Hi, Raf.

Just checking on two of my servers - works like a charm without any movings :)

I already have a good intermediate CAs bundle :)

08.09.2017 3:42, Rafael Akchurin wrote:
> Hello LA, Yuri,
>
> The server analysis at https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87&latest shows the certificate chain presented by the remote server is indeed incomplete, specifically the following certificate is not presented:
>
> ---
> Symantec Class 3 Secure Server CA - G4
> Fingerprint SHA256: eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
> Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
> RSA 2048 bits (e 65537) / SHA256withRSA
> ---
>
> Adding it to the intermediate certificate file as indicated on https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended and reloading Squid 3.5.23 allows the site to be seen and bumped successfully.
>
> Our UI generates exactly the same config setting as you have tried:
> sslproxy_foreign_intermediate_certs /opt/websafety/etc/squid/foreign_intermediate_certs.pem
>
> So it must be working :)
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of L A Walsh
> Sent: Thursday, September 7, 2017 11:15 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?
>
> Got an error message from squid where I'm doing https-bumping:
>
> --------------------------
> The following error was encountered while trying to retrieve the URL:
> https://help.ea.com/
>
> *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
>
> --------------------------------
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced in parallel chains). The two certs looked like:
>
> -----BEGIN CERTIFICATE-----
> ...hexstuff==
> -----END CERTIFICATE-----
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting the same error.
>
> Am I missing some obvious step?
>
> Looking for a clue... ;-)
>
> Thanks!
> -l
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
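
An added example, not part of the original thread or of Squid: a Python check that a PEM file given to `sslproxy_foreign_intermediate_certs` really contains the intermediate that SSL Labs reported as missing, by comparing the SHA-256 fingerprint of each block and flagging blocks that do not decode. The function names and the sample bytes are constructed for illustration; the fingerprint constant is the one quoted in the thread.

```python
import base64
import binascii
import hashlib
import re

# SHA-256 fingerprint of the missing intermediate, as quoted from SSL Labs in the thread.
MISSING_SHA256 = "eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def to_pem(der):
    """Wrap DER bytes in PEM armour (used here only to build sample input)."""
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"


def bundle_fingerprints(pem_text):
    """Return (sha256 hex fingerprints, problems) for each block in a PEM bundle."""
    fingerprints, problems = [], []
    matches = list(PEM_BLOCK.finditer(pem_text))
    for index, match in enumerate(matches, start=1):
        body = "".join(match.group(1).split())  # drop line breaks and indentation
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {index}: invalid base64")
            continue
        # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"block {index}: not a DER certificate")
            continue
        fingerprints.append(hashlib.sha256(der).hexdigest())
    if pem_text.count(BEGIN) != len(matches):
        problems.append("BEGIN line without a matching END line")
    return fingerprints, problems


def contains_cert(pem_text, wanted_sha256):
    """True if the bundle holds a certificate with the given SHA-256 fingerprint."""
    wanted = wanted_sha256.replace(":", "").lower()
    fingerprints, problems = bundle_fingerprints(pem_text)
    return wanted in fingerprints, problems


if __name__ == "__main__":
    # Constructed sample: one tiny DER SEQUENCE (not a real certificate) and one
    # placeholder block like the "...hexstuff==" shown in the thread.
    sample = to_pem(b"\x30\x03\x02\x01\x01") + f"{BEGIN}\n...hexstuff==\n{END}\n"
    print(contains_cert(sample, MISSING_SHA256))
```

To check a real bundle, pass the text of the file named on the `sslproxy_foreign_intermediate_certs` line to `contains_cert` together with `MISSING_SHA256`.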