Hello LA, Yuri, The server analysis at https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87&latest shows the certificate chain presented by the remote server is indeed incomplete, specifically the following certificate is not presented: --- Symantec Class 3 Secure Server CA - G4 Fingerprint SHA256: eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17 Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY= RSA 2048 bits (e 65537) / SHA256withRSA --- Adding it to the intermediate certificate file as indicated on https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended and reloading Squid 3.5.23 allows to successfully see and bump the site. Our UI generates exactly the same config setting as you have tried: sslproxy_foreign_intermediate_certs /opt/websafety/etc/squid/foreign_intermediate_certs.pem So it must be working :) Best regards, Rafael Akchurin Diladele B.V. -----Original Message----- From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of L A Walsh Sent: Thursday, September 7, 2017 11:15 PM To: squid-users@xxxxxxxxxxxxxxx Subject: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong? Got an error message from squid where I'm doing https-bumping: -------------------------- The following error was encountered while trying to retrieve the URL: https://help.ea.com/ *Failed to establish a secure connection to 52.0.220.87* The system returned: (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4 This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials. -------------------------------- Googling found: http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html Used openssl.com to get the intermediate certs (2 hosts are referenced in parallel chains). The two certs looked like: -----BEGIN CERTIFICATE----- ...hexstuff== -----END CERTIFICATE----- Added the certs to a file and that filename to my squid.conf on a line: sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem restarted squid, but am still getting same error. Am I missing some obvious step? Looking for a clue... ;-) Thanks! -l _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
