[squid-users] Dynamic Certs - No Valid SSL Signing Cert

From: Jesse Smith <jessesmith_at_affinitygs.com>
Date: Wed, 17 Oct 2012 14:09:02 -0500

When trying to generate dynamic certs using ssl-bump and Squid 3.3, we
are getting the "No Valid SSL Signing Cert .." message, though the path
to the cert is correct, as are the permissions on the cert file.

We are trying to use a CA cert for the purpose of signing the
dynamically generated cert. The Squid config for the https port is below:

=============================================================
https_port 10.1.10.136:443 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/var/ssl_db/certs/DigiCertHighAssuranceEVRootCA.crt vhost
=============================================================

Does anyone know why this cert would not be a valid signing cert? It
works when using a self-signed cert, but we get the message Protocol error
(TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), because the signing
cert is not trusted to sign the generated cert, hence going with the CA
cert for trusted signing.

Thanks,
Jesse
Received on Wed Oct 17 2012 - 19:09:10 MDT
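
A check one could run on the file passed to cert= in the configuration above, added here as an example and not part of the original message. It relies on Squid's documented behaviour that, when key= is omitted, the cert= file is assumed to hold both the certificate and its private key; the can_sign and make_demo_files names and the generated demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Squid's documentation for key=
# says that when it is omitted, the cert= file is assumed to hold both the
# certificate and its private key. can_sign reports whether a PEM file does.

# Prints: ok | no-certificate | no-private-key | key-mismatch | not-a-ca
can_sign() {
    f=$1
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) \
        || { echo no-certificate; return 1; }
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) \
        || { echo no-private-key; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo key-mismatch; return 1; }
    openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo not-a-ca; return 1; }
    echo ok
}

# Build constructed test files in a temp dir and print its path.
make_demo_files() {
    d=$(mktemp -d)
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    cp "$d/ca.crt" "$d/cert-only.pem"                        # public cert alone
    cat "$d/ca.crt" "$d/ca.key" > "$d/cert-and-key.pem"      # combined file
    cat "$d/ca.crt" "$d/other.key" > "$d/wrong-key.pem"      # unrelated key
    echo "$d"
}

demo=$(make_demo_files)
for name in cert-only.pem cert-and-key.pem wrong-key.pem; do
    printf '%s: %s\n' "$name" "$(can_sign "$demo/$name")"
done
rm -rf "$demo"
```

Running can_sign against the real file named in cert= gives the same verdicts; only a file that reports ok carries a CA certificate together with its matching private key.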
