Thank you to everyone who replied trying to help. I ended up using Apache with mod_proxy instead, so I am no longer stuck on this.
John

> On Oct 7, 2025, at 4:52 PM, Alex Rousskov <[email protected]> wrote:
>
> On 2025-10-07 14:01, John Brayton wrote:
>> Yes, curl trusts the same wildcard certificate when it is presented by an nginx server.
>
> How do you know that curl sees the same certificate chain in both tests?
>
> I am guessing that you have tried to use the same certificate chain in both Squid and nginx configurations, but the question is about what curl sees/gets.
>
> It is unlikely that curl would receive the same certificate chain but only trust the chain "presented by an nginx server". Most likely, something differs in those two chains/cases. For example, nginx sends an intermediate certificate as a part of that chain while Squid does not. Or the order of certificates in that chain differs. The pointers in my earlier response may help you tease out that critical difference.
>
> HTH,
>
> Alex.
>
>> On Tue, Oct 7, 2025 at 1:52 PM Alex Rousskov wrote:
>>>
>>> On 2025-10-07 13:21, John Brayton wrote:
>>>> I am setting up a Squid proxy server. It needs to be available on a public IP address, so I need traffic between the client and the proxy to be secure. I have a wildcard SSL certificate from a certificate authority (Namecheap). I have these files:
>>>>
>>>> - A key file with an RSA key
>>>> - A certificate file
>>>> - A certificate chain file, with the signing certificates from Namecheap
>>>> - A combined file that includes both the certificate file and the certificate chain file.
>>>>
>>>> All these files are in PEM format. I am trying to work out how to configure squid to use these files as expected. As it stands, I have:
>>>>
>>>> https_port 8888 tls-cert=/etc/squid/combined.pem tls-key=/etc/squid/key.pem
>>>>
>>>> When using a curl client, I issue this:
>>>>
>>>> curl -i -x https://[proxyhost]:8888 [website_url]
>>>>
>>>> I get this response:
>>>>
>>>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>>>> More details here: https://curl.se/docs/sslcerts.html
>>>>
>>>> curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
>>>>
>>>> I get the same error regardless of whether website_url is an HTTP URL or an HTTPS URL, so I assume the issue is not the website.
>>>>
>>>> How do I make the squid server trusted by clients?
>>>
>>> Does your curl client trust Namecheap? If not, see curl documentation mentioned in the error message you have quoted above. That documentation explains how to make curl (and other clients) trust a certificate authority that they do not already trust.
>>>
>>> The same documentation can be used to confirm that trusting Namecheap certificate authority is enough; see --proxy-cacert command line option.
>>>
>>> Using `openssl s_client` or examining curl-Squid traffic with a tool like Wireshark may help you see what certificate curl cannot validate. Newer curl versions support `curl --write-out '%{certs}'`, but I do not know whether `certs` write-out variable works for proxy certificates.
>>>
>>> HTH,
>>>
>>> Alex.
>>>
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
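Alex's advice in the thread is to find out what the two servers actually send rather than what their configs say. The following Python script is an added example, not code from the thread or from the Squid or curl projects: it splits two PEM chain dumps (for instance the output of `openssl s_client -showcerts` against the nginx port and against the Squid `https_port`), fingerprints each certificate, and reports whether the candidate chain omits a certificate or sends the same certificates in a different order, which are the two differences Alex names as typical causes of curl's error 60. The "certificates" embedded below are constructed base64 placeholders, not real X.509 data, and `proxyhost:8888` and the file name in the comment are assumptions taken from the thread.

```python
import base64
import hashlib
import re

# Matches every certificate block in a PEM dump, e.g. `openssl s_client -showcerts` output.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_chain(pem_text: str) -> list[bytes]:
    """Return the DER bytes of each certificate, in the order the server sent them."""
    return [base64.b64decode(m.group(1)) for m in PEM_CERT_RE.finditer(pem_text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of one certificate; stable across PEM re-wrapping."""
    return hashlib.sha256(der).hexdigest()


def compare_chains(reference_pem: str, candidate_pem: str) -> dict:
    """Compare the chain a known-good server sends (reference) with the chain under test.

    Reports chain lengths, certificates the candidate omits or adds, and whether
    the order matches. A missing intermediate, or a leaf that is not first, are
    the differences that usually make a client fail to build a trust path.
    """
    ref = [fingerprint(d) for d in split_pem_chain(reference_pem)]
    cand = [fingerprint(d) for d in split_pem_chain(candidate_pem)]
    return {
        "reference_len": len(ref),
        "candidate_len": len(cand),
        "missing_from_candidate": [f for f in ref if f not in cand],
        "extra_in_candidate": [f for f in cand if f not in ref],
        "same_order": ref == cand,
        "same_set": set(ref) == set(cand),
    }


def diagnose(reference_pem: str, candidate_pem: str) -> str:
    """One-line verdict for the comparison."""
    r = compare_chains(reference_pem, candidate_pem)
    if r["missing_from_candidate"]:
        n = len(r["missing_from_candidate"])
        return f"candidate omits {n} certificate(s) that the reference sends (missing intermediate?)"
    if r["same_set"] and not r["same_order"]:
        return "same certificates, different order (leaf must come first)"
    if r["same_order"]:
        return "chains are identical"
    return "candidate sends extra certificate(s) not in the reference"


# Constructed placeholder "certificates": base64 of a label, NOT real X.509 data.
def _placeholder_pem(label: str) -> str:
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = _placeholder_pem("leaf: *.example.invalid")
INTERMEDIATE = _placeholder_pem("intermediate: Example CA")

# What the working nginx server sends: leaf followed by intermediate (constructed).
NGINX_CHAIN = LEAF + INTERMEDIATE
# Two candidate Squid chains (constructed): intermediate missing, and order reversed.
SQUID_CHAIN_NO_INTERMEDIATE = LEAF
SQUID_CHAIN_REVERSED = INTERMEDIATE + LEAF

if __name__ == "__main__":
    # In practice the PEM text would be read from captures such as (assumed host/port):
    #   openssl s_client -connect proxyhost:8888 -showcerts </dev/null > squid_chain.txt
    cases = [
        ("no intermediate", SQUID_CHAIN_NO_INTERMEDIATE),
        ("reversed", SQUID_CHAIN_REVERSED),
        ("identical", NGINX_CHAIN),
    ]
    for name, chain in cases:
        print(f"{name}: {diagnose(NGINX_CHAIN, chain)}")
```

Fingerprinting the DER bytes rather than comparing PEM text makes the comparison immune to line-wrapping and whitespace differences between the two captures; once the script points at a specific missing or misplaced certificate, `openssl x509 -noout -subject -issuer` on that block tells you which file in the Squid `tls-cert` bundle needs attention.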
