Re: [squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Fri, 23 Jan 2015 12:08:53 -0800 

For a Red Hat/CentOS based OS, selinux causes that.

The fix I found in this case:
Before the below “audit2allow” command will work, you will need to install the needed tool for selinux: 

* yum -yinstall policycoreutils-python
(which will also install a few other dependencies).

To temporarily set selinux to permissive:

* echo 0 >/selinux/enforce

To re-enable after it is fixed:
* echo 1 >/selinux/enforce
Check the /var/log/audit/audit.log for the type=AVC relating to the ssl_crtd entries (easy way is "grep AVC audit.log | less" ). 

To find out WHY it is happening in selinux, use this:
grep ssl_crtd /var/log/audit/audit.log | audit2allow -w


Start in /tmp/ folder since we will not need these files for long.
* grep ssl_crtd /var/log/audit/audit.log | audit2allow -m ssl_crtdlocal > ssl_crtdlocal.te - outputs the suggested settings into the file ssl_crtdlocal.te, which we will review below in “cat” 
* cat ssl_crtdlocal.te
- to review the created file and show what will be donein selinux
* grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtdlocal
- Note the capital M, this Makes the needed file, ready for selinux to import, and then the next command below actually enables it. 
* semodule -i ssl_crtdlocal.pp
- Used to enable the new policy in selinux
As long as it is now working properly, can delete the *.te and *.pp files created in the /tmp/ folder.
Now all of this is mute if selinux is not used so there may likely be other explanations, but this at least covers RedHat based OS's with selinux. I documented all of this since our servers ran into the same issue due to selinux, and this was how we resolved it. 


Mike



On 1/22/2015 6:17 AM, HackXBack wrote:

hello,
every day i found this error and my cache stop

then i remove the ssl database then restart squid

next day the problem happen again ,
am using squid 3.4.11

what may cause this problem ?

thanks.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-The-ssl-crtd-helpers-are-crashing-too-rapidly-need-help-tp4669257.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to