Search squid archive

Cert authority invalid failures.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I’m curious as to why this is happening.

 

Proxy was implemented last week and since then I’ve been dealing with all the sites that don’t work. Not a problem, knew it was going to happen. I’d like to understand why the following is happening.

 

1.       User goes to https://www.whatever.com

2.       Browser, mostly chrome, gives the following error.   Connection not private. NET:ERR_CERT_AUTHORITY_INVALID 

3.       If you view the cert it shows the dynamic cert listed.

4.       Click the “Proceed to www.whatever.com (unsafe )

5.       Now I get a squid error.  Requested url could not be retrieved.  Access denied while trying to retrieve https:// some ip address/*

 

Thing is I don’t have an acl blocking that ip?   ( Small sub question here, is there a way to tell which acl blocks something? )

 

What I’ve had to do to get around this is add www.whatever.com to my broken_sites.acl.    Then add the ip to an allowed_ips.acl.

 

Then I http_access allow the ips list

 

And skip peeking at the broken site.

 

acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"

ssl_bump peek !broken_sites

ssl_bump splice all

 

I’m trying to understand why this is breaking and if I’m doing the right thing in fixing it.

 

 

The second error I’m getting is:

 

The following error was encountered while trying to retrieve the URL: https://*.agentimediaservices.com/*

Failed to establish a secure connection to 63.240.52.151

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA

Same question.  From what I’ve read this means that I don’t have the correct root ca?  Is that correct?  If so is the fix to then go try to find the correct .crt and add it to the standard ca-cert store? ( I’m on debian so /usr/share/ca-certificates/Mozilla )

 

Again, is this correct as to what is going wrong and the correct fix?

 

Thank you

 

 

Bruce Markey | Network Security Analyst

STEINMAN COMMUNICATIONS

717.291.8758 (o) bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx

8 West King St | PO Box 1328, Lancaster, PA 17608-1328

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux