Hi, Raf. Just checked on two of my servers - works like a charm without any moves :) I already have a good intermediate CA bundle :)

08.09.2017 3:42, Rafael Akchurin wrote:
> Hello LA, Yuri,
>
> The server analysis at
> https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87&latest
> shows the certificate chain presented by the remote server is indeed
> incomplete, specifically the following certificate is not presented:
>
> ---
> Symantec Class 3 Secure Server CA - G4
> Fingerprint SHA256:
> eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
> Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
> RSA 2048 bits (e 65537) / SHA256withRSA
> ---
>
> Adding it to the intermediate certificate file as indicated on
> https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended
> and reloading Squid 3.5.23 allows one to successfully see and bump the site.
>
> Our UI generates exactly the same config setting as you have tried:
> sslproxy_foreign_intermediate_certs /opt/websafety/etc/squid/foreign_intermediate_certs.pem
>
> So it must be working :)
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of L A Walsh
> Sent: Thursday, September 7, 2017 11:15 PM
> To: squid-us...@squid-cache.org
> Subject: [squid-users] TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?
>
> Got an error message from squid where I'm doing https-bumping:
>
> --------------------------
> The following error was encountered while trying to retrieve the URL:
> https://help.ea.com/
>
> *Failed to establish a secure connection to 52.0.220.87*
>
> The system returned:
>
> (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 Secure Server CA - G4
>
> This proxy and the remote host failed to negotiate a mutually acceptable
> security settings for handling your request. It is possible that the remote
> host does not support secure connections, or the proxy is not satisfied with
> the host security credentials.
>
> --------------------------------
>
> Googling found:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html
>
> Used openssl.com to get the intermediate certs (2 hosts are referenced in
> parallel chains). The two certs looked like:
>
> -----BEGIN CERTIFICATE-----
> ...hexstuff==
> -----END CERTIFICATE-----
>
> Added the certs to a file and that filename to my squid.conf on a line:
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem
>
> restarted squid, but am still getting same error.
>
> Am I missing some obvious step?
>
> Looking for a clue... ;-)
>
> Thanks!
> -l
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
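
Added example (not part of the thread, and not code from Squid or Diladele): a check that the PEM file named by `sslproxy_foreign_intermediate_certs` really contains the missing intermediate, by comparing the SHA-256 fingerprint of each certificate block with the one quoted in the thread. The function names and the sample bundle are constructed for illustration; the sample bytes are stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# Fingerprint quoted in the thread for "Symantec Class 3 Secure Server CA - G4".
WANTED_SHA256 = "eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def bundle_fingerprints(pem_text):
    """Return (fingerprints, problems) for the CERTIFICATE blocks of a PEM bundle.

    A fingerprint is the SHA-256 of the DER bytes in lowercase hex, the form
    SSL Labs reports as "Fingerprint SHA256".
    """
    fingerprints, problems = [], []
    for index, match in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        body = "".join(match.group(1).split())  # drop newlines, CRs, indentation
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"block {index}: body is not valid base64")
            continue
        # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"block {index}: decoded data is not a DER SEQUENCE")
            continue
        fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints and not problems:
        problems.append("no CERTIFICATE blocks found (DER file or wrong path?)")
    return fingerprints, problems

def bundle_contains(pem_text, wanted_hex):
    """True if a certificate in the bundle has the given SHA-256 fingerprint."""
    wanted = wanted_hex.replace(":", "").lower()
    return wanted in bundle_fingerprints(pem_text)[0]

def to_pem(der):
    """Wrap DER bytes in PEM armour (used only to build the sample below)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample: one well-formed block with stand-in bytes, and one block
# still holding placeholder text instead of base64.
SAMPLE_DER = b"\x30\x82\x00\x10" + b"constructed-demo"
SAMPLE_BUNDLE = to_pem(SAMPLE_DER) + (
    "-----BEGIN CERTIFICATE-----\n...hexstuff==\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    found, issues = bundle_fingerprints(SAMPLE_BUNDLE)
    print("fingerprints:", found)
    print("problems:", issues)
    print("wanted intermediate present:", bundle_contains(SAMPLE_BUNDLE, WANTED_SHA256))
```

To check a real bundle, pass the file's text to `bundle_contains` together with `WANTED_SHA256`. A match shows only that the certificate is in the file; Squid still has to be reloaded to pick it up.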