08.09.2017 3:14, L A Walsh wrote:
> Got an error message from squid where I'm doing https-bumping:
>
> --------------------------
> The following error was encountered while trying to retrieve the URL:
> https://help.ea.com/
>
> *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
> (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> --------------------------------
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced
> in parallel chains). The two certs looked like:
>
> -----BEGIN CERTIFICATE-----
> ...hexstuff==
> -----END CERTIFICATE-----
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?

Yup :)

#  TAG: sslproxy_foreign_intermediate_certs
#    Many origin servers fail to send their full server certificate
#    chain for verification, assuming the client already has or can
#    easily locate any missing intermediate certificates.
#
#    Squid uses the certificates from the specified file to fill in
#    these missing chains when trying to validate origin server
#    certificate chains.
#
#    The file is expected to contain zero or more PEM-encoded
#    intermediate certificates. These certificates are not treated
#    as trusted root certificates, and any self-signed certificate in
#    this file will be ignored.
#Default:
# none

>
> Looking for a clue... ;-)

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit?highlight=%28Ssl%29%7C%28Bump%29%7C%28explicit%29#Missing_intermediate_certificates

>
> Thanks!
> -l
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users