On 3/02/2017 1:43 a.m., angelv wrote:
> On Thu, Feb 2, 2017 at 4:37 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
>>> So we can't even use the free certs from letsencrypt with Squid??
>>>
>>
>> Not for MITM / SSL-Bump no.
>>
>> The very first clause of the purchase contract for the LetsEncrypt CA is:
>>
>> "
>> By requesting, accepting, or using a Let’s Encrypt Certificate:
>>
>> * You warrant to ISRG and the public-at-large that You are the
>> legitimate registrant of the Internet domain name that is, or is going
>> to be, the subject of Your Certificate, or that You are the duly
>> authorized agent of such registrant.
>> "
>>
>> Meaning they can be used for explicit TLS-proxy or CDN reverse-proxy only.
>>
>> If you have just used LetsEncrypt certs because of the hype about being
>> cheap, easy and everyone else is saying it's good. I think it well worth
>> your time going to their site and reading that contract to which you
>> have bound your network.
>>
>> For networks outside North America there are some legal implications
>> about signing judicial authority and your users' method of legal redress
>> over to the USA government.
>>
>
> I have certificates for my sub-domain
>
> for example:
>
> Proxy.subdomain.domain.com
>
> I have the following files issued by Letsencrypt:
>
> ca.cer
> proxy.subdomain.domain.com.conf proxy.subdomain.domain.com.ssl.conf
> fullchain.cer proxy.subdomain.domain.com.csr
> proxy.subdomain.domain.com.cer proxy.subdomain.domain.com.key
>
> Can you use it?
> How do I make them usable for the proxy?
>

 https_port 3128 \
   cert=/path/to/proxy.subdomain.domain.com.cer \
   key=/path/to/proxy.subdomain.domain.com.key \
   cafile=/path/to/fullchain.cer

That is all. No SSL-Bump or other config.

Amos
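As an added example (not part of the original post and not Squid project code), this Python check reads squid.conf text, joins the backslash-continued lines used in the reply, and reports anything that would put a publicly issued certificate into SSL-Bump service. The sample config, the extra port 3129 and the function names are constructed for illustration.

```python
# Constructed sample: the https_port line from the reply, followed by two
# lines that would put the same certificate into SSL-Bump service.
SAMPLE_CONF = r"""
# explicit TLS proxy, as in the reply
https_port 3128 \
    cert=/path/to/proxy.subdomain.domain.com.cer \
    key=/path/to/proxy.subdomain.domain.com.key \
    cafile=/path/to/fullchain.cer
http_port 3129 intercept ssl-bump cert=/path/to/proxy.subdomain.domain.com.cer
ssl_bump bump all
"""

def logical_lines(text):
    """Join backslash-continued lines; skip comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line.split()

def audit(text, public_certs):
    """Return findings that tie SSL-Bump to a publicly issued certificate.

    public_certs is the set of cert= paths issued by a public CA
    (supplied by the operator; an assumption of this example).
    """
    findings = []
    for tokens in logical_lines(text):
        directive, args = tokens[0], tokens[1:]
        if directive == "ssl_bump":
            findings.append("ssl_bump directive present: " + " ".join(args))
        elif directive in ("http_port", "https_port"):
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            flags = {a for a in args if "=" not in a}
            cert = opts.get("cert")
            if "ssl-bump" in flags and cert in public_certs:
                port = " ".join(args[:1])
                findings.append(f"{directive} {port}: ssl-bump uses {cert}")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF, {"/path/to/proxy.subdomain.domain.com.cer"}):
        print("FINDING:", f)
```

A config containing only the `https_port` line from the reply produces no findings.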