I've been struggling with Squid 4.13 on Ubuntu 20.04 for about a week now.
My latest (and hopefully last) problem is this:
FATAL: No valid signing certificate configured for HTTPS_port
and this is my line that says so:
https_port 0.0.0.0:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/usr/local/squid/etc/dhparam.pem
I've been looking around everywhere (at least it feels so), and even Squid's own wiki (https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit) is weird, because at the beginning they show how to make .pem files, but at the end of the document, where they show the example line, they are talking about .crt and .key and a totally different .pem file.
The only thing I changed was raising the bits to 4096.
So again, I'm lost!
Anybody know what they are talking about?
What's the right format and how to do it and... Ahh! Help?
Edit:
This is the "standard" configuration I'm using:
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access allow all
include /etc/squid/conf.d/*
https_port 0.0.0.0:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/usr/local/squid/etc/Root-ca-cert.pem cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/usr/local/squid/etc/dhparam.pem
The included configuration from /etc/squid/conf.d is a file called debian.conf:
#
# Squid configuration settings for Debian
#
# Logs are managed by logrotate on Debian
logfile_rotate 0
# For extra security Debian packages only allow
# localhost to use the proxy on new installs
#
#http_access allow localnet
As requested:
Aug 4 12:25:47 socks systemd[1]: Starting Squid Web Proxy Server...
Aug 4 12:25:52 socks squid[9474]: 2021/08/04 12:25:52| FATAL: No valid signing certificate configured for HTTPS_port 0.0.0.0:3128
Aug 4 12:25:52 socks squid: FATAL: No valid signing certificate configured for HTTPS_port 0.0.0.0:3128
Aug 4 12:25:52 socks squid[9474]: 2021/08/04 12:25:52| Squid Cache (Version 4.13): Terminated abnormally.
Aug 4 12:25:52 socks squid[9474]: CPU Usage: 5.132 seconds = 5.128 user + 0.004 sys
Aug 4 12:25:52 socks squid[9474]: Maximum Resident Size: 62224 KB
Aug 4 12:25:52 socks squid[9474]: Page faults with physical i/o: 0
Aug 4 12:25:52 socks systemd[1]: squid.service: Control process exited, code=exited, status=1/FAILURE
Aug 4 12:25:52 socks systemd[1]: squid.service: Failed with result 'exit-code'.
Aug 4 12:25:52 socks systemd[1]: Failed to start Squid Web Proxy Server.
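
Added example, not part of the original post and not Squid's own code: a pre-flight check for the cert=/key= files named on the https_port line. It assumes the usual requirements for an ssl-bump signing pair (both files PEM, the key unencrypted and matching the certificate, the certificate marked as a CA); the function name and return codes are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the cert=/key= pair of an ssl-bump port.
# Return codes (chosen for this example): 0 ok, 1 cert problem, 2 key problem,
# 3 key does not match cert, 4 cert is not a CA.
check_signing_pair() {
    cert=$1 key=$2

    # Both files must be readable by the account running the check;
    # run it as the user Squid runs as to catch permission problems.
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "cannot read $key" >&2; return 2; }

    # The certificate must parse as PEM X.509.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "$cert is not a PEM certificate" >&2; return 1; }

    # The key must parse without a passphrase (empty -passin avoids a prompt).
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "$key is not an unencrypted PEM private key" >&2; return 2; }

    # Same public key on both sides means the files belong together.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "key does not match certificate" >&2; return 3; }

    # Assumption: a certificate that signs generated host certificates
    # must carry basicConstraints CA:TRUE for clients to accept the chain.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "certificate lacks basicConstraints CA:TRUE" >&2; return 4; }

    echo "ok: $cert and $key form a usable CA pair"
}

# Usage with the paths from the https_port line in the post:
# check_signing_pair /usr/local/squid/etc/rootCA.crt /usr/local/squid/etc/rootCA.key
```

A non-zero return code narrows the problem to the certificate file, the key file, the pairing, or the CA flag before Squid is restarted.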