What cert error page do you get?
from the browser or with squid logo?
try to use only these directives:
##start
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/myCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/squid/ssl_cert/ssl_db
-M 16MB
sslcrtd_children 5
# # SSL Settings
ssl_bump server-first all
sslproxy_cert_error deny all
#sslcrtd_program /usr/lib64/squid/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 10
##end
The only issue is that in order for the browser to work with squid you
need to install the der certificate in the OS or browser.
What browser are you using?
Eliezer
On 10/15/2013 05:01 PM, Derek Pinkston wrote:
> Fresh install on CentOS 6.4, Squid Version 3.4.0.2. As the Subject
> states all HTTP works fine. HTTPS will throw cert errors all over the
> browser. The logs are showing no errors as well as squid -k parse.
> When attempting to access a secure site the access.log does not show
> that activity. The browser throws a cert error and looking at the cert
> it's the one from the squid machine rather than Dynamic SSL
> Certificate Generation.
>
> I checked the Cert dir and the server is downloading the certs from
> other sites. Pasted below is my squid.conf If I'm forgetting
> anything or you need me to post anything else let me know.
>
> Thanks in advance for any help!
>
> acl localnet src 10.1.0.0/16 # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
>
> http_access deny all
>
> http_port 10.1.4.1:3128 intercept
> http_port 3128
> https_port 10.1.4.1:3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
> ssl_bump server-first all
> always_direct allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
>
> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> redirect_children 1
>
> access_log /var/log/squid/access.log squid
>
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
Received on Tue Oct 15 2013 - 16:30:51 MDT
This archive was generated by hypermail 2.2.0 : Tue Oct 15 2013 - 12:00:06 MDT