No CA issues a signing CA for a subject which is not a CA itself. So, the OP wants an impossible thing.

24.08.2016 18:15, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>
>> Squid fails to start for me with:
>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>
>> I have found that this is related to missing self signed certificate,
>> and since I do not want to use self signed certificate I am asking if I
>> can do anything about it.
>> I would like to avoid self signed certificates so my users would not
>> need to import and replace my own certs.
>
> Have you tried adding the option "generate-host-certificates=off" to your
> https_port line?
>
> I'm not an expert on this bit of Squid, but I'm just looking at
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing
> anything to do with a "signing certificate" (which you do not have, and do not
> want to use).
>
>> And here is my complete squid.conf:
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 901 # SWAT
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny to_localhost
>>
>> auth_param basic program /usr/libexec/squid/basic_pam_auth
>> auth_param basic children 5
>> auth_param basic realm Proxy Authentication Required
>> auth_param basic credentialsttl 2 hours
>>
>> acl authenticated proxy_auth REQUIRED
>> http_access allow authenticated
>> http_access deny all
>>
>> https_port 8443 \
>> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>> clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>> tls-dh=/etc/ssl/certs/dhparam.pem \
>> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>> cipher=HIGH
>> cache_dir aufs /var/cache/squid 512 16 256
>> coredump_dir /var/cache/squid
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>
> Antony.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users