On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:

> No CA issues a signing CA to a subject which is not itself a CA.
>
> So, the OP wants an impossible thing.

Why would one need a signING certificate just to create an SSL connection
between the browser and Squid?  Surely one merely needs a valid signED
certificate, same as you would put on a web server to set up secure connections
to it?

OP is not intercepting secure traffic, nor making HTTP sites look to the browser
like HTTPS ones.

Antony.

> 24.08.2016 18:15, Antony Stone wrote:
> > On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
> >> Squid fails to start for me with:
> >> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> >>
> >> I have found that this is related to a missing self-signed certificate,
> >> and since I do not want to use a self-signed certificate I am asking if I
> >> can do anything about it.
> >> I would like to avoid self-signed certificates so my users would not
> >> need to import and replace my own certs.
> >
> > Have you tried adding the option "generate-host-certificates=off" to your
> > https_port line?
> >
> > I'm not an expert on this bit of Squid, but I'm just looking at
> > http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
> > noticing
> > anything to do with a "signing certificate" (which you do not have, and do not
> > want to use).
> >
> >> And here is my complete squid.conf:
> >>
> >> acl SSL_ports port 443
> >> acl Safe_ports port 80          # http
> >> acl Safe_ports port 21          # ftp
> >> acl Safe_ports port 443         # https
> >> acl Safe_ports port 70          # gopher
> >> acl Safe_ports port 210         # wais
> >> acl Safe_ports port 1025-65535  # unregistered ports
> >> acl Safe_ports port 280         # http-mgmt
> >> acl Safe_ports port 488         # gss-http
> >> acl Safe_ports port 591         # filemaker
> >> acl Safe_ports port 777         # multiling http
> >> acl Safe_ports port 901         # SWAT
> >> acl CONNECT method CONNECT
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> http_access allow localhost manager
> >> http_access deny manager
> >> http_access deny to_localhost
> >>
> >> auth_param basic program /usr/libexec/squid/basic_pam_auth
> >> auth_param basic children 5
> >> auth_param basic realm Proxy Authentication Required
> >> auth_param basic credentialsttl 2 hours
> >>
> >> acl authenticated proxy_auth REQUIRED
> >> http_access allow authenticated
> >> http_access deny all
> >>
> >> https_port 8443 \
> >>     cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> >>     key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> >>     clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> >>     tls-dh=/etc/ssl/certs/dhparam.pem \
> >>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> >>     cipher=HIGH
> >>
> >> cache_dir aufs /var/cache/squid 512 16 256
> >> coredump_dir /var/cache/squid
> >> refresh_pattern ^ftp:           1440    20%     10080
> >> refresh_pattern ^gopher:        1440    0%      1440
> >> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> >> refresh_pattern .               0       20%     4320
> >
> > Antony.

-- 
I think broken pencils are pointless.

Please reply to the list;
please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
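The whole disagreement above turns on one X.509 distinction: a signING certificate (a CA, basicConstraints CA:TRUE with keyCertSign) versus a signED server certificate such as the Let's Encrypt cert.pem in the posted squid.conf. The script below is an added example and is not from the thread or from the Squid project; it uses openssl(1) to classify a PEM certificate, generates a constructed CA and a constructed leaf to classify, and models the rule Antony is pointing at as a labelled assumption: only a port that must mint host certificates itself (generate-host-certificates=on) needs a signing CA, while a port that merely terminates TLS needs an ordinary leaf. The function names (cert_role, port_cert_ok, make_demo_certs) are invented for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid. Assumes openssl(1) is installed.
set -eu

# Print "ca" if the certificate can sign other certificates (basicConstraints CA:TRUE
# and, when a keyUsage extension is present, Certificate Sign), "leaf" otherwise.
# A file that is not a certificate prints "invalid" and returns 1.
cert_role() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo invalid; return 1; }
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 Basic Constraints/ { want_bc = 1; next }
    want_bc                    { if ($0 ~ /CA:TRUE/) ca = 1; want_bc = 0 }
    /X509v3 Key Usage/         { want_ku = 1; has_ku = 1; next }
    want_ku                    { if ($0 ~ /Certificate Sign/) sign = 1; want_ku = 0 }
    END { r = (ca && (sign || !has_ku)) ? "ca" : "leaf"; print r }'
}

# Assumed model of the Squid rule under discussion (not taken from Squid source):
#   generate-host-certificates=on  -> the port signs host certs, so cert= must be a CA
#   generate-host-certificates=off -> the port only terminates TLS, so cert= is a leaf
# $1 = certificate file, $2 = on|off. Returns 0 when the pairing is consistent.
port_cert_ok() {
  role=$(cert_role "$1")
  case "$2:$role" in
    on:ca)    return 0 ;;
    off:leaf) return 0 ;;
    *)        return 1 ;;
  esac
}

# Constructed test data: write a self-signed CA (ca.pem) and a self-signed
# server-style leaf (leaf.pem) into directory $1. Real deployments would use a
# CA-issued leaf here; self-signing keeps the example offline.
make_demo_certs() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = Example Signing CA
[ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  sed -e 's/CA:TRUE/CA:FALSE/' \
      -e 's/keyCertSign,cRLSign/digitalSignature/' \
      -e 's/Example Signing CA/Example Leaf/' "$dir/ca.cnf" > "$dir/leaf.cnf"
  for n in ca leaf; do
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -config "$dir/$n.cnf" -keyout "$dir/$n.key" -out "$dir/$n.pem" -days 1 \
      >/dev/null 2>&1
  done
}

# Demo: classify both constructed certs, then show why a plain TLS-terminating
# https_port is happy with a leaf while a certificate-minting one is not.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo_certs "$tmp"
for c in ca leaf; do
  printf '%s: %s\n' "$c.pem" "$(cert_role "$tmp/$c.pem")"
done
for mode in off on; do
  if port_cert_ok "$tmp/leaf.pem" "$mode"; then
    echo "leaf with generate-host-certificates=$mode: usable"
  else
    echo "leaf with generate-host-certificates=$mode: needs a signing CA"
  fi
done
```

Run `cert_role /etc/letsencrypt/live/<host>/cert.pem` against a real Let's Encrypt leaf and it reports `leaf`, which is exactly what Yuri means by "not a CA itself" and exactly what Antony means by a signED certificate being all a TLS-terminating port needs.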