Re: [squid-users] Squid 3.3.8 https problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 22 Dec 2013 17:35:04 +1300

On 20/12/2013 8:49 p.m., 0bj3ct wrote:
> Hello!
>
> + I've got squid source from ubuntu repo. (apt-get source squid3)
> + Then added --enable-ssl and --enable-ssl-crtd in /debian/rules file

Do you have the libssl and libssl-dev packages also installed at this time?

> + Then run the command "debuil -us -uc"
> + Installed squid3*.deb squid3-common*.deb squidclient*deb
>
> + Created Certificate with command:
> "openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem
> -out myCA.pem"

You are following this right?
  http://wiki.squid-cache.org/Features/DynamicSslCert

>
> + When I run "squid3 -v" I can see "--enable-ssl --enable-ssl-crtd" between
> configure options
>
> + I configured my squid.conf file as follow:
> #######################################################################
> cl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
>
> http_access allow spring_url all
> http_access allow localhost manager
> http_access allow allow_mac
> http_access allow Safe_ports allow_mac
> http_access allow CONNECT SSL_ports allow_mac
> http_access allow localhost
> http_access deny all
>
>
> http_port 3129
> http_port 3128 intercept
> https_port 3127 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid3/ssl_cert/myCA.pem
> ssl_bump server-first all
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/lib/squid3/ssl_db -M 4MB
> sslcrtd_children 5
>
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
>
> coredump_dir /var/spool/squid3
>
> cache_mem 512 MB
>
> cache_dir ufs /var/spool/squid3 100 16 256
> #######################################################################
>
>
>
> When I start squid in cache.log:
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

This usually happens when the certificate cache (which you have placed
in /usr/lib/squid3/ssl_db) is either missing, or broken somehow.

Please erase it are rebuild:

 rm -rf /usr/lib/squid3/ssl_db/*
 su ${PROXY USER ACCOUNT}
 /usr/lib/squid3/ssl_crtd -c -s /usr/lib/squid3/ssl_db
 exit

 ... add -d option to the ssl_crtd command line options in squid.conf.
This will give you debug otput about what its doing for solving any
future problems.

 ... then re-start Squid.

Amos
Received on Sun Dec 22 2013 - 04:35:19 MST

This archive was generated by hypermail 2.2.0 : Sun Dec 22 2013 - 12:00:04 MST