
Re: Unable to access a device over port 4434

On 16/10/24 09:39, Piana, Josh wrote:
> Amos,
>
> Thank you for getting back to me and clarifying.
>
> I ran this command:
> #wget -Y off 172.27.46.253
>
> Response:
> --2024-10-15 16:36:15--  http://172.27.46.253/
> Connecting to 172.27.46.253:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://172.27.46.253/ [following]
> --2024-10-15 16:36:15--  https://172.27.46.253/
> Connecting to 172.27.46.253:443... connected.

The TCP here is fully working, on both ports.

The followup hang you mentioned was likely due to a mistake in your followup test (that extra '4' typo?).


> ERROR: The certificate of '172.27.46.253' is not trusted.
> ERROR: The certificate of '172.27.46.253' doesn't have a known issuer.
> The certificate's owner does not match hostname '172.27.46.253'


There you go. Two problems to resolve.

First Problem; unknown "Issuer" (aka root or intermediate CA certificate).

Please use this to find out what details need to be retrieved:
  wget -v --no-proxy https://172.27.46.253/


Find the public CA certificate for the missing "Issuer".

Further tests with wget should use:
  wget -v --no-proxy \
    --ca-certificate=/path/to/server.ca https://172.27.46.253/

When wget test shows trust of the server certificate working, Squid should be configured to use it for checking too:
   tls_outgoing_options cafile=/path/to/server.ca
or
  cache_peer 172.27.46.253 parent 443 0 originserver tls tls-cafile=/path/to/server.ca


Second Problem; mismatch between "172.27.46.253" and "Owner" (or maybe "SubjectAltName" fields).

The wget output when troubleshooting for the first problem should give more hints about what this means.



> So with the errors given, would that stop us from connecting to it? Typically with sites with trust issues or certification issues, you can still bypass it. We'd like to do the same here if applicable.

One could, but your wget command does not.


FYI, it is also a bad idea to bypass unless you really have to. Especially bad to bypass an unknown amount of things when trying to identify reasons for failure.


Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
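
The two failures diagnosed in the reply above, as an added example that is not part of the original message or of Squid: it keeps verification on, sorts an OpenSSL verify code into "unknown issuer" or "name mismatch", and shows why an IP address target only matches an "IP Address" subjectAltName entry. The function names and the sample certificate (`DEVICE_CERT`, `device.example.internal`) are constructed for illustration; wildcard matching is left out.

```python
import ipaddress
import socket
import ssl

# OpenSSL verify codes (X509_V_ERR_*) grouped by the two problems in this thread.
ISSUER_CODES = {18, 19, 20, 21}  # self-signed, or issuer certificate not found
NAME_CODES = {62, 64}            # hostname mismatch, IP address mismatch

def classify(verify_code):
    """Map an OpenSSL verify code to 'unknown-issuer', 'name-mismatch' or 'other'."""
    if verify_code in ISSUER_CODES:
        return "unknown-issuer"
    if verify_code in NAME_CODES:
        return "name-mismatch"
    return "other"

def target_matches(cert, target):
    """Check target against subjectAltName in a getpeercert()-style dict.

    An IP literal is compared only with 'IP Address' entries; a DNS entry or
    subject CN that merely spells out the address does not count.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(k == "DNS" and v.lower() == target.lower() for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v.strip()) == ip
               for k, v in sans)

def probe(host, port=443, cafile=None):
    """Handshake with full verification; return 'ok' or the classified failure."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the issuer's CA in PEM
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        return classify(err.verify_code)

# Constructed certificate fields: the certificate names a DNS host only.
DEVICE_CERT = {
    "subject": ((("commonName", "device.example.internal"),),),
    "subjectAltName": (("DNS", "device.example.internal"),),
}
```

Chain errors are reported before name errors, so `probe()` typically returns "unknown-issuer" first and "name-mismatch" only once the right `cafile` is supplied, matching the order of the two problems in the reply.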


