Hi! We had the same problem when we switched from OpenSSL 1.1 to OpenSSL 3 with certificates using the SHA1 algorithm for signature. The reason for this was that in OpenSSL 3 SHA1 is deprecated.

Kind regards,
Hannes

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, 11 July 2023 19:34
To: squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: [EXTERNAL] Re: 4.0.23 -> 5.9 : ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/xy.pem': error:0480006C:PEM routines::no start line

On 7/10/23 14:50, Franta Hanzlík wrote:
> After upgrading my Fedora 27/Squid-4.0.23 to Fedora 38/Squid-5.9, the
> Squid refuses to start with the error message:
>
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/server.pem': error:0480006C:PEM routines::no start line

I suspect the actual problem is different than "no start line". Due to a mismatch between OpenSSL error handling approach and Squid code, Squid often reports wrong/stale/irrelevant OpenSSL errors. Certificate loading code is especially prone to such mismatches! Refactoring OpenSSL error handling is a known to-do item.

Several different things could go wrong while showing the above symptoms, and there are several ways to troubleshoot this, but I would start with the following simple test. Run the following (or similar) command on the same machine as Squid, using the same OS user as Squid ("nobody" in the example below), using the openssl tool from the same OpenSSL version as Squid was built with:

    sudo -u nobody \
        openssl x509 -in /etc/pki/tls/private/server.pem -noout -subject

You should see the certificate subject field. Any warnings or errors?

If the above works fine, and the certificate file ownership/permissions look reasonable to you, then the next step could be to start Squid under "strace" or a similar tool to check whether some system call fails when OpenSSL is trying to load that certificate file.
In most cases, you should be able to find the certificate filename in strace output and check for subsequent syscall errors (e.g., permission denied). We can help with that analysis, but be careful with posting private key contents. If you can, temporarily replace that production certificate with some throw-away/temporary/example one.

Beyond that, I would recommend patching Squid to report the last OpenSSL error instead of the first one (in this context). This will require you to rebuild your Squid from sources. Please let me know if you want to pursue that and I will provide a patch.

HTH,

Alex.

> The problem is probably related to the reverse https proxy definition
> line in squid.conf :
> https_port 192.168.20.2:22225 accel cert=/etc/pki/tls/private/server.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
> server.pem is the symlink to realFile.pem with this content:
> -----BEGIN RSA PRIVATE KEY-----
> MIIEpQ...
> ...
> ...vo=
> -----END RSA PRIVATE KEY-----
>
> -----BEGIN CERTIFICATE-----
> MIIGO...
> ...
> ...c5s=
> -----END CERTIFICATE-----
>
> and it worked fine in the older Squid-4.0.23 version.
>
> I tried:
> - tls-cert= instead of cert=
> - replacing the symlink server.pem with a real file.
> - arrange certificate in PEM file as first and key second
> - split PEM file into separate certificate and key and use it with syntax:
>
> https_port 192.168.20.2:22225 accel tls-cert=/etc/pki/tls/private/cert.pem tls-key=/etc/pki/tls/private/key.pem defaultsite=mail.kyenar.cz no-vhost name=reverzpe
>
> but squid still does not start with this same message:
> ERROR: Failed to acquire TLS certificate '/etc/pki/tls/private/cert.pem': error:0480006C:PEM routines::no start line
>
> Can anyone help?
> ---
> Thanks in advance!
> Franta Hanzlik
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
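As an added example (not code from this thread, from Squid or from OpenSSL), a small Python pre-flight check that walks a PEM file line by line the way OpenSSL's PEM reader does, so a genuine "no start line" (no BEGIN line at column 0, a BOM, a missing block, truncated base64) can be told apart from the stale error Alex describes. The function names are mine and the sample file contents are constructed placeholders, not real key material.

```python
import base64
import binascii


def scan_pem(data: bytes) -> list[tuple[str, bool]]:
    """Return (label, body_is_valid_base64) per block a strict PEM reader sees.

    Text outside BEGIN/END pairs is skipped, and a BEGIN line only counts if
    '-----BEGIN ' sits at column 0: a UTF-8 BOM, a leading space or a stray
    byte there hides the block, which is what 'no start line' really means.
    """
    blocks, label, body = [], None, []
    for line in data.splitlines():
        if label is None:
            if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
                label, body = line[11:-5].decode("ascii", "replace"), []
        elif line == b"-----END " + label.encode() + b"-----":
            try:
                base64.b64decode(b"".join(body), validate=True)
                blocks.append((label, True))
            except binascii.Error:
                blocks.append((label, False))
            label = None
        elif b":" not in line:  # skip Proc-Type:/DEK-Info: style headers
            body.append(line.strip())
    return blocks


def diagnose(data: bytes) -> list[str]:
    """Checks worth running before pointing cert=/tls-cert=/tls-key= at a file."""
    blocks = scan_pem(data)
    labels = [name for name, _ in blocks]
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM; the first BEGIN line is invisible to OpenSSL")
    if not blocks:
        problems.append("no readable PEM block at all: genuine 'no start line'")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if not any(name.endswith("PRIVATE KEY") for name in labels):
        problems.append("no private key block found")
    problems += [f"{name} block is not valid base64 (truncated or corrupted)"
                 for name, ok in blocks if not ok]
    return problems


# Constructed sample contents (placeholder bodies, not real key material).
GOOD = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n"
        b"-----BEGIN CERTIFICATE-----\nMIIG\n-----END CERTIFICATE-----\n")
BOM = b"\xef\xbb\xbf" + GOOD  # as saved by an editor that writes a byte-order mark

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bom", BOM)):
        print(name, diagnose(sample) or ["OK"])
```

Run it against a copy of the file as the Squid OS user (so a permission problem shows up as a read error rather than a parse result), and combine it with the `openssl x509 -noout -subject` check above, which this script does not replace.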