Hello,

I already tried adding the root CA to the PEM file in the cert= option, but it had no effect. The squid -k parse seems a good point. I got:

Ignoring non-issuer CA from /etc/squid/bump-CA/bump-ca.crt

If I add the root CA, that one is reported to be added, but it is still ignoring the bump CA.

Why is it ignoring my CA? The reported purpose of the certificate is:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

What am I doing wrong?

Thanks

Marek

2019-10-31 8:38 GMT+01:00, Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 31/10/19 9:49 am, Marek Greško wrote:
>> Hello,
>>
>> Matus, I also found the document. It should be sending the chain, but
>> is not. When I specify cafile option it responds I should use
>> tls-cafile. But in either case it is not sending.
>>
>> Walter, if squid has such requirement, then it is unfinished. Every
>> other proxy is able to run its CA as an intermediate and clients
>> install only root CA. The proxy should be responsible to hold the
>> chain. The url Matus sent is the correct way how to do it, but it is
>> not working. At least not in 4.8 version.
>>
>
> "
> cafile=
>     File containing additional CA certificates to use
>     when verifying client certificates.
> "
>
> Note that last line. Squid-4 is more strict about its configured inputs
> being used for what they are documented as.
>
> The best place to put the chain is actually in the PEM file used in the
> cert= parameter. It should contain as much of the chain as you want
> Squid to send, starting with the proxy's signing CA cert and going up
> the chained intermediate CA certs towards the root CA.
>
> Squid-4 will validate all certificates actually are a chain with correct
> sequence, ignoring any which are incorrect or out of sequence. Running
> "squid -k parse" will report any errors loading the chain.
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
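
The chain ordering described in the quoted reply can be checked offline before running "squid -k parse". The script below is an added example, not part of the thread or of Squid; the function name check_chain_order is hypothetical, and it compares issuer and subject names and the CA:TRUE flag only, without verifying signatures.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check a PEM bundle intended for cert=.
# Expected order: the proxy's signing CA first, then each issuer up to the root.
# Compares issuer/subject name hashes only; signatures are not verified.

check_chain_order() {
    local bundle=$1 tmp cur next i=1 rc=0
    tmp=$(mktemp -d) || return 2

    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    while [ -f "$tmp/cert-$i.pem" ]; do
        cur="$tmp/cert-$i.pem"
        next="$tmp/cert-$((i + 1)).pem"

        # Every certificate in a signing chain must be a CA certificate.
        if ! openssl x509 -in "$cur" -noout -text | grep -q 'CA:TRUE'; then
            echo "cert $i: basicConstraints CA:TRUE not present"
            rc=1
        fi

        # The issuer of this certificate must be the subject of the next one.
        if [ -f "$next" ] &&
           [ "$(openssl x509 -in "$cur" -noout -issuer_hash)" != \
             "$(openssl x509 -in "$next" -noout -subject_hash)" ]; then
            echo "cert $((i + 1)): out of sequence, is not the issuer of cert $i"
            rc=1
        fi
        i=$((i + 1))
    done

    [ "$i" -gt 1 ] || { echo "no certificates found in $bundle"; rc=2; }
    rm -rf "$tmp"
    return "$rc"
}

# Run against a file when one is given on the command line.
[ "$#" -eq 0 ] || check_chain_order "$1"
```

Pass it the file named in cert=; exit status 0 means every certificate is a CA and each one is followed by its issuer.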