Re: [squid-users] problems with ssl_crtd

From: Linos <info_at_linos.es>
Date: Thu, 20 Sep 2012 13:08:12 +0200

On 20/09/12 12:58, Ahmed Talha Khan wrote:
> Hey Guy, All
>
> I have started facing a very similar issue now.I have been using
> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
> Suddenly from yesterday ive started getting crahses in ssl_crtd
> process.
>
>
> In my case i am the only user but i observe that the behaviour is
> random. Sometimes it crashes and sometimes it works. Different https
> pages give the crash. Even non https pages have caused the crash.
>
> These occur especially on google https pages like docs,mail,calender etc..
>
> The signing cert is also ok and has NOT expired.
>
>
> My squid conf looks like this:
> *******************************************************
> sslproxy_cert_error allow all
>
> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/asif/squid/www.sample.com.pem
> key=/home/asif/squid/www.sample.com.pem
>
> http_port 192.168.8.134:8080
>
> https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/asif/squid/www.sample.com.pem
> key=/home/asif/squid/www.sample.com.pem
> *******************************************************
>
> The ssl_db directory is initialized properly with correct permissions.
>
> ***********************************************************
> [talha_at_localhost lib]$ pwd
> /usr/local/squid-3.3/var/lib
>
> [talha_at_localhost lib]$ ls -al
> total 24
> drwxrwxrwx 3 root root 4096 Sep 20 15:31 .
> drwxrwxrwx 6 root root 4096 Sep 20 15:05 ..
> drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db
>
> The size file also has some values in it and cert generation also
> seems to work but suddenly it all crashes .
> **************************************************************
>
>
>
> 2012/09/20 14:57:45| Starting Squid Cache version
> 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu...
> 2012/09/20 14:57:45| Process ID 23826
> 2012/09/20 14:57:45| Process Roles: master worker
> 2012/09/20 14:57:45| With 1024 file descriptors available
> 2012/09/20 14:57:45| Initializing IP Cache...
> 2012/09/20 14:57:45| DNS Socket created at [::], FD 5
> 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6
> 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf
> 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf
> 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes
> 2012/09/20 14:57:45| Logfile: opening log
> daemon:/usr/local/squid-3.3/var/logs/access.log
> 2012/09/20 14:57:45| Logfile Daemon: opening log
> /usr/local/squid-3.3/var/logs/access.log
> 2012/09/20 14:57:45| Logfile: opening log /usr/local/squid-3.3/var/logs/icap-log
> 2012/09/20 14:57:45| WARNING: log parameters now start with a module
> name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log'
>
>
> 2012/09/20 14:57:45| Store logging disabled
> 2012/09/20 14:57:45| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2012/09/20 14:57:45| Target number of buckets: 1008
> 2012/09/20 14:57:45| Using 8192 Store buckets
> 2012/09/20 14:57:45| Max Mem size: 262144 KB
> 2012/09/20 14:57:45| Max Swap size: 0 KB
> 2012/09/20 14:57:45| Using Least Load store dir selection
> 2012/09/20 14:57:45| Set Current Directory to /usr/local/squid-3.3/var/cache
> 2012/09/20 14:57:45| Loaded Icons.
> 2012/09/20 14:57:45| HTCP Disabled.
> 2012/09/20 14:57:45| /usr/local/squid-3.3/var/run/squid.pid: (13)
> Permission denied
> 2012/09/20 14:57:45| WARNING: Could not write pid file
> 2012/09/20 14:57:45| Squid plugin modules loaded: 0
> 2012/09/20 14:57:45| Adaptation support is on
> 2012/09/20 14:57:45| Accepting SSL bumped HTTP Socket connections at
> local=192.168.8.134:3128 remote=[::] FD 20 flags=9
> 2012/09/20 14:57:45| Accepting HTTP Socket connections at
> local=192.168.8.134:8080 remote=[::] FD 21 flags=9
> 2012/09/20 14:57:45| Accepting SSL bumped HTTPS Socket connections at
> local=192.168.8.134:3129 remote=[::] FD 22 flags=9
> 2012/09/20 14:57:46| storeLateRelease: released 0 objects
>
> (ssl_crtd): Cannot create ssl certificate or private key.
> 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
>
> 2012/09/20 14:58:23| Starting new helpers
> 2012/09/20 14:58:23| helperOpenServers: Starting 1/5 'ssl_crtd' processes
> 2012/09/20 14:58:23| client_side.cc(3478) sslCrtdHandleReply:
> "ssl_crtd" helper return <NULL> reply
> (ssl_crtd): Cannot create ssl certificate or private key.
>
> 2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited
> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
> 2012/09/20 14:58:23| storeDirWriteCleanLogs: Starting...
> 2012/09/20 14:58:23| Finished. Wrote 0 entries.
> 2012/09/20 14:58:23| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.HEAD-20120425-r12120): Terminated abnormally.
> CPU Usage: 0.355 seconds = 0.289 user + 0.066 sys
> Maximum Resident Size: 71104 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
> total space in arena: 11924 KB
> Ordinary blocks: 11818 KB 49 blks
> Small blocks: 0 KB 0 blks
> Holding blocks: 664 KB 2 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 105 KB
>

Maybe i would have added that the pages i am testing to crash squid are google
ones, https://www.google.com and an google apps one. i did not tried with other
ssl sites to say the truth because this are the ones my users load.

Regards,
Miguel Angel.
Received on Thu Sep 20 2012 - 11:08:23 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 21 2012 - 12:00:04 MDT