RE: [squid-users] ssl_crtd reporting certificate database as uninitialized

From: Jason A. Sloan <jason_sloan_at_oh.rr.com>
Date: Mon, 21 Jan 2013 17:16:15 -0500

Had some time to play around again. SELinux was the culprit: set to
permissive and it launched without issue. Now to sort out Kerberos.....

When I revisit SELinux (after Kerberos and ICAP) I'll mail back what I did
to make it SELinux friendly again.

> -----Original Message-----
> From: Jason A. Sloan [mailto:jason_sloan_at_oh.rr.com]
> Sent: Friday, January 11, 2013 5:30 PM
> To: 'Ahmed Talha Khan'
> Cc: 'squid-users_at_squid-cache.org'
> Subject: RE: [squid-users] ssl_crtd reporting certificate database as
> uninitialized
>
> So I found that the server comes up and stays up if I run:
>
> sudo -u squid /usr/sbin/squid -f /etc/squid/squid.conf
>
> or as root:
>
> /usr/sbin/squid -f /etc/squid/squid.conf
>
> # /usr/sbin/squid -f /etc/squid/squid.conf
> # ps -ef | grep squid
> root 30358 1 0 17:20 ? 00:00:00 /usr/sbin/squid -f /etc/squid/squid.conf
> squid 30360 30358 0 17:20 ? 00:00:00 (squid-1) -f /etc/squid/squid.conf
> squid 30361 30360 0 17:20 ? 00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
> squid 30362 30360 0 17:20 ? 00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
> squid 30363 30360 0 17:20 ? 00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
> squid 30364 30360 0 17:20 ? 00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
> squid 30365 30360 0 17:20 ? 00:00:00 (ssl_crtd) -d -s /var/squid/ssl_db -M 4MB -b 4096
> squid 30366 30360 0 17:20 ? 00:00:00 (logfile-daemon) /var/log/squid/access.log
> root 30368 29619 0 17:20 pts/0 00:00:00 grep squid
>
> So it appears the UID is not properly switching when running as root from
> startup?
>
> Contents of /etc/init.d/squid (no modifications made by me)
> http://pastebin.com/UeehzMH6
>
> squid.conf excerpt:
> cache_effective_user squid
> cache_effective_group squid
>
> > -----Original Message-----
> > From: Jason A. Sloan [mailto:jason_sloan_at_oh.rr.com]
> > Sent: Thursday, January 10, 2013 8:29 AM
> > To: 'Ahmed Talha Khan'
> > Cc: 'squid-users_at_squid-cache.org'
> > Subject: RE: [squid-users] ssl_crtd reporting certificate database as
> > uninitialized
> >
> > # pwd
> > /var
> > # ll
> > ...
> > drwxr-xr-x. 3 squid squid 4096 Jan 9 21:29 squid
> > ...
> > # cd squid
> > # ll
> > drwxr-xr-x. 3 squid nobody 4096 Jan 9 21:29 ssl_db
> > # cd ssl_db
> > # ll
> > drwxr-xr-x. 2 squid nobody 4096 Jan 9 21:29 certs
> > -rw-r--r--. 1 squid nobody 0 Jan 9 21:29 index.txt
> > -rw-r--r--. 1 squid nobody 8 Jan 9 21:29 serial
> > -rw-r--r--. 1 squid nobody 1 Jan 9 21:29 size
> >
> >
> > > -----Original Message-----
> > > From: Ahmed Talha Khan [mailto:auny87_at_gmail.com]
> > > Sent: Thursday, January 10, 2013 4:26 AM
> > > To: Jason A. Sloan
> > > Cc: squid-users_at_squid-cache.org
> > > Subject: Re: [squid-users] ssl_crtd reporting certificate database
> > > as uninitialized
> > >
> > > Are the parent directories of ssl_db writable by the squid user? You
> > > might want to look at that too.
> > >
> > > On Thu, Jan 10, 2013 at 7:40 AM, Jason A. Sloan
> > > <jason_sloan_at_oh.rr.com>
> > > wrote:
> > > > No joy.
> > > >
> > > > I initially ran the ssl_crtd command as root before using sudo to
> > > > run it as the squid user. Regardless I tried that to no avail.
> > > >
> > > > As root:
> > > >
> > > > Deleted existing ssl_db implementation.
> > > >
> > > > /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
> > > > Initialization SSL db...
> > > > Done
> > > >
> > > > chown -R squid:nobody ssl_db/
> > > >
> > > > Attempt to start died with same error message:
> > > > (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> > > > ...
> > > > FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> > > >
> > > > -----Original Message-----
> > > > From: Ahmed Talha Khan [mailto:auny87_at_gmail.com]
> > > > Sent: Wednesday, January 09, 2013 1:56 PM
> > > > To: Jason A. Sloan
> > > > Cc: squid-users_at_squid-cache.org
> > > > Subject: Re: [squid-users] ssl_crtd reporting certificate database
> > > > as uninitialized
> > > >
> > > > Try to create the ssl_db without sudo. There seems to be a
> > > > problem with the permissions on that directory. Also change the
> > > > group ownership of ssl_db to "nobody". I hope that helps.
> > > >
> > > > On Wed, Jan 9, 2013 at 11:38 PM, Jason A. Sloan
> > > > <jason_sloan_at_oh.rr.com>
> > > > wrote:
> > > >> I'm setting up dynamic SSL cert generation on a CentOS 6.3 (i686)
> > > >> platform but I can't seem to get ssl_crtd to believe it's initialized.
> > > >> Perhaps I'm missing something. Either way I could use another set
> > > >> of eyes / ideas.
> > > >>
> > > >> I have compiled the latest stable release (3.2.5) and installed it.
> > > >> Packaged release was not compiled with --enable-ssl-crtd.
> > > >>
> > > >> When starting squid I get a message in cache.log from ssl_crtd
> > > >> that it believes the SSL certificate database is uninitialized..
> > > >>
> > > >> However I have executed the following:
> > > >>
> > > >> sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
> > > >> Initialization SSL db...
> > > >> Done
> > > >>
> > > >> I can even execute ssl_crtd outside of squid and get a response..
> > > >>
> > > >> sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> > > >> new_certificate 13 host=test.com
> > > >> OK 1531
> > > >> -----BEGIN CERTIFICATE-----
> > > >> MIIBmDCC.
> > > >> -----END CERTIFICATE-----
> > > >> -----BEGIN PRIVATE KEY-----
> > > >> MIICdgIBADANBgkqhki.
> > > >> -----END PRIVATE KEY-----
> > > >> ^C
> > > >>
> > > >> I have even attempted to chmod -R 777 /var/squid/ssl_db with no
> > > >> success.
> > > >>
> > > >> 2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for
> > > >> i686-pc-linux-gnu...
> > > >> 2013/01/09 12:49:37 kid1| Process ID 26793
> > > >> 2013/01/09 12:49:37 kid1| Process Roles: worker
> > > >> 2013/01/09 12:49:37 kid1| With 16384 file descriptors available
> > > >> 2013/01/09 12:49:37 kid1| Initializing IP Cache...
> > > >> 2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
> > > >> 2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
> > > >> 2013/01/09 12:49:37 kid1| Adding domain gaming.local from
> > > >> /etc/resolv.conf
> > > >> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from
> > > >> /etc/resolv.conf
> > > >> 2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from
> > > >> /etc/resolv.conf
> > > >> 2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
> > > >> 2013/01/09 12:49:37 kid1| Logfile: opening log
> > > >> daemon:/var/log/squid/access.log
> > > >> 2013/01/09 12:49:37 kid1| Logfile Daemon: opening log
> > > >> /var/log/squid/access.log
> > > >> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> > > >> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> > > >> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> > > >> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> > > >> (ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
> > > >> 2013/01/09 12:49:37 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> > > >> 2013/01/09 12:49:37 kid1| Store logging disabled
> > > >> 2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> > > >> 2013/01/09 12:49:37 kid1| Target number of buckets: 1008
> > > >> 2013/01/09 12:49:37 kid1| Using 8192 Store buckets
> > > >> 2013/01/09 12:49:37 kid1| Max Mem size: 262144 KB
> > > >> 2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
> > > >> 2013/01/09 12:49:37 kid1| Using Least Load store dir selection
> > > >> 2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
> > > >> 2013/01/09 12:49:37 kid1| Loaded Icons.
> > > >> 2013/01/09 12:49:37 kid1| HTCP Disabled.
> > > >> 2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
> > > >> 2013/01/09 12:49:37 kid1| Adaptation support is off.
> > > >> 2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
> > > >> 2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
> > > >> 2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running (need 1/5)
> > > >> 2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
> > > >> 2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
> > > >> 2013/01/09 12:49:37 kid1| Finished. Wrote 0 entries.
> > > >> 2013/01/09 12:49:37 kid1| Took 0.00 seconds ( 0.00 entries/sec).
> > > >> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> > > >>
> > > >> Squid Cache (Version 3.2.5): Terminated abnormally.
> > > >> CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys
> > > >> Maximum Resident Size: 50304 KB
> > > >> Page faults with physical i/o: 0
> > > >> Memory usage for squid via mallinfo():
> > > >> total space in arena: 4784 KB
> > > >> Ordinary blocks: 4655 KB 8 blks
> > > >> Small blocks: 0 KB 0 blks
> > > >> Holding blocks: 7252 KB 6 blks
> > > >> Free Small blocks: 0 KB
> > > >> Free Ordinary blocks: 128 KB
> > > >> Total in use: 11907 KB 249%
> > > >> Total free: 128 KB 3%
> > > >>
> > > >> Full configure used in compile here:
> > > >> ./configure \
> > > >> --exec_prefix=/usr \
> > > >> --libexecdir=/usr/lib/squid \
> > > >> --includedir=/usr/include \
> > > >> --localstatedir=/var \
> > > >> --datadir=/usr/share/squid \
> > > >> --bindir=/usr/sbin \
> > > >> --sysconfdir=/etc/squid \
> > > >> --with-logdir='/var/log/squid' \
> > > >> --with-pidfile='/var/run/squid.pid' \
> > > >> --disable-dependency-tracking \
> > > >> --enable-arp-acl \
> > > >> --enable-follow-x-forwarded-for \
> > > >>
> > > >> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth" \
> > > >> --enable-auth-digest="password,ldap,eDirectory" \
> > > >> --enable-auth-ntlm="smb_lm,no_check,fakeauth" \
> > > >> --enable-auth-negotiate \
> > > >> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
> > > >> --enable-cache-digests \
> > > >> --enable-cachemgr-hostname=localhost \
> > > >> --enable-delay-pools \
> > > >> --enable-epoll \
> > > >> --enable-icap-client \
> > > >> --enable-ident-lookups \
> > > >> --with-large-files \
> > > >> --enable-linux-netfilter \
> > > >> --enable-referer-log \
> > > >> --enable-removal-policies="heap,lru" \
> > > >> --enable-snmp \
> > > >> --enable-ssl \
> > > >> --enable-ssl-crtd \
> > > >> --enable-storeio="aufs,diskd,ufs" \
> > > >> --enable-useragent-log \
> > > >> --enable-wccpv2 \
> > > >> --enable-esi \
> > > >> --with-aio \
> > > >> --with-default-user="squid" \
> > > >> --with-filedescriptors=16384 \
> > > >> --with-dl \
> > > >> --with-openssl \
> > > >> --with-pthreads
> > > >>
> > > >> Relevant squid.conf settings:
> > > >>
> > > >> # Squid normally listens to port 3128
> > > >> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer key=/etc/squid/squid.key
> > > >>
> > > >> # Squid SSL Certificate Daemon Options
> > > >> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
> > > >> sslcrtd_children 5
> > > >>
> > > >> Thanks in advance!
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > > -Ahmed Talha Khan
> > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > -Ahmed Talha Khan
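The thread ends with the database being fine and SELinux (not the ssl_db ownership) blocking ssl_crtd, which was "fixed" by going permissive. As an added example that is not from this thread or from Squid, the POSIX shell checker below does the pre-flight a defender would want first: it verifies the ssl_db layout ssl_crtd -c creates (certs/, index.txt, serial, size, as in the ll listing above), checks that the squid user can traverse every parent directory and write the db (the thread only chown'd ssl_db itself), and when those DAC checks pass it points at the SELinux audit log so the directory can be relabelled while enforcing stays on. The squid_cache_t labelling hint in the comments is an assumption, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: pre-flight checks for
# an ssl_crtd database before loosening SELinux.

# Run a command as user $1; no su needed when we already are that user.
as_user() {
    u=$1; shift
    if [ "$(id -un)" = "$u" ]; then "$@"; else su -s /bin/sh "$u" -c "$*"; fi
}

# check_ssl_db DIR USER: return 0 when the layout is complete and USER can
# traverse every parent directory and write DIR; otherwise print what fails
# and return 1. Parents matter: a chown -R on ssl_db does not fix /var/squid.
check_ssl_db() {
    db=$1; usr=$2; rc=0
    for f in certs index.txt serial size; do
        [ -e "$db/$f" ] || { echo "missing: $db/$f"; rc=1; }
    done
    p=$db
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        as_user "$usr" test -x "$p" || { echo "not searchable by $usr: $p"; rc=1; }
        p=$(dirname "$p")
    done
    as_user "$usr" test -w "$db" || { echo "not writable by $usr: $db"; rc=1; }
    return $rc
}

# selinux_hint DIR: when the DAC checks pass but ssl_crtd still reports the
# database as uninitialized, look for AVC denials instead of going permissive.
selinux_hint() {
    command -v getenforce >/dev/null 2>&1 || { echo "no SELinux tools"; return 0; }
    echo "SELinux mode: $(getenforce)"
    ls -dZ "$1" 2>/dev/null
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -c ssl_crtd -ts recent 2>/dev/null | tail -n 5
    fi
    # Assumed remedy (not from the thread): label the db like Squid's cache,
    # e.g. semanage fcontext -a -t squid_cache_t "/var/squid/ssl_db(/.*)?"
    # then restorecon -Rv /var/squid/ssl_db, and keep enforcing mode.
}

# Usage: sh check_ssl_db.sh /var/squid/ssl_db squid
if [ $# -eq 2 ]; then
    check_ssl_db "$1" "$2" && echo "DAC checks passed for $1" || selinux_hint "$1"
fi
```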
Received on Mon Jan 21 2013 - 22:16:24 MST

This archive was generated by hypermail 2.2.0 : Tue Jan 22 2013 - 12:00:04 MST