I was able to get ssl to work before using test certs, and here is my output...
/usr/local/squid/sbin/squid -v Squid Cache: Version 2.5.STABLE3 configure options: --prefix=/usr/local/squid --enable-ssl
also used the ssl patch on the source then compiled.
Thanks very much for getting back so quickly!
jg
On Tuesday, August 26, 2003, at 08:07 PM, Henrik Nordstrom wrote:
The Thawte guide for Apache mod_ssl works just fine for Squid, and their instructions does generate a PEM formatted CSR... and Thawte gives you a PEM formatted certificate back if you follow this procedure.
The Apache guys have not confused the file formats. Apache mod_ssl wants PEM formatted certificates just as Squid. This is different from the DER format expected by many others but has the major benefit that the certificate can be exchanged in plain text email etc..
However, if you have a CA which insists in binary DER certificates then OpenSSL have options to convert these to/from PEM format if needed.
The error you are seeing probably means that your Squid binary is not SSL enabled.. what does "squid -v" say about your configure options? And is there any comments regarding configure options next to the https_port option in your squid.conf.default?
Regards Henrik
On Tuesday 26 August 2003 23.24, Jonathan Giles wrote:hello:
I have a working config for an https accel setup, but I have hit a big problem. I have looked over the lists and have not found how other people deal with this.
I work with Thawte.com to get other certs for other https (apache) servers, and they have told me they do not accept PEM anything. And I understand that the csr must be in PEM for a CA to issue a PEM crt. Thawte has told me it will be really hard to find a CA that accepts PEM.
How have other people here delt with this?
Here attached is Thawte's response to my request.
"Hi Jonathan
The PEM format requirement is misleading, as the PEM format mentioned actually refers to a standard DER format certificate, the guys developing the Apache standards seem to have confused the file types. Therefore since you are able to generate standard format CSRs, squid should also work with standard format certificates, even though Apache and squid are not the same they share the same openssl libraries.
What error message do you receive when you restart the daemon? Please send us the error logs."
Of course my logs just say Bungled conf file at the config
Aug 25 17:22:29 owa squid: Bungled squid.conf line 62: https_port 443 cert=/etc/openssl/certs/owa.clinedavis.com.test.crt key=/etc/openssl/private/owa.clinedavis.com.key
This is using the crt and key that was created using Thawte's directions.
Any suggestions would be greatly appreciated!
jg
---=---=--- Jonathan Giles Senior Unix Administrator Cline Davis Mann --- Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail. Please advise immediately if you or your employer do not consent to Internet e-mail of this kind. Opinions, conclusions, and other information in this message that do not relate to the official business of CDM shall be understood as neither given nor endorsed by it.
-- Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
---=---=--- Jonathan Giles Senior Unix Administrator Cline Davis Mann --- Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail. Please advise immediately if you or your employer do not consent to Internet e-mail of this kind. Opinions, conclusions, and other information in this message that do not relate to the official business of CDM shall be understood as neither given nor endorsed by it.