Cert download from AIA information succeeds yet Squid reports ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Cert download from AIA information succeeds yet Squid reports ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Ahmad, Sarfaraz

Hi,

I have set up Squid as an SSL MITM proxy.

I am also using the cert download feature with these configurations in my squid.conf:

acl cert_fetch transaction_initiator certificate-fetching
http_access allow cert_fetch

Websites whose certificates share AIA information using just the CA Issuers method work just fine.

But try this one, https://community.verizonwireless.com/welcome (this gets bumped in my setup).
Here the AIA information is provided using both the OCSP and CA Issuers methods.
From Squid's access logs, I can tell that the certificate gets downloaded:

1526964147.929    160 - TCP_MISS/200 1868 GET http://cacert.omniroot.com/vpssg142.crt - HIER_DIRECT/64.18.25.46 application/x-x509-ca-cert

But Squid still reports:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2

That is the only intermediate certificate needed in the chain. Here: https://www.ssllabs.com/ssltest/analyze.html?d=community.verizonwireless.com&latest

When I download the intermediate certificate locally and try connecting to the remote server using the openssl -CAfile option, OpenSSL reports OK (0).

openssl s_client -connect 204.93.84.201:443 -showcerts -CAfile vpssg142.crt -servername community.verizon.com

>>     Verify return code: 0 (ok)

Regards,

Sarfaraz



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
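To make the poster's openssl check reproducible offline, here is an added example that is not part of the thread and not Squid's own code. It generates a three-tier chain locally (every name and URI in it is made up), gives the leaf an AIA extension that carries both an OCSP entry and a CA Issuers entry as the Verizon certificate does, extracts only the CA Issuers URI (the one an issuer fetcher should follow; the OCSP URI is not a certificate), and then verifies the leaf with and without the intermediate, which reproduces the difference between error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) and OK:

```shell
#!/bin/sh
# Added example, not from the thread: a locally generated chain (all names
# and URIs are made up) showing what the openssl verification step in the
# post is actually testing.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed trust anchor)
cat > root.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 \
    -extfile root.ext 2>/dev/null

# Intermediate CA signed by the root: the certificate an AIA fetch should supply
cat > inter.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 1825 -extfile inter.ext 2>/dev/null

# Leaf signed by the intermediate, with AIA listing both access methods
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
subjectAltName=DNS:www.example.test
authorityInfoAccess=OCSP;URI:http://ocsp.example.test,caIssuers;URI:http://cacert.example.test/inter.crt
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out leaf.crt -days 365 -extfile leaf.ext 2>/dev/null

# Print only the CA Issuers URIs from a certificate's AIA extension,
# skipping the OCSP entries that an issuer fetcher must not follow.
aia_ca_issuers() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

# Verify a leaf against root.crt. The optional second argument is a file of
# untrusted intermediates (what an AIA fetch would add to the chain).
# Exit status is that of openssl verify.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
    fi
}

# Numeric X509_V_ERR_* code openssl verify reports for the bare leaf
# (20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the error in the thread).
verify_error_code() {
    openssl verify -CAfile root.crt "$1" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

echo "CA Issuers URI(s) in leaf: $(aia_ca_issuers leaf.crt)"
if verify_leaf leaf.crt; then
    echo "bare leaf: OK (unexpected)"
else
    echo "bare leaf: error $(verify_error_code leaf.crt) (issuer not available locally)"
fi
if verify_leaf leaf.crt inter.crt; then
    echo "leaf + fetched intermediate: OK"
fi
```

The two verify_leaf calls are the whole point: the same leaf fails with error 20 when the verifier only has the root, and passes once the intermediate named by the CA Issuers URI is handed to it as an untrusted certificate. Whatever is downloaded from that URI has to end up in the verifier's untrusted set for the bump to succeed; downloading it is not sufficient on its own.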
Re: Cert download from AIA information succeeds yet Squid reports ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Alex Rousskov
On 05/21/2018 10:59 PM, Ahmad, Sarfaraz wrote:

> Websites where certificates just share AIA information using CA-issuer
> method, those work just fine.
>
> But try this one, https://community.verizonwireless.com/welcome (this
> gets bumped in my setup)
>
> Here the AIA information is provided using both OCSP/CAissuer methods.
>
> From Squid's access logs, I can tell that the certificate gets downloaded.
>
> 1526964147.929    160 - TCP_MISS/200 1868 GET
> http://cacert.omniroot.com/vpssg142.crt - HIER_DIRECT/64.18.25.46
> application/x-x509-ca-cert
>
> But squid still reports:
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known:
> /C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2
>
> That is the only intermediate certificate needed in the chain.  Here:
> https://www.ssllabs.com/ssltest/analyze.html?d=community.verizonwireless.com&latest
>
> When I download the intermediate certificate locally and try connecting
> to the remote server using openssl -CAfile option, OpenSSL reports OK (0).
>
> openssl s_client -connect 204.93.84.201:443 -showcerts -CAfile
> vpssg142.crt -servername community.verizon.com
>
>>>     Verify return code: 0 (ok)


Nice triage! I do not know what went wrong, unfortunately. If you do not
find a solution on the mailing list, I recommend posting a bug report.
If possible, attach compressed partial cache.log (with debug_options set
to ALL,9) collected while reproducing the above problem without any
other transactions. This log might speed up resolution by exposing the
problem without the need to reproduce it locally.

Alex.