Re: [squid-users] reverse proxy with SSL offloader issue

From: Mario Remy Almeida <malmeida_at_isaaviation.ae>
Date: Wed, 03 Jun 2009 08:54:52 +0400

Hi Amos,

I don't know how to check the chain of trust

I concatenated the CSR and the certificate, but how to do so I don't know.
Can you please tell me?

=========== squid.conf ================
https_port 10.200.22.49:443 accel \
cert=/etc/squid/keys/mail.airarabia.ae_cert.pem \
key=/etc/squid/keys/newpvtkey.pem defaultsite=mail.airarabia.ae

cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
front-end-https=on name=owaServer sslflags=DONT_VERIFY_PEER

//Remy

On Wed, 2009-06-03 at 12:51 +1200, Amos Jeffries wrote:
> On Tue, 02 Jun 2009 16:56:08 +0400, Mario Remy Almeida
> <malmeida_at_isaaviation.ae> wrote:
> > Hi All,
> >
> > I downloaded SSL Certificate from verisign and exported pvt key from
> > windows 2003 server
> >
> > in squid.conf I have this
> >
> > https_port 10.200.22.49:443 accel \
> > cert=/etc/squid/keys/mail.airarabia.ae_cert.pem \
> > key=/etc/squid/keys/pvtkey.pem defaultsite=mail.airarabia.ae
> >
> > when access https://mail.airarabia.ae
> > browser gives error
> >
> > Secure Connection Failed
> > mail.airarabia.ae uses an invalid security certificate.
> >
> > The certificate is not trusted because the issuer certificate is
> > unknown.
> >
> > (Error code: sec_error_unknown_issuer)
> > * This could be a problem with the server's configuration, or it
> > could be someone trying to impersonate the server.
> >
> > * If you have connected to this server successfully in the past, the
> > error may be temporary, and you can try again later.
> >
> > and in cache.log I get this
> >
> > clientNegotiateSSL: Error negotiating SSL connection on FD 23:
> > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> >
> >
> > What could be the problem please help
> >
>
> SSL chain of trust is broken on one of the SSL links.
>
> Two things to try:
> 1) adding sslflags=DONT_VERIFY_PEER - If that works, it's the cache_peer
> link that is broken. If it still fails, then it's the https_port certificate.
>
> Next look at the certificate itself, see if it contains the whole chain of
> trust (concatenated certificate + signing authority cert).
> I'm a bit hazy about whether the https_port needs the signing authority in
> it or not when the certs are of the unlinked chain type (I forget what the
> right name is even). But I think cache_peer needs the full chain to be in
> the cert.
>
> Amos
>

Received on Wed Jun 03 2009 - 04:54:45 MDT
