On 5/20/20 12:20 PM, sjmeyer wrote:
> I have a squid configured as a reverse proxy on RHEL 7.8
>
> the certificates on the squid box seem okay; squid -k parse passes,
> however when I attempt to access the back-end server via squid I get
>
> Error negotiating SSL connection on FD 13: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)

AFAICT, your client (e.g., a browser) probably does not trust Squid's
certificate (i.e., /etc/squid/tls/devi_public.pem). Should it? What does
the client say?

> It's my understanding that to resolve the SSL error I need to add the CA of the
> backend server to the RHEL trust store

If my understanding about the scope of the error is correct, then the
backend server is irrelevant. The error is between the TLS/HTTPS client and
Squid, not Squid and cache_peer. Squid has not yet contacted the cache_peer
at the time of this error.

HTH,

Alex.

> - I have done that, copied the CA to
> /etc/pki/ca-trust/source/anchors/
> ran update-ca-trust extract,
> confirmed the CA is in the file
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>
> however no change. I have seen references to the ssl_crtd project; however,
> from the examples I've seen that isn't required. Is this my issue?
>
> Contents of my squid.conf file are below, would appreciate
> # reverse proxy site
> #
> acl localnet src 10.0.0.0/8
> # - debug options
> # 0 client database
> # 1 start up and main loop
> # 2 Unlink Daemon
> # 3 configuration file parsing
> # 4 error generation
> # 5 socket functions
> # 11 HTTP
> # 23 URL parsing
> debug_options All,1 9
>
>
> acl SSL_ports port 5443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 8902
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 5443
> acl Safe_ports port 1025-65535
> acl CONNECT method CONNECT
>
>
> http_port 3128 transparent
>
> http_access allow Safe_ports
> #http_access deny !Safe_ports
>
> http_access allow localnet
>
>
> https_port 5443 accel defaultsite=10.234.48.183
> cert=/etc/squid/tls/devi_public.pem key=/etc/squid/tls/devi_private.key
> cafile=/etc/squid/tls/devi_ca.crt vhost
>
>
> sslproxy_options NO_SSLv2:NO_SSLv3:NO_TLSv1:NO_TLSv1_1
>
>
> cache_peer 10.234.49.188 parent 5443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER connection-auth=off name=dev-api
>
> acl BrokenButTrustedServers dstdomain 10.234.49.188 devi.mlms.cms.gov
> #sslproxy_cert_error allow BrokenButTrustedServers
> sslproxy_cert_error allow all
> #sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
>
> #ssl_bump splice #localhost
> # configure backend
>
> acl our_sites dstdomain dev.app.lb.local 10.234.49.188
> http_access allow our_sites
> cache_peer_access dev-int allow our_sites
> cache_peer_access dev-api allow our_sites
>
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
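A small triage helper for the cache.log line quoted in this thread, added here as an example (not code from the thread or from Squid): it parses the OpenSSL reason text and reports which side of the handshake rejected a certificate. It assumes, as Alex's reply reads the line, that Squid logs this message during the client-facing (https_port) handshake, so the alert was sent by the TLS client; the alert table is the standard one from RFC 5246.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2.2) a peer sends after it fails
# to validate the certificate it was shown: the *sender* did the verification,
# the *receiver* is the side whose certificate was rejected.
CERT_ALERTS = {
    "bad certificate": 42,
    "unsupported certificate": 43,
    "certificate revoked": 44,
    "certificate expired": 45,
    "certificate unknown": 46,
    "unknown ca": 48,
}

# Shape of the cache.log line quoted in the thread. Assumption: Squid logs this
# while negotiating TLS with a *client* on its https_port, so the peer named in
# the OpenSSL reason text is the browser/client, not the cache_peer.
LOG_RE = re.compile(
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.*?)(?: \((?P<ssl_err>\d+)/(?P<errno>\d+)\))?$"
)
# OpenSSL phrases a *received* alert as "sslv3 alert ..." or "tlsv1 alert ...".
ALERT_RE = re.compile(r"^(?:sslv3|tlsv1(?:_\d)?) alert (?P<desc>.+)$")


def triage(log_line: str) -> dict:
    """Return which side of the handshake failed and why, for one log line."""
    m = LOG_RE.search(log_line.strip())
    if not m:
        return {"matched": False}
    info = {"matched": True, "fd": int(m["fd"]), "reason": m["reason"], "alert": None}
    alert = ALERT_RE.match(m["reason"])
    if alert is None:
        info["verdict"] = "local OpenSSL failure; no alert received from the client"
        return info
    info["alert"] = alert["desc"]
    info["alert_code"] = CERT_ALERTS.get(alert["desc"])
    if info["alert_code"] is not None:
        info["verdict"] = ("client rejected the certificate Squid presented on https_port; "
                           "fix the client's trust store, the cache_peer is not involved")
    else:
        info["verdict"] = "client aborted the handshake for a non-certificate reason"
    return info


# Constructed sample: the exact line quoted in the thread, unwrapped.
SAMPLE = ("Error negotiating SSL connection on FD 13: error:14094416:SSL "
          "routines:ssl3_read_bytes:sslv3 alert certificate unknown (1/0)")
```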