FATAL: No valid signing SSL certificate configured for https_port

FATAL: No valid signing SSL certificate configured for https_port

John Gardner-2
I wonder if some of you can help me in figuring out an issue.  For the
last three years, we've had a Squid Reverse Proxy running on
Oracle Linux 5 (64 bit) with version 2.6 of Squid (which came with the
distro) and it's been a total success and never missed a beat.

Now, I realised that this version is getting old so I thought I would
install a more recent version and get some more features as well.
I installed the 32 bit version of Eliezer's 3.4.3 RPM and managed to
get everything back up and running successfully.  However, when
I was testing this environment I noticed that every so often in the
log I got a FATAL: Received Segment Violation...dying. message and
then Squid just stopped responding. So, I then decided to build an
Oracle Linux version 6 instance and then install the 64 bit 3.4.3 RPM
on it, copying over all of the config and certificates.

Now I've got a new problem: although Squid now starts successfully
when I only put http_port into the squid.conf, when I add https_port
entries I get the following message:

FATAL: No valid signing SSL certificate configured for https_port
10.x.x.95:443 and Squid terminates.

Does anyone know why I'm getting this issue?  Would it be because in
moving from OEL 5 to OEL 6 I've also moved from OpenSSL 0.9.8 to
OpenSSL 1.0 and the certificate formats are now different, or is it
something else?

All help greatly appreciated.

John

Re: FATAL: No valid signing SSL certificate configured for https_port

talikarni
Here are my entries for ssl-bump:

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

In many cases you will need to recreate the certificates, as copying them
over does not always work, or they are tied to that specific machine via
encryption.

Also it helps to run the proxy on different ports such as 3128 or 8080
instead of trying to use 80 and 443, as those are for server based
websites, not proxies, and generally cause more problems in the long
run. Most servers see an incoming connection to port 80 or 443 and try
to respond via Apache.


Mike



Re: FATAL: No valid signing SSL certificate configured for https_port

Eliezer Croitoru
In reply to this post by John Gardner-2
On 06/29/2014 09:30 PM, John Gardner wrote:
> FATAL: No valid signing SSL certificate configured for https_port
> 10.x.x.95:443 and Squid terminates.

Can you share the relevant line from squid.conf? (replacing confidential
data)

(I am planning for the next release 3.4.6 to release an Oracle version of
the RPM but it will be only 6.5 compatible)

Eliezer

Re: FATAL: No valid signing SSL certificate configured for https_port

John Gardner-2
Eliezer

The line that was working but is now causing problems is:


https_port 10.x.x.95:443 accel
cert=/usr/newrprgate/CertAuth/cert/cert.crt
key=/usr/newrprgate/CertAuth/cert/key.pem
cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
options=NO_SSLv2 defaultsite=server_1.uk

John


Re: FATAL: No valid signing SSL certificate configured for https_port

Eliezer Croitoru
I would say +1 for binary search..
Remove all specials and make it:
https_port 10.x.x.95:443 accel
cert=/usr/newrprgate/CertAuth/cert/cert.crt
key=/usr/newrprgate/CertAuth/cert/key.pem defaultsite=server_1.uk

which will minimize it to a working setting that works on every linux
version with any openssl library I know of.

If it won't work I will verify that the certificates are in the right
format and if not convert them to the right format..

The alternative to that is to compile it from src on this or a similar
machine and find out if you have the same issue with a self-signed
certificate.

I have not tested it yet on my build node but unless something is really
odd it should work with no issues.

Eliezer


Re: FATAL: No valid signing SSL certificate configured for https_port

John Gardner-2
Eliezer

I have now re-created the SSL certificates by creating the CSR,
sending them to the CA and getting the new certificate back.
Unfortunately, I'm still getting the same error:

2014/07/01 19:14:47| Startup: Initializing Authentication Schemes ...
2014/07/01 19:14:47| Startup: Initialized Authentication Scheme 'basic'
2014/07/01 19:14:47| Startup: Initialized Authentication Scheme 'digest'
2014/07/01 19:14:47| Startup: Initialized Authentication Scheme 'negotiate'
2014/07/01 19:14:47| Startup: Initialized Authentication Scheme 'ntlm'
2014/07/01 19:14:47| Startup: Initialized Authentication.
2014/07/01 19:14:47| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2014/07/01 19:14:47| Processing: hosts_file /etc/hosts
2014/07/01 19:14:47| Processing: http_port X.X.X.90:80 accel
defaultsite=domain.local
2014/07/01 19:14:47| Processing: http_port X.X.X.95:80 accel
defaultsite=server_1.bbbb.co.uk
2014/07/01 19:14:47| Processing: https_port X.X.X.95:443 accel
cert=/usr/newrprgate/CertAuth/www_domain_info/14735441.crt
key=/usr/newrprgate/CertAuth/www_domain_info/domain_info_key.pem
defaultsite=server_1.bbbb.co.uk
2014/07/01 19:14:47| Processing: cache_peer X.X.125.205 parent 8025 0
no-query originserver name=server_1
2014/07/01 19:14:47| Processing: acl sites_server_1 dstdomain www.domain.info
2014/07/01 19:14:47| Processing: cache_peer_access server_1 allow sites_server_1
2014/07/01 19:14:47| Processing: cache_peer_access server_1 deny all
2014/07/01 19:14:47| Processing: http_port X.X.X.96:80 accel
defaultsite=server_2.bbbb.co.uk
2014/07/01 19:14:47| Processing: cache_peer X.X.125.2X parent 8026 0
no-query originserver name=server_2_http
2014/07/01 19:14:47| Processing: cache_peer X.X.125.2X parent 8061 0
no-query originserver  ssl sslflags=DONT_VERIFY_PEER
name=server_2_https
2014/07/01 19:14:47| Processing: acl sites_server_2 dstdomain
www.domainhomes.org.uk
2014/07/01 19:14:47| Processing: cache_peer_access server_2_http allow
sites_server_2
2014/07/01 19:14:47| Processing: cache_peer_access server_2_https
allow sites_server_2
2014/07/01 19:14:47| Processing: cache_peer_access server_2_http deny all
2014/07/01 19:14:47| Processing: cache_peer_access server_2_https deny all
2014/07/01 19:14:47| Processing: http_port X.X.X.97:80 accel
defaultsite=server_3.bbbb.co.uk
2014/07/01 19:14:47| Processing: cache_peer X.X.125.205 parent 8025 0
no-query originserver name=server_3_http
2014/07/01 19:14:47| Processing: cache_peer X.X.125.205 parent 8061 0
no-query originserver ssl sslflags=DONT_VERIFY_PEER
name=server_3_https
2014/07/01 19:14:47| Processing: acl sites_server_3 dstdomain www.domain2.info
2014/07/01 19:14:47| Processing: cache_peer_access server_3_http allow
sites_server_3
2014/07/01 19:14:47| Processing: cache_peer_access server_3_https
allow sites_server_3
2014/07/01 19:14:47| Processing: cache_peer_access server_3_http deny all
2014/07/01 19:14:47| Processing: cache_peer_access server_3_https deny all
2014/07/01 19:14:47| Processing: acl localnet src X.0.0.0/8    # RFCX8
possible internal network
2014/07/01 19:14:47| Processing: acl localnet src 172.X.0.0/12 # RFCX8
possible internal network
2014/07/01 19:14:47| Processing: acl localnet src 192.X8.0.0/X
# RFCX8 possible internal network
2014/07/01 19:14:47| Processing: acl localnet src fc00::/7       # RFC
4193 local private network range
2014/07/01 19:14:47| aclIpParseIpData: IPv6 has not been enabled.
2014/07/01 19:14:47| Processing: acl localnet src fe80::/X      # RFC
4291 link-local (directly plugged) machines
2014/07/01 19:14:47| aclIpParseIpData: IPv6 has not been enabled.
2014/07/01 19:14:47| Processing: acl SSL_ports port 443
2014/07/01 19:14:47| Processing: acl Safe_ports port 80         # http
2014/07/01 19:14:47| Processing: acl Safe_ports port 21         # ftp
2014/07/01 19:14:47| Processing: acl Safe_ports port 443                # https
2014/07/01 19:14:47| Processing: acl Safe_ports port 70         # gopher
2014/07/01 19:14:47| Processing: acl Safe_ports port 2X                # wais
2014/07/01 19:14:47| Processing: acl Safe_ports port X25-65535 #
unregistered ports
2014/07/01 19:14:47| Processing: acl Safe_ports port 280
 # http-mgmt
2014/07/01 19:14:47| Processing: acl Safe_ports port 488
 # gss-http
2014/07/01 19:14:47| Processing: acl Safe_ports port 591
 # filemaker
2014/07/01 19:14:47| Processing: acl Safe_ports port 777
 # multiling http
2014/07/01 19:14:47| Processing: acl CONNECT method CONNECT
2014/07/01 19:14:47| Processing: http_access deny !Safe_ports
2014/07/01 19:14:47| Processing: http_access deny CONNECT !SSL_ports
2014/07/01 19:14:47| Processing: http_access allow localhost manager
2014/07/01 19:14:47| Processing: http_access deny manager
2014/07/01 19:14:47| Processing: acl all_internet src all
2014/07/01 19:14:47| Processing: http_access allow tte_network
2014/07/01 19:14:47| Processing: http_access allow ltdc_network
2014/07/01 19:14:47| Processing: http_access allow lldc_network
2014/07/01 19:14:47| Processing: http_access allow fot_network
2014/07/01 19:14:47| Processing: http_access allow sth_network
2014/07/01 19:14:47| Processing: http_access allow dmz_network
2014/07/01 19:14:47| Processing: http_access allow all_internet
2014/07/01 19:14:47| Processing: http_access allow localnet
2014/07/01 19:14:47| Processing: http_access allow localhost
2014/07/01 19:14:47| Processing: http_access deny all
2014/07/01 19:14:47| Processing: http_port 8080
2014/07/01 19:14:47| Processing: coredump_dir /var/spool/squid
2014/07/01 19:14:47| Processing: refresh_pattern ^ftp:          1440
 20%     X080
2014/07/01 19:14:47| Processing: refresh_pattern ^gopher:       1440
 0%      1440
2014/07/01 19:14:47| Processing: refresh_pattern -i (/cgi-bin/|\?) 0
 0%      0
2014/07/01 19:14:47| Processing: refresh_pattern .              0
 20%     4320
2014/07/01 19:14:47| Processing: access_log
stdio:/var/log/squid/access_common.log common
2014/07/01 19:14:47| Processing: httpd_suppress_version_string on
2014/07/01 19:14:47| Processing: visible_hostname host.bbbb.co.uk
2014/07/01 19:14:47| Initializing https proxy context
2014/07/01 19:14:47| Initializing cache_peer server_2_https SSL context
2014/07/01 19:14:47| Initializing cache_peer server_3_https SSL context
2014/07/01 19:14:47| Initializing https_port X.X.X.95:443 SSL context
2014/07/01 19:14:47| Using certificate in
/usr/newrprgate/CertAuth/www_domain_info/14735441.crt
2014/07/01 19:14:47| storeDirWriteCleanLogs: Starting...
2014/07/01 19:14:47|   Finished.  Wrote 0 entries.
2014/07/01 19:14:47|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: No valid signing SSL certificate configured for https_port X.X.X.95:443
Squid Cache (Version 3.4.3): Terminated abnormally.
CPU Usage: 0.064 seconds = 0.051 user + 0.013 sys
Maximum Resident Size: 32032 KB
Page faults with physical i/o: 0

I think I might try the Oracle 6.5 repo version Squid 3.1 RPM which
comes with the distro first, before I start compiling a new version of
Squid.

John





Re: FATAL: No valid signing SSL certificate configured for https_port

Eliezer Croitoru
What is the output of "squid -v" when using 3.4.3?
I am not sure what the issue is and I can test it with my own
certificate later on.

If you see that I have not tested it yet in the next week try to send me
an email to remind me that it was not verified yet.

Eliezer


Re: FATAL: No valid signing SSL certificate configured for https_port

Eliezer Croitoru
In reply to this post by John Gardner-2
On 07/01/2014 09:25 PM, John Gardner wrote:
> Eliezer
>
> I have now re-created the SSL certificates by creating the CSR,
> sending the to the CA and getting the new certificate back.
> Unfortunately, I'm still getting the same error;

I have just understood something:
I did not release an Oracle 3.4.3 RPM but a 3.4.5 one, so the "squid -v"
output should be the first thing to verify.
Then the list of installed packages using:
"yum list installed"

Also just noticed..
Did you generate a PEM certificate from the CSR??

There is a very detailed process described at:
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

which also helps to create a rootCA, CSR and then a certificate.
It will probably not be authorized by your browser but will be accepted
by squid.

The wiki page will give you all the details you should know about the
process at a quick look.

Try to follow the instructions to make sure whether squid is working or
not working with some certificates.
I will try to provide later a certificate that works with my server (not
my real one...).

Eliezer

Re: FATAL: No valid signing SSL certificate configured for https_port

John Gardner-2
Eliezer

Agggghhhh! I've just found the problem... SELinux.  Despite me
initially running setenforce Permissive, I must have forgotten to set
it on reboot.

I'm now running the 3.4.5 RPM from here:
http://www1.ngtech.co.il/rpm/oracle/6/x86_64/

I apologise for wasting your time, it's now all running successfully.

Thanks

John


Re: FATAL: No valid signing SSL certificate configured for https_port

Eliezer Croitoru
In reply to this post by Eliezer Croitoru
OK,
I have tested a brand new 3.4.5 RPM that I have just built (not the one
that is in the repo but from the same SRPM) and it works just fine.
1404244361.354      3 192.168.10.99 TCP_MISS/500 4054 GET
https://192.168.10.124:8443/favicon.ico - HIER_NONE/- text/html

To verify it against your settings:
https_port 8443 accel cert=/etc/squid/cloud.ngtech.co.il.crt
key=/etc/squid/cloud.ngtech.co.il.key
cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
options=NO_SSLv2 defaultsite=server_1.uk

You can download the public and private key at:
http://www1.ngtech.co.il/squid/cert.tar

It's not a valid certificate due to the expiration date but it was in
use until somewhere in 2013.
.. Still runs.
My assumption is that instead of using a key and a certificate you are
using the CSR, which is only the middle of the process to get a valid key.

All The Bests,
Eliezer

P.S. I am working on the 3.4.6 RPM for CentOS 6 and Oracle 6 and it will
be probably released next week.

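
The CSR-versus-certificate mix-up Eliezer suspects here, and the "right format" check he proposed earlier in the thread, can both be caught before Squid is started by looking at the PEM labels in the cert= and key= files: Squid raises the same "No valid signing SSL certificate configured" message whatever the reason OpenSSL refused the file. The block below is an added example for this thread, not code from the thread, from the Squid project or from Eliezer's RPMs. The PEM bodies in it are constructed dummies rather than real key material, and the file names in the demo are placeholders.

```python
"""Classify the PEM files named in a Squid https_port line before starting Squid.

Added example for this thread (not Squid code). Squid reports
"No valid signing SSL certificate configured" whenever OpenSSL fails to
load cert= or key=, so it does not say whether the file is a CSR, a key
handed in as a certificate, an encrypted key, or not PEM at all.
"""
import re

# A PEM file is one or more "-----BEGIN X-----" ... "-----END X-----" blocks.
# The label X says what the object is; the headers of an encrypted key (if
# any) sit between BEGIN and the base64 body, so they end up in group 2.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def classify_cert(text):
    """Verdict for the file given as cert=: 'ok', 'csr', 'key-as-cert',
    'not-pem' or 'unexpected:<LABEL>'. The leaf certificate must come first;
    further blocks (intermediates) are allowed and not inspected here."""
    blocks = pem_blocks(text)
    if not blocks:
        return "not-pem"          # DER, empty, truncated, or the wrong file
    label = blocks[0][0]
    if label in CERT_LABELS:
        return "ok"
    if label == "CERTIFICATE REQUEST":
        return "csr"              # what you sent to the CA, not what it sent back
    if label in KEY_LABELS:
        return "key-as-cert"      # cert= and key= swapped
    return "unexpected:" + label


def classify_key(text):
    """Verdict for the file given as key=: 'ok', 'encrypted', 'cert-as-key',
    'csr', 'not-pem' or 'unexpected:<LABEL>'."""
    blocks = pem_blocks(text)
    if not blocks:
        return "not-pem"
    label, body = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        # Squid cannot type a passphrase at startup: decrypt the key or
        # configure sslpassword_program.
        return "encrypted"
    if label in KEY_LABELS:
        return "ok"
    if label in CERT_LABELS:
        return "cert-as-key"
    if label == "CERTIFICATE REQUEST":
        return "csr"
    return "unexpected:" + label


def check_https_port_files(cert_path, key_path):
    """Read both files and return {'cert': verdict, 'key': verdict}."""
    with open(cert_path, encoding="ascii", errors="replace") as fh:
        cert_verdict = classify_cert(fh.read())
    with open(key_path, encoding="ascii", errors="replace") as fh:
        key_verdict = classify_key(fh.read())
    return {"cert": cert_verdict, "key": key_verdict}


# Constructed samples: PEM framing around dummy bodies, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n"
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\nMIICdummy\n"
              "-----END CERTIFICATE REQUEST-----\n")
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "MIIEdummy\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Placeholder file names; the verdicts are what a cert=/key= pre-flight prints.
    for name, text in [("cert.crt", SAMPLE_CERT), ("request.csr", SAMPLE_CSR)]:
        print("%s as cert=: %s" % (name, classify_cert(text)))
    for name, text in [("key.pem", SAMPLE_KEY), ("key-enc.pem", SAMPLE_ENCRYPTED_KEY)]:
        print("%s as key=: %s" % (name, classify_key(text)))
```

Once both files carry the right labels, the OpenSSL CLI finishes the check: "openssl x509 -noout -modulus -in cert.crt | openssl md5" and "openssl rsa -noout -modulus -in key.pem | openssl md5" must print the same digest if the certificate and key belong together, and "openssl x509 -noout -dates -in cert.crt" shows the validity period (an expired certificate still loads, as Eliezer's own test above shows, so expiry is not the cause of this FATAL).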

Re: FATAL: No valid signing SSL certificate configured for https_port

Eliezer Croitoru
In reply to this post by John Gardner-2
It's ok.
But it shows one nasty thing:
squid doesn't show a "permission denied" error/output that could point
us to the issue at hand and verify why..

This is a BUG in my opinion but I do not know (yet) how to look at it.
It states that an error occurred but it seems like a syntax error to me
rather than an access error.

What do you think about the description of the bug?

Eliezer


Re: FATAL: No valid signing SSL certificate configured for https_port

Amos Jeffries
Unfortunately the details on errors available from OpenSSL are not
always very informative. If you could look into this Eliezer a patch
would be welcome, even if it just added some debugs lines suggesting
things to look at.

Amos


Re: FATAL: No valid signing SSL certificate configured for https_port

Eliezer Croitoru
Hey Amos,

I was thinking about something in the past and I will try my best to
understand what can be done.
Basically from what I understand even a read by squid is not possible
due to SELinux.
So by that: a simple file "open" for read test on the certificates or
even on any other settings-related files can help to identify
issues.

What do you think about a basic "read" (and maybe a stat on the file for
debug) test for all the main files?
Compared to squid load this would be a piece of cake.

Specifically for the certificate it is one thing, since OpenSSL doesn't
provide too much.

A pointer to find where the certificate read happens will be helpful.


On 07/02/2014 12:06 PM, Amos Jeffries wrote:
>
> Unfortunately the details on errors available from OpenSSL are not
> always very informative. If you could look into this Eliezer a patch
> would be welcome, even if it just added some debugs lines suggesting
> things to look at.
I will try to find the debug lines about permission denied and reading
errors.

Eliezer

>
> Amos


Re: FATAL: No valid signing SSL certificate configured for https_port

Amos Jeffries
The cache_cf.cc function DoConfigure is the best place to start for that
check currently. It contains some for-loops initializing each http_port
and https_port entry's SSL context. You may put the test directly in
those loops, or inside the SSL context setup function they call.

Amos
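
The stat()/open() test Eliezer proposes, and Amos locates in the https_port initialisation loops, can also be run from outside Squid as an operator's pre-flight check before a restart. The block below is an added example for this thread, not Squid code and not a patch to cache_cf.cc: it stats and opens each configured file, names the errno, compares the failure against the DAC permission bits for a given uid/gid, and reads the SELinux label from the security.selinux xattr, so that a denial like John's shows up as "DAC permits read but open failed" rather than as a certificate error. The paths in the demo are the ones from the https_port line quoted in the thread; the uid/gid to test against is assumed to be whatever Squid runs as on the box (its cache_effective_user), and the xattr read assumes Linux.

```python
"""Pre-flight stat()/open() check for the files Squid must read at startup.

Added example for this thread, not Squid code. It reports the errno symbol
and, on Linux with SELinux, the file's security label, which the generic
"No valid signing SSL certificate" message does not reveal.
"""
import errno
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class FileCheck:
    path: str
    ok: bool
    reason: str          # "ok" or an errno symbol such as "ENOENT", "EACCES"
    mode: int = 0        # permission bits, e.g. 0o600
    uid: int = -1        # owning uid
    gid: int = -1        # owning gid
    selinux: str = ""    # e.g. "system_u:object_r:cert_t:s0"; "" if unlabelled


def selinux_label(path):
    """SELinux context from the security.selinux xattr, "" if unavailable."""
    if not hasattr(os, "getxattr"):          # non-Linux Python has no xattr API
        return ""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:                          # no SELinux, or xattr unreadable
        return ""


def dac_readable_by(mode, file_uid, file_gid, uid, gid):
    """Classic Unix (DAC) read check for (uid, gid). Root bypasses DAC;
    SELinux (MAC) can still deny and is diagnosed separately."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_file(path):
    """stat() then open()+read(); record the errno symbol of whichever fails."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return FileCheck(path, False, errno.errorcode.get(exc.errno, str(exc.errno)))
    result = FileCheck(path, True, "ok", stat.S_IMODE(st.st_mode),
                       st.st_uid, st.st_gid, selinux_label(path))
    try:
        with open(path, "rb") as fh:
            fh.read(64)                      # touch the data, not just the inode
    except OSError as exc:
        result.ok = False
        result.reason = errno.errorcode.get(exc.errno, str(exc.errno))
    return result


def diagnose(fc, uid, gid):
    """One-line verdict separating missing files, DAC denials and MAC denials."""
    if fc.ok:
        return "ok"
    if fc.reason == "ENOENT":
        return "missing: path or filename wrong"
    if fc.reason != "EACCES":
        return "open failed: " + fc.reason
    if dac_readable_by(fc.mode, fc.uid, fc.gid, uid, gid):
        return ("DAC permits read but open failed: check SELinux "
                "(getenforce; ls -Z <file>; ausearch -m avc -c squid)")
    return "DAC denies read: fix owner/mode for uid %d" % uid


def demo_checks():
    """Constructed demo: one readable temp file and one missing path."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "cert.crt")
        with open(good, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n")
        return check_file(good), check_file(os.path.join(tmp, "missing.crt"))


if __name__ == "__main__":
    # The paths from the https_port line quoted in the thread, checked as the
    # current user; run it as the user Squid runs as for a meaningful answer.
    uid = os.geteuid() if hasattr(os, "geteuid") else 0
    gid = os.getegid() if hasattr(os, "getegid") else 0
    for p in ["/usr/newrprgate/CertAuth/cert/cert.crt",
              "/usr/newrprgate/CertAuth/cert/key.pem"]:
        fc = check_file(p)
        print(p, fc.reason, fc.selinux or "-", "->", diagnose(fc, uid, gid))
```

If the verdict is the SELinux one, the durable fix is a label Squid's policy may read (for example via semanage fcontext and restorecon on the certificate directory) rather than leaving the box in permissive mode, which is what the thread ended up with.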