Re: [squid-users] Dynamic SSL Certificate Generation

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 25 Nov 2012 17:31:00 +1300

On 25/11/2012 6:57 a.m., Aleksandr Tatarinov wrote:
> I am trying to get SSL bumping to work on my CentOS system.
>
> I am using these options in my squid.conf
>
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> Here is the output of cache.log
>
> 2012/11/24 00:57:39| Starting Squid Cache version 3.2.3 for x86_64-unknown-linux-gnu...
> 2012/11/24 00:57:39| Process ID 53204
> 2012/11/24 00:57:39| Process Roles: master worker
> 2012/11/24 00:57:39| With 1024 file descriptors available
> 2012/11/24 00:57:39| Initializing IP Cache...
> 2012/11/24 00:57:39| DNS Socket created at [::], FD 5
> 2012/11/24 00:57:39| DNS Socket created at 0.0.0.0, FD 6
> 2012/11/24 00:57:39| Adding domain localdomain from /etc/resolv.conf
> 2012/11/24 00:57:39| Adding domain localdomain from /etc/resolv.conf
> 2012/11/24 00:57:39| Adding nameserver 192.168.253.2 from /etc/resolv.conf
> 2012/11/24 00:57:39| helperOpenServers: Starting 5/5 'ssl_crtd' processes
> (ssl_crtd):
> Uninitialized SSL certificate database directory:
> /usr/local/squid/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
> /usr/local/squid/var/lib/ssl_db".
> (ssl_crtd): Uninitialized SSL
> certificate database directory: /usr/local/squid/var/lib/ssl_db. To
> initialize, run "ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db".
> (ssl_crtd):
> Uninitialized SSL certificate database directory:
> /usr/local/squid/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
> /usr/local/squid/var/lib/ssl_db".
> 2012/11/24 00:57:39| Logfile: opening log daemon:/var/log/access.log
> 2012/11/24 00:57:39| Logfile Daemon: opening log /var/log/access.log
> 2012/11/24 00:57:39| Store logging disabled
> 2012/11/24 00:57:39| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2012/11/24 00:57:39| Target number of buckets: 1008
> 2012/11/24 00:57:39| Using 8192 Store buckets
> 2012/11/24 00:57:39| Max Mem size: 262144 KB
> 2012/11/24 00:57:39| Max Swap size: 0 KB
> 2012/11/24 00:57:39| Using Least Load store dir selection
> 2012/11/24 00:57:39| Set Current Directory to /var/cache/squid
> (ssl_crtd):
> Uninitialized SSL certificate database directory:
> /usr/local/squid/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s
> /usr/local/squid/var/lib/ssl_db".
> (ssl_crtd): Uninitialized SSL
> certificate database directory: /usr/local/squid/var/lib/ssl_db. To
> initialize, run "ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db".
> 2012/11/24 00:57:39| Loaded Icons.
> 2012/11/24 00:57:39| HTCP Disabled.
> 2012/11/24 00:57:39| Squid plugin modules loaded: 0
> 2012/11/24 00:57:39| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 19 flags=9
> 2012/11/24 00:57:39| WARNING: ssl_crtd #1 exited
> 2012/11/24 00:57:39| Too few ssl_crtd processes are running (need 1/5)
> 2012/11/24 00:57:39| Closing HTTP port [::]:3128
> 2012/11/24 00:57:39| storeDirWriteCleanLogs: Starting...
> 2012/11/24 00:57:39| Finished. Wrote 0 entries.
> 2012/11/24 00:57:39| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.2.3): Terminated abnormally.
> CPU Usage: 0.051 seconds = 0.023 user + 0.028 sys
> Maximum Resident Size: 44192 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
> total space in arena: 4908 KB
> Ordinary blocks: 4848 KB 8 blks
> Small blocks: 0 KB 1 blks
> Holding blocks: 664 KB 2 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 59 KB
> Total in use: 5512 KB 112%
> Total free: 59 KB 1%
>
> I see that it complains about the certificate db which is not initialized, so I run:
> [root_at_localhost ssl_cert]# /usr/lib/squid/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
> Initialization SSL db...
> /usr/lib/squid/ssl_crtd: Cannot create /usr/local/squid/var/lib/ssl_db
>
> I have the correct ownership and file permissions set to /usr/local/squid/var/lib/ssl_db
> [root_at_localhost ssl_cert]# ls -l /usr/local/squid/var/lib/
> total 4
> drwxr-xr-x. 2 proxy proxy 4096 Nov 24 00:48 ssl_db
>
> How can I get this to work?

group/other do not have write permissions so root cannot create things
in there. Try running the tool as the proxy user.

Amos
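The reply boils down to a precondition check on the certificate database directory: the account that runs the ssl_crtd helpers (cache_effective_user) has to own it and be able to write to it, and the initialisation run should happen under that same account so the files it creates end up with the right owner. The script below is an added example, not code from this thread or from the Squid project: it reads the sslcrtd_program and cache_effective_user directives out of a squid.conf, classifies the state of the directory the helper points at, and prints the initialisation command to run as the helper user. Everything in the demo at the bottom (the squid.conf contents, the scratch paths, the user name) is constructed for illustration; the fallback of "nobody" is Squid's compiled-in default for cache_effective_user.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from the Squid
# project: read the ssl_crtd helper settings out of a squid.conf and check
# whether the certificate database directory is in a state the helper user
# can use. The squid.conf contents, paths and user name in the demo at the
# bottom are constructed for illustration.

# Path given with "-s" on the sslcrtd_program line (empty if none).
ssl_db_dir() {
    awk '$1 == "sslcrtd_program" {
            for (i = 2; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
         }' "$1"
}

# Helper binary on the sslcrtd_program line (empty if none).
sslcrtd_binary() {
    awk '$1 == "sslcrtd_program" { print $2; exit }' "$1"
}

# User the helpers run as: cache_effective_user, or Squid's compiled-in
# default "nobody" when the directive is absent.
helper_user() {
    u=$(awk '$1 == "cache_effective_user" { print $2; exit }' "$1")
    echo "${u:-nobody}"
}

# Classify the database directory for the given user. Prints exactly one of:
#   missing           directory does not exist
#   wrong-owner:NAME  owned by NAME rather than the helper user
#   not-writable      owner has no write bit, so the helper cannot add certs
#   world-writable    any local account could plant a certificate file
#   ok
check_ssl_db() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo missing; return 0; }
    # ls -ld instead of stat(1), whose flags differ between GNU and BSD.
    perms=$(ls -ld "$dir" | awk '{ print $1 }')
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    [ "$owner" = "$user" ] || { echo "wrong-owner:$owner"; return 0; }
    [ "$(echo "$perms" | cut -c3)" = w ] || { echo not-writable; return 0; }
    [ "$(echo "$perms" | cut -c9)" != w ] || { echo world-writable; return 0; }
    echo ok
}

# Report on one squid.conf and, when the directory is usable, print the
# initialisation command to run as the helper user rather than as root, so
# the database files are owned by the account that will later use them.
report() {
    conf=$1
    dir=$(ssl_db_dir "$conf")
    user=$(helper_user "$conf")
    bin=$(sslcrtd_binary "$conf")
    [ -n "$dir" ] || { echo "no sslcrtd_program -s <dir> in $conf"; return 0; }
    state=$(check_ssl_db "$dir" "$user")
    echo "ssl_db=$dir user=$user state=$state"
    if [ "$state" = ok ]; then
        echo "suggest: su -s /bin/sh $user -c \"$bin -c -s $dir\""
    fi
}

# Demo on a constructed configuration in a scratch directory.
scratch=$(mktemp -d)
cat > "$scratch/squid.conf" <<EOF
cache_effective_user $(id -un)
http_port 3128 ssl-bump generate-host-certificates=on cert=$scratch/myCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s $scratch/ssl_db -M 4MB
sslcrtd_children 5
EOF
report "$scratch/squid.conf"            # state=missing
mkdir -m 700 "$scratch/ssl_db"
report "$scratch/squid.conf"            # state=ok, plus the su suggestion
rm -rf "$scratch"
```

Run it against the real squid.conf with `report /etc/squid/squid.conf` after sourcing the functions. The world-writable check is there because the ssl_db directory holds the leaf certificates the proxy will present to clients; it should be writable by the helper user only.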
Received on Sun Nov 25 2012 - 04:31:11 MST
