On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:

> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>
> I have found that this is related to missing self signed certificate,
> and since I do not want to use self signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self signed certificates so my users would not
> need to import and replace my own certs.

Have you tried adding the option "generate-host-certificates=off" to your
https_port line?

I'm not an expert on this bit of Squid, but I'm just looking at
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing
anything to do with a "signing certificate" (which you do not have, and do not
want to use).

> And here is my complete squid.conf:
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
>
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320

Antony.

-- 
You can tell that the day just isn't going right when you find yourself using
the telephone before the toilet.

Please reply to the list;
please *don't* CC me.
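
Added example (not part of the original message, and not Squid project code): a small Python check that joins a backslash-continued https_port directive, reports whether generate-host-certificates is set, and tests whether the files named by cert=, key=, clientca= and tls-dh= are readable by the current user. The sample config and its paths are constructed placeholders, and the readability test is an extra sanity step that nobody in the thread suggested.

```python
import os
# Options on the posted https_port line whose values are file paths.
FILE_OPTIONS = ("cert", "key", "clientca", "tls-dh")

# Constructed sample modelled on the posted directive; paths are placeholders.
SAMPLE = """\
http_access deny all  # trailing comment
https_port 8443 \\
    cert=/etc/squid/example/cert.pem \\
    key=/etc/squid/example/key.pem \\
    cipher=HIGH
"""

def logical_lines(text):
    """Join backslash-continued lines; drop '#' comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).split("#", 1)[0].strip()
        if buf:
            out.append(buf)
        buf = ""
    return out

def https_ports(text):
    """Return {'address', 'options'} for every https_port directive."""
    ports = []
    for words in (l.split() for l in logical_lines(text)):
        if words[0] == "https_port" and len(words) > 1:
            opts = dict(w.partition("=")[::2] for w in words[2:])
            ports.append({"address": words[1], "options": opts})
    return ports

def report(text, readable=lambda path: os.access(path, os.R_OK)):
    findings = []  # (address, item, state) tuples for a pre-start review
    for port in https_ports(text):
        addr, opts = port["address"], port["options"]
        ghc = opts.get("generate-host-certificates", "(not set)")
        findings.append((addr, "generate-host-certificates", ghc))
        for name in (n for n in FILE_OPTIONS if n in opts):
            state = "readable" if readable(opts[name]) else "NOT readable"
            findings.append((addr, f"{name}={opts[name]}", state))
    return findings

if __name__ == "__main__":
    print(*report(SAMPLE), sep="\n")
```

To review a real file, pass its contents to report() while running as the account Squid runs under, since os.access() answers for the calling user only.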