On 05/21/2018 10:59 PM, Ahmad, Sarfaraz wrote:
> Websites where certificates just share AIA information using CA-issuer
> method, those work just fine.
>
> But try this one, https://community.verizonwireless.com/welcome (this
> gets bumped in my setup)
>
> Here the AIA information is provided using both OCSP/CAissuer methods.
>
> From Squid's access logs, I can tell that the certificate gets downloaded.
>
> 1526964147.929 160 - TCP_MISS/200 1868 GET
> http://cacert.omniroot.com/vpssg142.crt - HIER_DIRECT/64.18.25.46
> application/x-x509-ca-cert
>
> But squid still reports:
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known:
> /C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2
>
> That is the only intermediate certificate needed in the chain. Here:
> https://www.ssllabs.com/ssltest/analyze.html?d=community.verizonwireless.com&latest
>
> When I download the intermediate certificate locally and try connecting
> to the remote server using openssl -CAfile option, Openssl reports OK (0).
>
> openssl s_client -connect 204.93.84.201:443 -showcerts -CAfile
> vpssg142.crt -servername community.verizon.com
>
> Verify return code: 0 (ok)

Nice triage! I do not know what went wrong, unfortunately. If you do not
find a solution on the mailing list, I recommend posting a bug report. If
possible, attach compressed partial cache.log (with debug_options set to
ALL,9) collected while reproducing the above problem without any other
transactions. This log might speed up resolution by exposing the problem
without the need to reproduce it locally.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users