Health be upon you,
when visiting
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

on squid 4.15

it displays:


ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://wiki.squid-cache.org/*

    Failed to establish a secure connection to 104.130.201.120

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=R3

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is webmaster.

configuration:

http_port 3128 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB



acl     tls_s1_connect          at_step SslBump1
acl     tls_s2_client_hello     at_step SslBump2
acl     tls_s3_server_hello     at_step SslBump3

# define acls for sites that must not be actively bumped

acl     tls_allowed_hsts        ssl::server_name        .akamaihd.net
acl     tls_allowed_hsts        ssl::server_name        .proxy.skko.by
#acl    tls_server_is_bank      ssl::server_name        .abnamro.nl
#acl    tls_server_is_bank      ssl::server_name        .abnamro.com
acl     tls_server_is_bank      ssl::server_name        "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl     tls_to_splice   any-of  tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump        peek    tls_s1_connect  # peek at TLS/SSL connect data
ssl_bump        splice  tls_to_splice   # splice some: no active bump
ssl_bump        stare   all             # stare(peek) at server properties of the webserver
ssl_bump        bump    all             # bump if we can (if the stare succeeded); ssl_bump lines take an ACL, 'all' as in the Squid docs



#ssl_bump peek all
#ssl_bump splice all

##ssl_bump server-first all

#sslproxy_cert_error allow all



cache_dir ufs /var/cache/squid 8000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 960 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:                   1440    20%     10080
refresh_pattern ^gopher:                1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?)       0       0%      0
refresh_pattern .                       0       20%     4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
#debug_options ALL,1 33,2 28,9

What needs to be done to fix this?
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

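Added example (my own, not from the post above and not part of Squid or ufdbGuard). When a connection is bumped rather than spliced, it is the proxy, not the browser, that has to validate the upstream server certificate, and Squid does that with the OpenSSL trust store on the proxy host (or whatever tls_outgoing_options cafile=/capath= points at). X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY is OpenSSL error 20: the chain the server sent ends at an issuer that is not in that store. The script below builds a throw-away CA and a leaf it signs (constructed test data, nothing to do with Let's Encrypt; the names "Test issuer" and wiki.example.test are made up) and runs "openssl verify" with and without the issuer in the trust bundle, so you can see the same error 20 reproduced and then cleared. The system CApath/CAfile are disabled for the check so the result does not depend on the host it runs on.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces OpenSSL error 20
# (the condition Squid reports as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
# with a throw-away PKI, then shows the check passing once the issuer is
# in the trust bundle handed to "openssl verify".
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_CRT="$WORK/ca.pem"       # stands in for the upstream issuer CA
LEAF_CRT="$WORK/leaf.pem"   # stands in for the web server certificate

# Minimal OpenSSL config: explicit CA extensions, no dependence on the
# host's default openssl.cnf.
make_test_pki() {
    cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Test issuer
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA (constructed test data).
    openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$WORK/ca.key" -out "$CA_CRT" -subj "/CN=Test issuer" >/dev/null 2>&1
    # Leaf key + CSR, then sign it with the test CA.
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=wiki.example.test" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$CA_CRT" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$LEAF_CRT" >/dev/null 2>&1
}

# verify_leaf BUNDLE: validate the leaf against BUNDLE only ("" = no trust
# anchors at all). Prints "ok", or OpenSSL's reason text on failure.
verify_leaf() {
    bundle="$1"
    if [ -n "$bundle" ]; then
        out="$(openssl verify -no-CApath -no-CAfile -CAfile "$bundle" "$LEAF_CRT" 2>&1)" || true
    else
        out="$(openssl verify -no-CApath -no-CAfile "$LEAF_CRT" 2>&1)" || true
    fi
    case "$out" in
        *": OK"*) echo "ok" ;;
        *"unable to get local issuer certificate"*)
            # OpenSSL error 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
            echo "unable to get local issuer certificate" ;;
        *) echo "other: $out" ;;
    esac
}

make_test_pki
echo "issuer missing from trust bundle: $(verify_leaf "")"
echo "issuer present in trust bundle:   $(verify_leaf "$CA_CRT")"
```

On a proxy host the equivalent check is "openssl verify" (or "openssl s_client -connect host:443 -servername host") run as the Squid user against the bundle Squid actually uses; if that fails with error 20, either update the ca-certificates package so the issuer's root is present, or point Squid at a bundle that has it with something like `tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt` (Debian/Ubuntu path, an assumption; use capath= for a hashed directory). Do not reach for the commented-out `sslproxy_cert_error allow all`: it makes the error page disappear by telling Squid to accept any upstream certificate, and because bumped clients only ever see the proxy's own generated certificate they have no way of noticing a forged server behind it.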