On 6/23/21 7:56 AM, Majed Zouhairy wrote: > when visiting > https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit > > on squid 4.15 > > it displays: > > > ERROR > The requested URL could not be retrieved > > The following error was encountered while trying to retrieve the URL: > https://wiki.squid-cache.org/* > > Failed to establish a secure connection to 104.130.201.120 > > The system returned: > > (71) Protocol error (TLS code: > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) > > SSL Certficate error: certificate issuer (CA) not known: > /C=US/O=Let's Encrypt/CN=R3 Your Squid was not able to validate the certificate used by the Squid Project wiki site. I am not sure, but perhaps your OpenSSL installation on the Squid box is missing fresh Let's Encrypt intermediate certificates? IIRC, there were similar complaints recently. Try searching the mailing list archives if you have not already. Alex. P.S. Squid tries to fetch missing intermediate certificates, but that is not always possible, and Squid v4 supports fewer environments where it is possible to fetch them (than more recent Squid versions). > configuration: > > http_port 3128 ssl-bump cert=/etc/squid/certs/myCA.pem > generate-host-certificates=on dynamic_cert_mem_cache_size=8MB > > > > acl tls_s1_connect at_step SslBump1 > acl tls_s2_client_hello at_step SslBump2 > acl tls_s3_server_hello at_step SslBump3 > > # define acls for sites that must not be actively bumped > > acl tls_allowed_hsts ssl::server_name .akamaihd.net > acl tls_allowed_hsts ssl::server_name .proxy.skko.by > #acl tls_server_is_bank ssl::server_name .abnamro.nl > #acl tls_server_is_bank ssl::server_name .abnamro.comacl > tls_server_is_bank ssl::server_name > "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice" > acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank > > # TLS/SSL bumping steps > > ssl_bump peek tls_s1_connect # peek at TLS/SSL connect data > ssl_bump splice tls_to_splice # splice some: no active bump > ssl_bump stare all # stare(peek) at server > # properties of > the webserver > ssl_bump bump # bump if we can (if the stare succeeded) > > > > #ssl_bump peek all > #ssl_bump splice all > > ##ssl_bump server-first all > > #sslproxy_cert_error allow all > > > > cache_dir ufs /var/cache/squid 8000 16 256 > > # Leave coredumps in the first cache dir > coredump_dir /var/cache/squid > > cache_mem 960 MB > > netdb_filename none > > # > # Add any of your own refresh_pattern entries above these. > # > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > > url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode > sni=\"%ssl::>sni\" referer=\"%{Referer}>h\"" > url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l > /var/log/squid/ > url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64 > #debug_options ALL,1 33,2 28,9 > > what needs to be done to fix? > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users