Re: 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line

On 7/10/23 14:50, Franta Hanzlík wrote:
> After upgrading my Fedora 27/Squid-4.0.23 to Fedora 38/Squid-5.9, Squid
> refuses to start with the error message:
>
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/server.pem': error:0480006C:PEM routines::no start line

I suspect the actual problem is different than "no start line". Due to a mismatch between the OpenSSL error handling approach and Squid code, Squid often reports wrong/stale/irrelevant OpenSSL errors. Certificate loading code is especially prone to such mismatches! Refactoring OpenSSL error handling is a known to-do item.

Several different things could go wrong while showing the above symptoms, and there are several ways to troubleshoot this, but I would start with the following simple test.

Run the following (or similar) command on the same machine as Squid, using the same OS user as Squid ("nobody" in the example below), using the openssl tool from the same OpenSSL version as Squid was built with:

    sudo -u nobody \
    openssl x509 -in /etc/pki/tls/private/server.pem -noout -subject

You should see the certificate subject field. Any warnings or errors?

If the above works fine, and the certificate file ownership/permissions look reasonable to you, then the next step could be to start Squid under "strace" or a similar tool to check whether some system call fails when OpenSSL is trying to load that certificate file. In most cases, you should be able to find the certificate filename in strace output and check for subsequent syscall errors (e.g., permission denied). We can help with that analysis, but be careful with posting private key contents. If you can, temporarily replace that production certificate with some throw-away/temporary/example one.

Beyond that, I would recommend patching Squid to report the last OpenSSL error instead of the first one (in this context). This will require you to rebuild your Squid from sources. Please let me know if you want to pursue that and I will provide a patch.


HTH,

Alex.
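The manual test above, extended into a small script (an added example, not part of this thread or of Squid): it checks readability, certificate parse, key parse and key/certificate agreement, optionally as a given OS user via sudo -u. The function name check_squid_pem is an assumption; it works for a combined key+cert file as well as separate files.

```shell
# check_squid_pem CERT_FILE KEY_FILE [OS_USER]
# Hypothetical helper walking through the triage steps suggested above.
# When OS_USER is given, every command runs via "sudo -u OS_USER" so the
# checks see the same file permissions Squid would.
check_squid_pem() {
    cert=$1
    key=$2
    user=${3:-}
    run=""
    if [ -n "$user" ]; then run="sudo -u $user"; fi

    # 1. Plain readability. An unreadable file or a dangling symlink
    #    surfaces in OpenSSL as "no start line", not as EACCES/ENOENT.
    $run test -r "$cert" || { echo "FAIL: cannot read $cert"; return 1; }
    $run test -r "$key"  || { echo "FAIL: cannot read $key"; return 1; }

    # 2. A CERTIFICATE block is present and parses (the manual test above).
    subject=$($run openssl x509 -in "$cert" -noout -subject 2>&1) ||
        { echo "FAIL: certificate parse: $subject"; return 2; }

    # 3. A private key block is present and parses. This also covers a
    #    combined file, because openssl skips PEM blocks of the wrong type.
    $run openssl pkey -in "$key" -noout 2>/dev/null ||
        { echo "FAIL: private key in $key not loadable"; return 3; }

    # 4. The key must belong to the certificate: compare the public key
    #    embedded in the certificate with the one derived from the key.
    cert_pub=$($run openssl x509 -in "$cert" -noout -pubkey) || return 4
    key_pub=$($run openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; return 4; }

    echo "OK: $subject"
}
```

A non-zero exit code tells you which step failed, which narrows the search far more than the stale OpenSSL message does.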

> The problem is probably related to the reverse https proxy definition
> line in squid.conf:
> https_port 192.168.20.2:22225 accel cert=/etc/pki/tls/private/server.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
>
> server.pem is the symlink to realFile.pem with this content:
> -----BEGIN RSA PRIVATE KEY-----
> MIIEpQ...
> ...
> ...vo=
> -----END RSA PRIVATE KEY-----
>
> -----BEGIN CERTIFICATE-----
> MIIGO...
> ...
> ...c5s=
> -----END CERTIFICATE-----
>
> and it worked fine in the older Squid-4.0.23 version.
>
> I tried:
> - tls-cert= instead of cert=
> - replacing the symlink server.pem with a real file
> - arranging the certificate first and the key second in the PEM file
> - splitting the PEM file into separate certificate and key files and using the syntax:
>
> https_port 192.168.20.2:22225 accel tls-cert=/etc/pki/tls/private/cert.pem tls-key=/etc/pki/tls/private/key.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
>
> but Squid still does not start, with the same message:
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/cert.pem': error:0480006C:PEM routines::no start line
>
> Can anyone help?
> ---
> Thanks in advance! Franta Hanzlik
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
