On 1/13/21 4:33 PM, Greg Hulands wrote:
> I am setting up squid 5.0.3 and during testing I have found some
> websites fail to have their certificates generated correctly. I am
> able to go to sites like YouTube.com and have the certificates for
> that be generated correctly, but when I try to go to some others,
> like arstechnica.com, they fail to generate and return the CA cert
> that squid is using to sign certificates with.

Just to double check: Are you sure that the certificate the client gets
is the configured CA certificate? For example, do the two certificates
have the same fingerprint?

> I turned the logging up on certificate stuff to 5 and have the cache log
> from trying to make a request
> here: https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb

The posted snippet shows successful TLS negotiation with the origin
server (FD 23) and a subsequently failed negotiation with the client (FD
21). The latter may have failed because the client did not like the
certificate generated by Squid, but I did not check the exact failure
reason carefully.

The snippet has no information about Squid sending the (generated)
certificates to the client, but Squid appears to receive some generated
certificate from the helper (crtGenRq3180846).

* If you are sure that the client gets a wrong certificate from Squid,
then I recommend posting an ALL,9 log of the problematic transaction.
With some luck, we may be able to see what went wrong with certificate
generation (or virgin certificate validation??).

* Otherwise, I recommend double checking what certificate the client
gets. If the client gets the correct generated certificate, then the
problem is not in certificate validation or generation. Posting the
certificate that the client actually gets may help a lot with the triage
as well.

HTH,

Alex.
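
Added example (not part of the original message and not Squid project code): one way to run the fingerprint check suggested above, fetching the certificate the proxy serves and comparing it byte-for-byte with the configured CA certificate. It assumes an explicit forward proxy reached with CONNECT; the function names and the sample byte strings are constructed for illustration.

```python
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprint(der):
    """SHA-256 fingerprint, formatted like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_certs_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM file or bundle."""
    return [ssl.PEM_cert_to_DER_cert(block) for block in PEM_RE.findall(pem_text)]

def fetch_leaf_via_proxy(proxy_host, proxy_port, host, port=443):
    """CONNECT through the proxy and return the DER certificate it presents."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=10)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    if reply.split(None, 2)[1] != b"200":
        raise ConnectionError("CONNECT refused: %r" % reply.splitlines()[0])
    # Verification is off on purpose: the goal is to inspect whatever
    # certificate is served, including one the client would reject.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

def compare_with_ca(served_der, ca_pem_text):
    """Say whether the served certificate is byte-for-byte the CA certificate."""
    served = fingerprint(served_der)
    ca = [fingerprint(der) for der in pem_certs_to_der(ca_pem_text)]
    return {"served": served, "ca": ca, "served_is_ca": served in ca}

# Constructed stand-ins (arbitrary bytes, not real certificates) so the
# comparison runs offline; a fingerprint is only a hash of the DER bytes.
SAMPLE_CA_DER = b"constructed CA certificate bytes"
SAMPLE_LEAF_DER = b"constructed generated-leaf bytes"
SAMPLE_CA_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_CA_DER)
```

Against a live setup, pass the result of fetch_leaf_via_proxy(proxy_host, proxy_port, "arstechnica.com") and the text of the CA PEM file to compare_with_ca; "served_is_ca" is true only when the client is really being handed the signing CA certificate itself.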