On 1/16/19 10:30 PM, Dmitry Melekhov wrote:

> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
>
> In access log:
>
> 1547702300.945 0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html
> 1547702301.304 84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html

Your Squid (or some helper) appears to be adding an "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL, resulting in a 404 response from that server. That suffix is not present in the lkk-udm.esplus.ru certificate AFAICT:

> $ openssl x509 -in cert.pem -noout -text | fgrep http:
> URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
> CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
> OCSP - URI:http://ocsp.comodoca.com

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
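The comparison made in the reply above, as an added example that is not part of the original message or of Squid's code: it checks the URLs Squid fetched on its own against the URIs listed in the certificate and splits off anything appended after the certificate file name. The two access.log lines and the openssl output are copied from the message as inline sample data; the function names are hypothetical, and treating a `-` client field as a Squid-originated fetch is an assumption based on that log.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log lines, copied from the message above.
ACCESS_LOG = """\
1547702300.945 0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html
1547702301.304 84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html
"""

# Output of `openssl x509 -in cert.pem -noout -text | fgrep http:`, also copied.
CERT_TEXT = """\
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
"""

# Path up to and including a certificate file extension, then whatever follows.
CERT_FILE = re.compile(r"^(.*?\.(?:crt|cer|p7c))(.*)$", re.I)

def cert_uris(text):
    """URIs (CRL, CA Issuers, OCSP) listed in the openssl text output."""
    return set(re.findall(r"URI:(\S+)", text))

def audit(log, uris):
    """Compare each Squid-originated fetch (client field '-') with the cert URIs."""
    findings = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 10 or f[2] != "-":
            continue  # short line, or an ordinary client request
        status, parts = f[3].split("/")[1], urlsplit(f[6])
        m = CERT_FILE.match(parts.path)
        base_path, extra = m.groups() if m else (parts.path, "")
        base = f"{parts.scheme}://{parts.netloc}{base_path}"
        # 'extra' is text appended after the file name; 'listed' says whether
        # the URL without it appears in the supplied certificate text.
        findings.append({"status": status, "base": base,
                         "extra": extra, "listed": base in uris})
    return findings

if __name__ == "__main__":
    for finding in audit(ACCESS_LOG, cert_uris(CERT_TEXT)):
        print(finding)
```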