Solved the issue with this guide:

https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html

but it needs different commands for Tumbleweed.

On 6/23/21 2:56 PM, Majed Zouhairy wrote:

Health be upon you,
When visiting
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
on Squid 4.15, it displays:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://wiki.squid-cache.org/*

     Failed to establish a secure connection to 104.130.201.120

The system returned:

    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=R3

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is webmaster.

configuration:

http_port 3128 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB

acl     tls_s1_connect          at_step SslBump1
acl     tls_s2_client_hello     at_step SslBump2
acl     tls_s3_server_hello     at_step SslBump3

# define acls for sites that must not be actively bumped

acl     tls_allowed_hsts        ssl::server_name        .akamaihd.net
acl     tls_allowed_hsts        ssl::server_name        .proxy.skko.by
#acl    tls_server_is_bank      ssl::server_name        .abnamro.nl
#acl    tls_server_is_bank      ssl::server_name        .abnamro.com
acl     tls_server_is_bank      ssl::server_name        "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl     tls_to_splice           any-of                  tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump    peek    tls_s1_connect  # peek at TLS/SSL connect data
ssl_bump    splice  tls_to_splice   # splice some: no active bump
ssl_bump    stare   all             # stare (peek) at server properties of the webserver
ssl_bump    bump                    # bump if we can (if the stare succeeded)



#ssl_bump peek all
#ssl_bump splice all

##ssl_bump server-first all

#sslproxy_cert_error allow all



cache_dir ufs /var/cache/squid 8000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 960 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:            1440    20%    10080
refresh_pattern ^gopher:        1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?)     0    0%    0
refresh_pattern .            0    20%    4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/
url_rewrite_children 16 startup=8 idle=2 concurrency=4 queue-size=64
#debug_options ALL,1 33,2 28,9

What needs to be done to fix this?
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
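An added shell lab, not code from the thread or from the linked guide, that reproduces the "certificate issuer (CA) not known" condition with throwaway certificates and shows the fix the guide applies (pointing Squid's outgoing TLS at the distro CA bundle). It assumes the openssl CLI is installed; the bundle paths it probes are assumed distro defaults.

```shell
#!/bin/sh
# Added lab script (not from the thread or the linked guide). Assumes the
# openssl CLI is installed; all certificates below are throwaway and built on
# the fly, and the CA bundle paths listed are assumed distro defaults.

# Build a throwaway PKI: a root CA, an unrelated CA, and a leaf signed by the root.
# Prints the directory holding ca.pem, other.pem and leaf.pem.
make_lab() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Lab/CN=Lab Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Lab/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=wiki.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    echo "$d"
}

# verify_leaf BUNDLE LEAF: prints "ok" when BUNDLE contains the issuer, otherwise the
# OpenSSL reason text; this is the library-level view of Squid's
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
verify_leaf() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

# First distro CA bundle that exists on this host (openSUSE, Debian, RHEL defaults; assumed).
find_ca_bundle() {
    for f in /etc/ssl/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    echo "no CA bundle found" >&2
    return 1
}

demo() {
    lab=$(make_lab)
    echo "bundle without issuer: $(verify_leaf "$lab/other.pem" "$lab/leaf.pem")"
    echo "bundle with issuer:    $(verify_leaf "$lab/ca.pem" "$lab/leaf.pem")"
    # Squid 4 directive that points outgoing TLS at the full distro bundle.
    if b=$(find_ca_bundle); then
        echo "squid.conf line: tls_outgoing_options cafile=$b"
    fi
    rm -rf "$lab"
}
demo
```

Run it once with and once without the issuing CA in the bundle to see the same failure Squid reports before the fix; the printed directive is what the guide's edit of squid.conf amounts to.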