Re: [squid-users] FATAL: No valid signing SSL certificate configured for https_port

From: Mike <mcsnv96_at_afo.net>
Date: Sun, 29 Jun 2014 13:51:00 -0500

Here are my entries for ssl-bump:

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

In many cases you will need to recreate the certificates, as copying them
over does not always work, or they are tied to that specific machine via
encryption.

Also, it helps to set the proxy to different ports such as 3128 or 8080
instead of trying to use 80 and 443, as those are for server-based
websites, not proxies, and generally cause more problems in the long
run. Most servers see an incoming connection to port 80 or 443 and try
to respond via Apache.

Mike

On 6/29/2014 1:30 PM, John Gardner wrote:
> I wonder if some of you can help me in figuring out an issue. For the
> last three years, we've had a Squid Reverse Proxy running on
> Oracle Linux 5 (64 bit) with version 2.6 of Squid (which came with the
> distro) and it's been a total success and never missed a beat.
>
> Now, I realised that this version is getting old so I thought I would
> install a more recent version and get some more features as well,
> I installed the 32 bit version of Eliezer's 3.4.3 RPM and managed to
> get everything back up and running successfully. However, when
> I was testing this environment I noticed that every so often in the
> log I got a FATAL: Received Segment Violation...dying. message and then
> Squid just stopped responding. So, I then decided to build a version 6
> version of Oracle Linux instance and then install the 64 bit 3.4.3 RPM
> on it, copying over all of the config and certificates.
>
> Now I've got a new problem, although Squid now starts successfully
> when I only put http_port into the squid.conf, when I add https_port
> entries I get the following message;
>
> FATAL: No valid signing SSL certificate configured for https_port
> 10.x.x.95:443 and Squid terminates.
>
> Does anyone know why I'm getting this issue? Would it be because in
> moving from OEL 5 to OEL 6 I've also moved from OpenSSL 0.98 to
> OpenSSL 1.0 and the certificate formats are now different or is it
> something else?
>
> All help greatly appreciated.
>
> John
>
Received on Sun Jun 29 2014 - 18:51:07 MDT
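
Added example, not part of either message: one way to act on the advice to recreate the certificates, generating a fresh key and self-signed CA certificate and checking that the two files parse and belong together before cert= and key= are pointed at them. The function names, the CN and the temporary directory are assumptions made for illustration; the file names follow the configuration quoted above.

```shell
#!/bin/sh
# Added example: regenerate and pre-check a signing pair for ssl-bump.
# File names mirror the post; the directory and CN are constructed values.

# Create a fresh, unencrypted RSA key and a self-signed CA certificate in $1.
make_signing_pair() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example proxy signing CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    ( umask 077   # keep the private key unreadable to group and others
      openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
          -config "$dir/ca.cnf" \
          -keyout "$dir/squid.key" -out "$dir/squid.pem" 2>/dev/null )
}

# Return 0 only if cert $1 parses, is not expired, and matches private key $2.
check_pair() {
    cert=$1 key=$2
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate unreadable or expired: $cert" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" makes a passphrase-protected key fail instead of prompting
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "key unreadable or passphrase-protected: $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "key does not belong to certificate" >&2; return 1; }
}

# Demo on a throwaway directory; on a real host use the directory from squid.conf.
demo_dir=$(mktemp -d)
make_signing_pair "$demo_dir" &&
    check_pair "$demo_dir/squid.pem" "$demo_dir/squid.key" &&
    echo "signing pair OK"
rm -rf "$demo_dir"
```

Running check_pair against files copied from another host shows whether the copy itself is damaged, mismatched or passphrase-protected before Squid is restarted.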
