RE: [squid-users] ssl_crtd reporting certificate database as uninitialized

From: Jason A. Sloan <jason_sloan_at_oh.rr.com>
Date: Wed, 9 Jan 2013 21:40:20 -0500

No joy.

I initially ran the ssl_crtd command as root before using sudo to run it as
the squid user. Regardless, I tried that to no avail.

As root:

Deleted existing ssl_db implementation.

/usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
Initialization SSL db...
Done

chown -R squid:nobody ssl_db/

Attempt to start died with same error message:
(ssl_crtd): Uninitialized SSL certificate database directory:
/var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
...
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

-----Original Message-----
From: Ahmed Talha Khan [mailto:auny87_at_gmail.com]
Sent: Wednesday, January 09, 2013 1:56 PM
To: Jason A. Sloan
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] ssl_crtd reporting certificate database as
uninitialized

Try to create the ssl_db without sudo. There seems to be a problem with the
permissions on that directory. Also change the group ownership of ssl_db to
"nobody". I hope that helps.

On Wed, Jan 9, 2013 at 11:38 PM, Jason A. Sloan <jason_sloan_at_oh.rr.com>
wrote:
> I'm setting up dynamic SSL cert generation on a Centos 6.3 (i686)
> platform but I can't seem to get ssl-crtd to believe it's initialized.
> Perhaps I'm missing something. Either way I could use another set of eyes
> / ideas.
>
> I have compiled the latest stable release (3.2.5) and installed it.
> Packaged release was not compiled with --enable-ssl-crtd.
>
> When starting squid I get a message in cache.log from ssl-crtd that it
> believes the SSL Certificate database is uninitialized..
>
> However I have executed the following:
>
> sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
> Initialization SSL db...
> Done
>
> I can even execute ssl-crtd outside of squid and get a response..
>
> sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> new_certificate 13 host=test.com
> OK 1531
> -----BEGIN CERTIFICATE-----
> MIIBmDCC.
> -----END CERTIFICATE-----
> -----BEGIN PRIVATE KEY-----
> MIICdgIBADANBgkqhki.
> -----END PRIVATE KEY-----
> ^C
>
> I have even attempted to chmod -R 777 /var/squid/ssl_db with no success.
>
> 2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for
> i686-pc-linux-gnu...
> 2013/01/09 12:49:37 kid1| Process ID 26793
> 2013/01/09 12:49:37 kid1| Process Roles: worker
> 2013/01/09 12:49:37 kid1| With 16384 file descriptors available
> 2013/01/09 12:49:37 kid1| Initializing IP Cache...
> 2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
> 2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
> 2013/01/09 12:49:37 kid1| Adding domain gaming.local from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
> 2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
> 2013/01/09 12:49:37 kid1| Logfile: opening log daemon:/var/log/squid/access.log
> 2013/01/09 12:49:37 kid1| Logfile Daemon: opening log /var/log/squid/access.log
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> 2013/01/09 12:49:37 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> 2013/01/09 12:49:37 kid1| Store logging disabled
> 2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2013/01/09 12:49:37 kid1| Target number of buckets: 1008
> 2013/01/09 12:49:37 kid1| Using 8192 Store buckets
> 2013/01/09 12:49:37 kid1| Max Mem size: 262144 KB
> 2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
> 2013/01/09 12:49:37 kid1| Using Least Load store dir selection
> 2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
> 2013/01/09 12:49:37 kid1| Loaded Icons.
> 2013/01/09 12:49:37 kid1| HTCP Disabled.
> 2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
> 2013/01/09 12:49:37 kid1| Adaptation support is off.
> 2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
> 2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
> 2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running (need 1/5)
> 2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
> 2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
> 2013/01/09 12:49:37 kid1| Finished. Wrote 0 entries.
> 2013/01/09 12:49:37 kid1| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.2.5): Terminated abnormally.
> CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys
> Maximum Resident Size: 50304 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
> total space in arena: 4784 KB
> Ordinary blocks: 4655 KB 8 blks
> Small blocks: 0 KB 0 blks
> Holding blocks: 7252 KB 6 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 128 KB
> Total in use: 11907 KB 249%
> Total free: 128 KB 3%
>
> Full configure used in compile here:
> ./configure \
> --exec_prefix=/usr \
> --libexecdir=/usr/lib/squid \
> --includedir=/usr/include \
> --localstatedir=/var \
> --datadir=/usr/share/squid \
> --bindir=/usr/sbin \
> --sysconfdir=/etc/squid \
> --with-logdir='/var/log/squid' \
> --with-pidfile='/var/run/squid.pid' \
> --disable-dependency-tracking \
> --enable-arp-acl \
> --enable-follow-x-forwarded-for \
>
> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth" \
> --enable-auth-digest="password,ldap,eDirectory" \
> --enable-auth-ntlm="smb_lm,no_check,fakeauth" \
> --enable-auth-negotiate \
>
> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
> --enable-cache-digests \
> --enable-cachemgr-hostname=localhost \
> --enable-delay-pools \
> --enable-epoll \
> --enable-icap-client \
> --enable-ident-lookups \
> --with-large-files \
> --enable-linux-netfilter \
> --enable-referer-log \
> --enable-removal-policies="heap,lru" \
> --enable-snmp \
> --enable-ssl \
> --enable-ssl-crtd \
> --enable-storeio="aufs,diskd,ufs" \
> --enable-useragent-log \
> --enable-wccpv2 \
> --enable-esi \
> --with-aio \
> --with-default-user="squid" \
> --with-filedescriptors=16384 \
> --with-dl \
> --with-openssl \
> --with-pthreads
>
> Relevant squid.conf settings:
>
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer key=/etc/squid/squid.key
>
> # Squid SSL Certificate Daemon Options
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> sslcrtd_children 5
>
> Thanks in advance!
>
>

--
Regards,
-Ahmed Talha Khan
Received on Thu Jan 10 2013 - 02:40:23 MST
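The thread above boils down to two things worth checking on the box before restarting Squid: whether the helper user can actually use the certificate database directory, and whether the `-s` path in `sslcrtd_program` is the same one that was initialized with `ssl_crtd -c -s`. The following POSIX shell script is an added example for this thread; it is not Squid's own code and nothing the posters ran. It assumes the database layout `ssl_crtd -c` creates (an `index.txt` file, a `size` file and a `certs/` subdirectory), which the messages do not spell out, and that the helper runs as the user Squid was built with (`--with-default-user="squid"` in Jason's configure line). The dry run at the bottom uses constructed temporary directories and a constructed one-line squid.conf, so it runs without touching `/var/squid/ssl_db`.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid's own code): sanity-check an
# ssl_crtd certificate database the way the helper process will see it.
#
# ASSUMPTIONS (not stated on the page):
#  - "ssl_crtd -c -s DIR" creates DIR/index.txt, DIR/size and DIR/certs/
#  - the helper runs as Squid's effective user (here "squid"), which must be
#    able to read, search and write DIR.

# check_ssl_db DIR USER: print every problem found, return 0 only if clean.
# USER may be a login name or a numeric uid.
check_ssl_db() {
    db=$1
    want_user=$2
    rc=0
    if [ ! -d "$db" ]; then
        echo "MISSING: $db is not a directory"
        return 1
    fi
    case $want_user in
        *[!0-9]*)
            want_uid=$(id -u "$want_user" 2>/dev/null) || {
                echo "USER: no such user '$want_user'"
                return 1
            } ;;
        *) want_uid=$want_user ;;
    esac
    # Numeric owner from ls -ldn: portable across GNU and BSD stat variants.
    owner_uid=$(ls -ldn "$db" | awk '{print $3}')
    if [ "$owner_uid" != "$want_uid" ]; then
        echo "OWNER: $db is owned by uid $owner_uid, helper runs as uid $want_uid"
        rc=1
    fi
    for f in index.txt size; do
        if [ ! -f "$db/$f" ]; then
            echo "MISSING: $db/$f (directory never initialized with -c?)"
            rc=1
        fi
    done
    if [ ! -d "$db/certs" ]; then
        echo "MISSING: $db/certs/"
        rc=1
    fi
    # The helper creates files inside DIR; test that from the invoking user.
    if [ ! -w "$db" ] || [ ! -x "$db" ]; then
        echo "PERM: $db is not writable and searchable by $(id -un 2>/dev/null || id -u)"
        rc=1
    fi
    return $rc
}

# sslcrtd_db_path CONF: print the -s argument of the sslcrtd_program line so
# it can be compared with the path that was passed to "ssl_crtd -c -s".
sslcrtd_db_path() {
    sed -n 's/^[[:space:]]*sslcrtd_program[[:space:]].*-s[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# make_demo_db DIR initialized|empty: constructed fixtures for the dry run.
make_demo_db() {
    mkdir -p "$1"
    if [ "$2" = initialized ]; then
        : > "$1/index.txt"
        echo 0 > "$1/size"
        mkdir -p "$1/certs"
    fi
}

# Dry run on constructed directories; the real check would be
#   check_ssl_db /var/squid/ssl_db squid
demo_root=$(mktemp -d)
make_demo_db "$demo_root/ssl_db_ok" initialized
make_demo_db "$demo_root/ssl_db_bad" empty
printf 'sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB\n' \
    > "$demo_root/squid.conf"

echo "squid.conf points the helper at: $(sslcrtd_db_path "$demo_root/squid.conf")"
for d in ssl_db_ok ssl_db_bad; do
    if check_ssl_db "$demo_root/$d" "$(id -u)"; then
        echo "$d: OK"
    else
        echo "$d: NOT usable by ssl_crtd"
    fi
done
rm -rf "$demo_root"
```

On a real host, run `check_ssl_db /var/squid/ssl_db squid` as the same user that starts Squid and compare the printed `sslcrtd_db_path /etc/squid/squid.conf` with the path used in the `-c` run; a mismatch in either is enough for the helper to report the directory as uninitialized even though the `-c` step printed "Done".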
