was
> built with --enable-ssl --enable-ssl-crtd --disable-eui

--enable-ssl does not exist in Squid-3.5. Use --with-openssl instead.

Please also try to get the very latest 3.5 release when dealing with
ssl-bump, the features are quite volatile still. Currently that is 3.5.10
for stable production use or 4.0.1 (beta) if it works for your needs.

>
> Can anyone suggest what my issue might be? Does ssl_crtd internally run
> as an alternate user? I don't appear to have any user accounts dedicated
> to Squid.

That does not matter until after the DB has been created, in order to
make sure the DB is useable by the Squid initiated helpers.

You should be able to run the above creation command with any account
having ownership of the directory - but not use the resulting DB with
Squid.

Sadly that helper has quite bad debugging output still. So you won't get
much better output from newer Squid releases, just better behaviour.

The following is how to determine your squid low-privilege account name:

* Run "squid -k parse 2>&1 | grep cache_effective_user" to see if
  squid.conf has been configured to override the built-in account with
  something specific to your install,

* if nothing is found; Run "squid -v" to see if the --with-default-user
  build option has been set to any particular account name,

* Otherwise; the default is account "nobody".

Amos
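
The three-step lookup above, as an added shell example that is not part of the original message or of the Squid project. The function names and the sample `squid -k parse` / `squid -v` output are constructed for illustration, and the output formats they imitate are assumptions. The final ownership comparison assumes the ssl_db directory should end up owned by the resolved account.

```shell
#!/bin/sh
# Added example: resolve Squid's low-privilege account in the order given above.
# Inputs are passed as text so the logic can be checked without Squid installed.

# Step 1: account named by cache_effective_user in "squid -k parse" output (stdin).
user_from_parse() {
    sed -n 's/.*cache_effective_user[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' | tail -n 1
}

# Step 2: account named by --with-default-user in "squid -v" output (stdin).
user_from_build() {
    sed -n "s/.*--with-default-user=\([^'\"[:space:]]*\).*/\1/p" | head -n 1
}

# Steps 1-3 combined: $1 = parse output, $2 = version output; falls back to "nobody".
resolve_squid_user() {
    user=$(printf '%s\n' "$1" | user_from_parse)
    [ -n "$user" ] || user=$(printf '%s\n' "$2" | user_from_build)
    printf '%s\n' "${user:-nobody}"
}

# Owner of a directory as reported by ls (portable across OS X and Linux).
dir_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Constructed sample output (assumed format, not captured from a real install).
SAMPLE_PARSE='2015/10/15 09:51:00| Processing: cache_effective_user squid'
SAMPLE_VERSION="Squid Cache: Version 3.5.10
configure options:  '--with-openssl' '--enable-ssl-crtd' '--with-default-user=proxy'"

resolve_squid_user "$SAMPLE_PARSE" "$SAMPLE_VERSION"   # config override wins
resolve_squid_user "" "$SAMPLE_VERSION"                # build-time default
resolve_squid_user "" "Squid Cache: Version 3.5.10"    # built-in fallback

# On a real host: compare the resolved account with the ssl_db owner.
if command -v squid >/dev/null 2>&1; then
    want=$(resolve_squid_user "$(squid -k parse 2>&1)" "$(squid -v 2>&1)")
    have=$(dir_owner /usr/local/var/cache/squid/ssl_db)
    [ "$want" = "$have" ] || echo "ssl_db owned by '$have', Squid helpers run as '$want'"
fi
```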