Re: [squid-users] problems with ssl_crtd

On 24/09/12 12:52, Amos Jeffries wrote:
> On 24/09/2012 8:44 p.m., Linos wrote:
>> On 20/09/12 12:58, Ahmed Talha Khan wrote:
>>> Hey Guy, All
>>>
>>> I have started facing a very similar issue now.I have been using
>>> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
>>> Suddenly from yesterday ive started getting crahses in ssl_crtd
>>> process.
>>>
>>>
>>> In my case i am the only user but i observe that the behaviour is
>>> random. Sometimes it crashes and sometimes it works. Different https
>>> pages give the crash. Even non https pages have caused the crash.
>>>
>>> These occur especially on google https pages like docs,mail,calender etc..
>>>
>>> The signing cert is also ok and has NOT expired.
>>>
>>>
>>> My squid conf looks like this:
>>> *******************************************************
>>> sslproxy_cert_error allow all
>>>
>>> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
>>> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
>>> sslcrtd_children 5
>>>
>>> http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB
>>> cert=/home/asif/squid/www.sample.com.pem
>>> key=/home/asif/squid/www.sample.com.pem
>>>
>>> http_port 192.168.8.134:8080
>>>
>>> https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB
>>> cert=/home/asif/squid/www.sample.com.pem
>>> key=/home/asif/squid/www.sample.com.pem
>>> *******************************************************
>>>
>>> The ssl_db directory is initialized properly with correct permissions.
>>>
>>> ***********************************************************
>>> [talha_at_localhost lib]$ pwd
>>> /usr/local/squid-3.3/var/lib
>>>
>>> [talha_at_localhost lib]$ ls -al
>>> total 24
>>> drwxrwxrwx 3 root root 4096 Sep 20 15:31 .
>>> drwxrwxrwx 6 root root 4096 Sep 20 15:05 ..
>>> drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db
>>>
>>> The size file also has some values in it and cert generation also
>>> seems to work but suddenly it all crashes .
>>> **************************************************************
>>>
>>>
>>>
>>> 2012/09/20 14:57:45| Starting Squid Cache version
>>> 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu...
>>> 2012/09/20 14:57:45| Process ID 23826
>>> 2012/09/20 14:57:45| Process Roles: master worker
>>> 2012/09/20 14:57:45| With 1024 file descriptors available
>>> 2012/09/20 14:57:45| Initializing IP Cache...
>>> 2012/09/20 14:57:45| DNS Socket created at [::], FD 5
>>> 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6
>>> 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf
>>> 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf
>>> 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes
>>> 2012/09/20 14:57:45| Logfile: opening log
>>> daemon:/usr/local/squid-3.3/var/logs/access.log
>>> 2012/09/20 14:57:45| Logfile Daemon: opening log
>>> /usr/local/squid-3.3/var/logs/access.log
>>> 2012/09/20 14:57:45| Logfile: opening log /usr/local/squid-3.3/var/logs/icap-log
>>> 2012/09/20 14:57:45| WARNING: log parameters now start with a module
>>> name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log'
>>>
>>>
>>> 2012/09/20 14:57:45| Store logging disabled
>>> 2012/09/20 14:57:45| Swap maxSize 0 + 262144 KB, estimated 20164 objects
>>> 2012/09/20 14:57:45| Target number of buckets: 1008
>>> 2012/09/20 14:57:45| Using 8192 Store buckets
>>> 2012/09/20 14:57:45| Max Mem size: 262144 KB
>>> 2012/09/20 14:57:45| Max Swap size: 0 KB
>>> 2012/09/20 14:57:45| Using Least Load store dir selection
>>> 2012/09/20 14:57:45| Set Current Directory to /usr/local/squid-3.3/var/cache
>>> 2012/09/20 14:57:45| Loaded Icons.
>>> 2012/09/20 14:57:45| HTCP Disabled.
>>> 2012/09/20 14:57:45| /usr/local/squid-3.3/var/run/squid.pid: (13)
>>> Permission denied
>>> 2012/09/20 14:57:45| WARNING: Could not write pid file
>>> 2012/09/20 14:57:45| Squid plugin modules loaded: 0
>>> 2012/09/20 14:57:45| Adaptation support is on
>>> 2012/09/20 14:57:45| Accepting SSL bumped HTTP Socket connections at
>>> local=192.168.8.134:3128 remote=[::] FD 20 flags=9
>>> 2012/09/20 14:57:45| Accepting HTTP Socket connections at
>>> local=192.168.8.134:8080 remote=[::] FD 21 flags=9
>>> 2012/09/20 14:57:45| Accepting SSL bumped HTTPS Socket connections at
>>> local=192.168.8.134:3129 remote=[::] FD 22 flags=9
>>> 2012/09/20 14:57:46| storeLateRelease: released 0 objects
>>>
>>> (ssl_crtd): Cannot create ssl certificate or private key.
>>> 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited
>>> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
>>>
>>> 2012/09/20 14:58:23| Starting new helpers
>>> 2012/09/20 14:58:23| helperOpenServers: Starting 1/5 'ssl_crtd' processes
>>> 2012/09/20 14:58:23| client_side.cc(3478) sslCrtdHandleReply:
>>> "ssl_crtd" helper return <NULL> reply
>>> (ssl_crtd): Cannot create ssl certificate or private key.
>>>
>>> 2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited
>>> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
>>> 2012/09/20 14:58:23| storeDirWriteCleanLogs: Starting...
>>> 2012/09/20 14:58:23| Finished. Wrote 0 entries.
>>> 2012/09/20 14:58:23| Took 0.00 seconds ( 0.00 entries/sec).
>>> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>>>
>>> Squid Cache (Version 3.HEAD-20120425-r12120): Terminated abnormally.
>>> CPU Usage: 0.355 seconds = 0.289 user + 0.066 sys
>>> Maximum Resident Size: 71104 KB
>>> Page faults with physical i/o: 0
>>> Memory usage for squid via mallinfo():
>>> total space in arena: 11924 KB
>>> Ordinary blocks: 11818 KB 49 blks
>>> Small blocks: 0 KB 0 blks
>>> Holding blocks: 664 KB 2 blks
>>> Free Small blocks: 0 KB
>>> Free Ordinary blocks: 105 KB
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Sep 20, 2012 at 2:52 PM, Linos wrote:
>>>> On 19/09/12 16:46, Guy Helmer wrote:
>>>>>> Thanks for reply.
>>>>>>
>>>>>> i checked the squid_ssl_db/size because i found the empty file problem
>>>>>> searching
>>>>>> for my own problem in the mailing list, it's ok in my host, the file have the
>>>>>> content "139264" right now.
>>>>>>
>>>>>> I can't found the core file, do i need to do something for it to generate?
>>>>>> maybe
>>>>>> a configure script option or squid.conf change to activate it?
>>>>>>
>>>>>> Regards,
>>>>>> Miguel Angel.
>>>>> I have
>>>>>
>>>>> coredump_dir /var/log/squid
>>>>>
>>>>> to get coredumps in my /var/log/squid directory. Now that I think about it,
>>>>> I don't remember if this works for ssl_crtd though -- seems like I have had
>>>>> to start "gdb ssl_crtd" and then attach to one of the ssl_crtd processes,
>>>>> then generate HTTPS traffic to trigger the request to ssl_crtd and get a
>>>>> backtrace when ssl_crtd gets the segfault signal…
>>>>>
>>>>> Guy
>>>>>
>>>> Hi,
>>>> i have been trying to debug with gdb attaching existing process, the
>>>> strange
>>>> it's that ssl_ctrd seems to exit normally in this test, here you have it (sorry
>>>> for the spanish locale, i will use english next time, the only file with
>>>> symbols
>>>> it's ssl_crtd itself):
>>>>
>>>> --------------------------------------------------------------------------------
>>>>
>>>> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
>>>> Copyright (C) 2012 Free Software Foundation, Inc.
>>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>>> and "show warranty" for details.
>>>> This GDB was configured as "x86_64-linux-gnu".
>>>> Para las instrucciones de informe de errores, vea:
>>>> <http://bugs.launchpad.net/gdb-linaro/>.
>>>> (gdb) attach 10495
>>>> Adjuntando a process 10495
>>>> Leyendo símbolos desde /usr/lib/squid3/ssl_crtd...Leyendo símbolos desde
>>>> /usr/lib/debug/usr/lib/squid3/ssl_crtd...hecho.
>>>> hecho.
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6
>>>> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron
>>>> símbolos
>>>> de depuración)hecho.
>>>> Símbolos cargados para /lib64/ld-linux-x86-64.so.2
>>>> 0x00007f3ef414f0a0 in read () from /lib/x86_64-linux-gnu/libc.so.6
>>>> (gdb) continue
>>>> Continuando.
>>>> [Inferior 1 (process 10495) exited normally]
>>>> (gdb) bt
>>>> No stack.
>>>>
>>>> --------------------------------------------------------------------------------
>>>>
>>>>
>>>> I have tried attaching to squid3 process itself and i have received a signal
>>>> here:
>>>>
>>>> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
>>>> Copyright (C) 2012 Free Software Foundation, Inc.
>>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>>> and "show warranty" for details.
>>>> This GDB was configured as "x86_64-linux-gnu".
>>>> Para las instrucciones de informe de errores, vea:
>>>> <http://bugs.launchpad.net/gdb-linaro/>.
>>>> (gdb) attach 10732
>>>> Adjuntando a process 10732
>>>> Leyendo símbolos desde /usr/sbin/squid3...coLeyendo símbolos desde
>>>> /usr/lib/debug/usr/sbin/squid3...ntinue
>>>> hecho.
>>>> hecho.
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libpthread.so.0...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> [Depuración de hilo usando libthread_db enabled]
>>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libpthread.so.0
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libxml2.so.2...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libxml2.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libexpat.so.1...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libexpat.so.1
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libssl.so.0.9.8...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5.so.3...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5.so.3
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcom_err.so.2...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcom_err.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcap.so.2...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcap.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/librt.so.1...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/librt.so.1
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libltdl.so.7...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libltdl.so.7
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
>>>> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron
>>>> símbolos
>>>> de depuración)hecho.
>>>> Símbolos cargados para /lib64/ld-linux-x86-64.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libk5crypto.so.3...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
>>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5support.so.0...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libkeyutils.so.1...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libkeyutils.so.1
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libresolv.so.2...(no se
>>>> encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libresolv.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_files.so.2...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_files.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_compat.so.2...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_compat.so.2
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnsl.so.1...(no se encontraron
>>>> símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnsl.so.1
>>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_nis.so.2...(no se
>>>> encontraron símbolos de depuración)hecho.
>>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_nis.so.2
>>>> 0x00007f7d6243dac8 in poll () from /lib/x86_64-linux-gnu/libc.so.6
>>>> (gdb) continue
>>>> Continuando.
>>>>
>>>> Program received signal SIGPIPE, Broken pipe.
>>>> 0x00007f7d647becb0 in __write_nocancel () from
>>>> /lib/x86_64-linux-gnu/libpthread.so.0
>>>> (gdb) bt
>>>> #0 0x00007f7d647becb0 in __write_nocancel () from
>>>> /lib/x86_64-linux-gnu/libpthread.so.0
>>>> #1 0x00007f7d63d075c5 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>>> #2 0x00007f7d63d05247 in BIO_write () from
>>>> /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>>> #3 0x00007f7d63ffafc4 in ssl3_write_pending () from
>>>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>>> #4 0x00007f7d63ffc853 in ssl3_dispatch_alert () from
>>>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>>> #5 0x00007f7d63ff9442 in ssl3_shutdown () from
>>>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>>> #6 0x00007f7d64e8f0f4 in AsyncCall::make (this=0x7f7d687eb390) at
>>>> AsyncCall.cc:36
>>>> #7 0x00007f7d64e92117 in AsyncCallQueue::fireNext (this=<optimized out>) at
>>>> AsyncCallQueue.cc:54
>>>> #8 0x00007f7d64e92270 in AsyncCallQueue::fire (this=0x7f7d66f5f2c0) at
>>>> AsyncCallQueue.cc:40
>>>> #9 0x00007f7d64d7c494 in EventLoop::runOnce (this=0x7fff630b3e60) at
>>>> EventLoop.cc:131
>>>> #10 0x00007f7d64d7c568 in EventLoop::run (this=0x7fff630b3e60) at
>>>> EventLoop.cc:95
>>>> #11 0x00007f7d64ddc039 in SquidMain (argc=<optimized out>, argv=<optimized
>>>> out>)
>>>> at main.cc:1500
>>>> #12 0x00007f7d64d10b76 in SquidMainSafe (argv=<optimized out>, argc=<optimized
>>>> out>) at main.cc:1215
>>>> #13 main (argc=<optimized out>, argv=<optimized out>) at main.cc:1207
>>>>
>>>> Any ideas what's going on with this information? Thansk!
>>>>
>>>> Regards,
>>>> Miguel Angel.
>>>
>>>
>> Hi Ahmed,
>> did you found a way to fix or workaround this? i can't get a backtrace
>> with the
>> information needed and no matter what i try it keeps failing, i had to disable
>> ssl and my users are a bit upset.
>>
>> Regards,
>> Miguel Angel.
>
> I've taken a quick look at these reports and tried to figure out if anything
> obvious is going on.
>
> From what I can see, there is really no reason why the helper should be exiting
> like this. Something it is doing produces an exception, fine, but the method of
> handling that exception is to exit instead of reporting the problem to Squid and
> continuing with further requests.
>
> As a workaround you can probably patch out the FATAL and let Squid continuously
> restart the helpers unless that spams the logs too much for your liking.
>
> Amos
>

Anything that works it is, at this time, much better option than what i have now
so i am going to try it, thanks!

Miguel Angel.
Received on Mon Sep 24 2012 - 11:19:54 MDT