[squid-users] RE: Squid Accelerator and SSL

From: Kent, Mr. John (Contractor) <kent@dont-contact.us>
Date: Mon, 9 Feb 2004 15:21:40 -0800

Henrik and Brian,

As recommended, I created certificates and keys for my
Squid server using openssl.

Created certificate:
>openssl genrsa -des3 -out webcache2.key 1024

Created CSR:
>openssl req -new -key webcache2.key -out webcache2.csr

Then Signed it:
>openssl x509 -req -days 3650 -in webcache2.csr -signkey webcache2.key -out webcache2.crt

Modified my squid.conf file by adding the following line
https_port 199.9.2.137:443 cert=/users/webuser/squid3.0/conf/ssl.crt/webcache2.crt key=/users/webuser/squid3.0/conf/ssl.key/webcache2.key

When I go to start Squid I get:
bash-2.05$ ./squid
2004/02/09 15:14:51| Failed to acquire SSL certificate '/users/webuser/squid3.0/conf/ssl.crt/webcache2.crt': error:02001002:system library:fopen:No such file or directory
FATAL: Bungled squid.conf line 135: https_port 199.9.2.137:443 cert=/users/webuser/squid3.0/conf/ssl.crt/webcache2.crt key=/users/webuser/squid3.0/conf/ssl.key/webcache2.key
Squid Cache (Version 3.0-PRE3): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.020 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 429
Aborted

Did a Google search and found that Henrik had recommended the following to someone who reported the
same problem:

>If you use encrypted RSA keys then you must start Squid with the -N option

So tried:
bash-2.05$ ./squid -N
2004/02/09 15:16:34| Failed to acquire SSL certificate '/users/webuser/squid3.0/conf/ssl.crt/webcache2.crt': error:02001002:system library:fopen:No such file or directory
FATAL: Bungled squid.conf line 135: https_port 199.9.2.137:443 cert=/users/webuser/squid3.0/conf/ssl.crt/webcache2.crt key=/users/webuser/squid3.0/conf/ssl.key/webcache2.key
Squid Cache (Version 3.0-PRE3): Terminated abnormally.
CPU Usage: 0.010 seconds = 0.010 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 429
Aborted

And also

bash-2.05$ ./squid -v
Squid Cache: Version 3.0-PRE3
configure options: '--prefix=/users/webuser/squid3.0' '--enable-storeio=diskd,ufs' '--enable-ssl' '--with-openssl=/usr/lib'

I noticed that in the default squid.conf file it talks about
cert=certificate.pem [key=key.pem]

Does the fact that my keys and certificates end in .key cause the failure?

Thank you,
John Kent
Webmaster
Naval Research Laboratory
Monterey, CA

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Friday, February 06, 2004 7:32 PM
To: Kent, Mr. John (Contractor)
Cc: Squid_Users (E-mail)
Subject: RE: Squid Accelerator and SSL

On Fri, 6 Feb 2004, Kent, Mr. John (Contractor) wrote:

> The problem I now have is that the accelerator works perfectly and hides
> the fact that the client is connecting to an https server.

You should set up Squid as an https reverse proxy. See the https_port
directive.

Regards
Henrik
Received on Mon Feb 09 2004 - 16:21:42 MST
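
A preflight check for the failure shown in this message, as an added example that is not part of the original thread or of Squid: it reads the https_port line of a squid.conf and reports whether the cert= and key= files exist and are readable, whether the key is passphrase-encrypted (as one created with genrsa -des3 is), and whether the key is readable by other users. The function name, the finding labels and the demo paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the files named by cert= and key=
# on the first https_port line of a squid.conf. Finding labels are made up here.
check_https_port() (
    conf=$1; status=0
    set -f  # no glob expansion while splitting the directive into tokens
    line=$(grep -E '^[[:space:]]*https_port[[:space:]]' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "NO_HTTPS_PORT $conf"; exit 2; }
    for tok in $line; do
        case $tok in
            cert=*|key=*) kind=${tok%%=*}; path=${tok#*=} ;;
            *) continue ;;
        esac
        if [ ! -f "$path" ]; then
            # fopen() would fail with ENOENT: report how far the path resolves
            dir=$(dirname "$path")
            while [ ! -d "$dir" ]; do dir=$(dirname "$dir"); done
            echo "MISSING $kind $path (deepest existing directory: $dir)"
            status=1; continue
        fi
        if [ ! -r "$path" ]; then
            echo "UNREADABLE $kind $path"; status=1; continue
        fi
        if [ "$kind" = key ]; then
            # Traditional PEM flags encryption with Proc-Type; PKCS#8 has its own label
            if grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$path"; then
                echo "ENCRYPTED key $path"
            fi
            # A private key should not be readable by group or others
            if [ -n "$(find "$path" \( -perm -040 -o -perm -004 \))" ]; then
                echo "LOOSE_PERMS key $path"
            fi
        fi
        echo "OK $kind $path"
    done
    exit "$status"
)

# Constructed demo: a squid.conf whose cert= and key= paths do not exist
demo=$(mktemp -d)
printf 'https_port 127.0.0.1:443 cert=%s/ssl.crt/demo.crt key=%s/ssl.key/demo.key\n' \
    "$demo" "$demo" > "$demo/squid.conf"
check_https_port "$demo/squid.conf" || echo "preflight failed"
rm -rf "$demo"
```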
