Score:0

Squid! FATAL: No valid signing certificate configured for HTTPS_port

ng flag

I've been struggling with Squid 4.13 on Ubuntu 20.04 for about a week now.

My latest (and hopefully last) problem is this:

FATAL: No valid signing certificate configured for HTTPS_port

and this is my line that says so:

https_port 0.0.0.0:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/usr/local/squid/etc/dhparam.pem

I've been looking around everywhere (at least it feels so), and even squids own wiki (https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit) are vierd? because in the beginning they show how to do .pem files, but in the end of the document where they show the example line, they are talking about .crt and .key and a total different .pem file..

The only thing I changed, was raising the bits to 4096

So again, I'm lost! Anybody know what they are talking about? What's the right format and how to do it and ...Ahh! help?

Edit: This is the "standard" configuration I'm using:

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access allow all

include /etc/squid/conf.d/*
https_port 0.0.0.0:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/usr/local/squid/etc/Root-ca-cert.pem  cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/usr/local/squid/etc/dhparam.pem

The included configuration from /etc/squid/conf.d is a file called debian.conf:

#
# Squid configuration settings for Debian
#

# Logs are managed by logrotate on Debian
logfile_rotate 0

# For extra security Debian packages only allow
# localhost to use the proxy on new installs
#
#http_access allow localnet

as requested:

Aug  4 12:25:47 socks systemd[1]: Starting Squid Web Proxy Server...
Aug  4 12:25:52 socks squid[9474]: 2021/08/04 12:25:52| FATAL: No valid signing certificate configured for HTTPS_port 0.0.0.0:3128
Aug  4 12:25:52 socks squid: FATAL: No valid signing certificate configured for HTTPS_port 0.0.0.0:3128
Aug  4 12:25:52 socks squid[9474]: 2021/08/04 12:25:52| Squid Cache (Version 4.13): Terminated abnormally.
Aug  4 12:25:52 socks squid[9474]: CPU Usage: 5.132 seconds = 5.128 user + 0.004 sys
Aug  4 12:25:52 socks squid[9474]: Maximum Resident Size: 62224 KB
Aug  4 12:25:52 socks squid[9474]: Page faults with physical i/o: 0
Aug  4 12:25:52 socks systemd[1]: squid.service: Control process exited, code=exited, status=1/FAILURE
Aug  4 12:25:52 socks systemd[1]: squid.service: Failed with result 'exit-code'.
Aug  4 12:25:52 socks systemd[1]: Failed to start Squid Web Proxy Server.
Michael Hampton avatar
cz flag
You showed a configuration for https_port, but that is not what it complained about. What did you configure for HTTPS_port?
JoBe avatar
ng flag
now I'm completely lost, that's the only port I have configured in squid.conf, are there more @Michael_Hampton ?
JoBe avatar
ng flag
He, just what I did, should have done it at the beginning
Michael Hampton avatar
cz flag
Something doesn't make sense here. You posted an error about HTTPS_port but you don't seem to have that anywhere in your configuration. What is going on here?
Michael Hampton avatar
cz flag
I've been going through the docs and I can't find anything about HTTPS_port; this doesn't seem to be valid at all. Are you sure this is actually the error you received? Now I suspect it is not. Please **copy and paste** the **complete** error message.
JoBe avatar
ng flag
I was collecting the log, I started to wonder why a test from a Russian page worked, so I changed the certificate to their specs, and it was 2k certs, and those worked, now I had a theory that squid couldn't handle 4k, and replaces mine with 2k, and now did I work. so I tested to replace those 2k certs with 4k's, one at a time, and suddenly it accepted those new 4k's, so apparently the error message was 100%correct, something must have been corrupt with the original 4k's, but of course a new issue arose: 192.168.0.2 TCP_DENIED_ABORTED/200 0 CONNECT 192.168.3.9:3130 - HIER_NONE/- - access.log
JoBe avatar
ng flag
..I've also attached requested log
Michael Hampton avatar
cz flag
Well that's very strange. I guess I will have to blame Squid for the confusion between HTTPS_port and https_port. I can't understand why they would do that; it just wastes time while people try to figure out what's going on. It also seems to be recent; older versions of squid correctly reported an error on https_port, not HTTPS_port.
Score:0
ng flag

Part of the solution was an ID 10 T issue, apparently the certificate was faulty, even thou tests said it was fine, but upon creating a new certificate it worked.

The later issue that arose about loop, was identified here: https://unix.stackexchange.com/questions/664236/squid-proxy-is-eating-up-its-own-resources-and-other-issues

and a new question layout was posted here: https://unix.stackexchange.com/questions/664669/squid-caught-in-loop-cert-error

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.