RE: [squid-users] Using trusted fake CA cert for ssl-bump on http_port

From: Shinoj Gangadharan <sgangadharan_at_wavecrest.gi>
Date: Tue, 10 Dec 2013 17:32:11 +0530

Does the certificate match the key? Is there a passphrase for the key? If
yes, please remove the passphrase. Are you able to get it working with
generate-host-certificates=off ?

Regards,
Shinoj.

> -----Original Message-----
> From: Sridhar N [mailto:sridhar.narasimhan_at_live.com]
> Sent: Monday, December 09, 2013 6:20 PM
> To: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Using trusted fake CA cert for ssl-bump on http_port
>
> ----------------------------------------
> > From: sgangadharan_at_wavecrest.gi
> > Date: Mon, 9 Dec 2013 11:55:42 +0530
> >
> > Hi Sridhar,
> >
> > I don’t see the following in your config file :
> >
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> > sslcrtd_children 50
> >
> > always_direct allow all
> >
> >
> > /var/lib/ssl_db should be owned by squid. This is where the generated
> > certificates will be stored. This folder is created by using the command :
> >
> > ssl_crtd -c -s /var/lib/ssl_db
> >
>
> Thanks. I added those lines, still getting the same problem though.
>
> What else might be going on ?
>
> root_at_ubuntu:~# squid -k parse
> 2013/12/09 18:17:57| Startup: Initializing Authentication Schemes ...
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'basic'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'digest'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'negotiate'
> 2013/12/09 18:17:57| Startup: Initialized Authentication Scheme 'ntlm'
> 2013/12/09 18:17:57| Startup: Initialized Authentication.
> 2013/12/09 18:17:57| Processing Configuration File: /usr/local/etc/squid.conf (depth 0)
> 2013/12/09 18:17:57| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> 2013/12/09 18:17:57| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
> 2013/12/09 18:17:57| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> 2013/12/09 18:17:57| Processing: acl SSL_ports port 443
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 80 # http
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 21 # ftp
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 443 # https
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 70 # gopher
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 210 # wais
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 1025-65535 # unregistered ports
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 280 # http-mgmt
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 488 # gss-http
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 591 # filemaker
> 2013/12/09 18:17:57| Processing: acl Safe_ports port 777 # multiling http
> 2013/12/09 18:17:57| Processing: acl CONNECT method CONNECT
> 2013/12/09 18:17:57| Processing: http_access deny !Safe_ports
> 2013/12/09 18:17:57| Processing: http_access allow localhost manager
> 2013/12/09 18:17:57| Processing: http_access deny manager
> 2013/12/09 18:17:57| Processing: http_access allow localnet
> 2013/12/09 18:17:57| Processing: http_access allow localhost
> 2013/12/09 18:17:57| Processing: http_access allow all
> 2013/12/09 18:17:57| Processing: http_port 4128 ssl-bump  generate-host-certificates=on  cert=/etc/ssl/demoCA/CA/cacert.pem key=/etc/ssl/demoCA/CA/cacert.key
> 2013/12/09 18:17:57| Processing: ssl_bump server-first all
> 2013/12/09 18:17:57| Processing: sslcrtd_program /usr/local/libexec/ssl_crtd -s /usr/local/var/lib/ssl_db
> 2013/12/09 18:17:57| Processing: sslcrtd_children 5
> 2013/12/09 18:17:57| Processing: always_direct allow all
> 2013/12/09 18:17:57| Processing: coredump_dir /usr/local/var/cache/squid
> 2013/12/09 18:17:57| Processing: refresh_pattern ^ftp: 1440 20% 10080
> 2013/12/09 18:17:57| Processing: refresh_pattern ^gopher: 1440 0% 1440
> 2013/12/09 18:17:57| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> 2013/12/09 18:17:57| Processing: refresh_pattern . 0 20% 4320
> 2013/12/09 18:17:57| Initializing https proxy context
> 2013/12/09 18:17:57| Initializing http_port [::]:4128 SSL context
> 2013/12/09 18:17:57| Using certificate in /etc/ssl/demoCA/CA/cacert.pem
> 2013/12/09 18:17:57| storeDirWriteCleanLogs: Starting...
> 2013/12/09 18:17:57|   Finished.  Wrote 0 entries.
> 2013/12/09 18:17:57|   Took 0.00 seconds (  0.00 entries/sec).
> FATAL: No valid signing SSL certificate configured for http_port [::]:4128
> Squid Cache (Version 3.3.10): Terminated abnormally.
> CPU Usage: 0.008 seconds = 0.008 user + 0.000 sys
> Maximum Resident Size: 25808 KB
> Page faults with physical i/o: 0
Received on Tue Dec 10 2013 - 12:02:22 MST
