Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
I've been trying to set up a Squid box to bump SSL requests via the tutorial on the Squid site and https://stackoverflow.com/questions/34398484/can-i-use-squid-to-upgrade-client-tls-connections

Unfortunately, when I run it, I get the following errors in my squid logs:

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.031 seconds = 0.026 user + 0.005 sys
Maximum Resident Size: 71792 KB
Page faults with physical i/o: 0
2017/09/11 12:42:19 kid1| Current Directory is /
2017/09/11 12:42:19 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2017/09/11 12:42:19 kid1| Service Name: squid
2017/09/11 12:42:19 kid1| Process ID 1711
2017/09/11 12:42:19 kid1| Process Roles: worker
2017/09/11 12:42:19 kid1| With 16384 file descriptors available
2017/09/11 12:42:19 kid1| Initializing IP Cache...
2017/09/11 12:42:19 kid1| DNS Socket created at [::], FD 6
2017/09/11 12:42:19 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/09/11 12:42:19 kid1| Adding domain marvel.nyc.ent from /etc/resolv.conf
2017/09/11 12:42:19 kid1| Adding nameserver 172.21.20.200 from /etc/resolv.conf
2017/09/11 12:42:19 kid1| Adding nameserver 172.21.20.201 from /etc/resolv.conf
2017/09/11 12:42:19 kid1| Adding nameserver 172.20.102.201 from /etc/resolv.conf
2017/09/11 12:42:19 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
2017/09/11 12:42:19 kid1| Logfile: opening log stdio:/var/log/squid/access.log
2017/09/11 12:42:19 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/09/11 12:42:19 kid1| Store logging disabled
2017/09/11 12:42:19 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/09/11 12:42:19 kid1| Target number of buckets: 1008
2017/09/11 12:42:19 kid1| Using 8192 Store buckets
2017/09/11 12:42:19 kid1| Max Mem  size: 262144 KB
2017/09/11 12:42:19 kid1| Max Swap size: 0 KB
2017/09/11 12:42:19 kid1| Using Least Load store dir selection
2017/09/11 12:42:19 kid1| Current Directory is /
2017/09/11 12:42:19 kid1| Finished loading MIME types and icons.
2017/09/11 12:42:19 kid1| HTCP Disabled.
2017/09/11 12:42:19 kid1| Squid plugin modules loaded: 0
2017/09/11 12:42:19 kid1| Adaptation support is off.
2017/09/11 12:42:19 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2017/09/11 12:42:19 kid1| WARNING: ssl_crtd #Hlpr1 exited
2017/09/11 12:42:19 kid1| Too few ssl_crtd processes are running (need 1/32)
2017/09/11 12:42:19 kid1| Closing HTTP port [::]:3128
2017/09/11 12:42:19 kid1| storeDirWriteCleanLogs: Starting...
2017/09/11 12:42:19 kid1|   Finished.  Wrote 0 entries.
2017/09/11 12:42:19 kid1|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

I ran the ssl_crtd command, though that didn't help. From Google, it seems other people have had this error, but I can't find a solution and hope someone may be able to advise me.

Thank you for any assistance.
Rohit Sodhia

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov
It tells you what happens.


11.09.2017 23:50, Rohit Sodhia writes:
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".




Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.


Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

Show output of

ls -al /var/lib/ssl_db



Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
total 8
drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
-rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
-rw-r--r--.  1 root root    1 Sep 11 12:42 size



Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

Here is the root of your problem.

Should be (on my setups):

# ls -al /var/lib/ssl_db
total 326
drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
-rw-r--r-- 1 squid squid      7 Sep 11 23:37 size

I.e. Squid has no access to SSL cache dir structures.



Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says

/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db

If this folder has incorrect permissions, are there possibly other permission issues?


Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

Most probably your squid runs as another user than squid.

Check your squid.conf for cache_effective_user and cache_effective_group values.

Then change SSL cache permissions to these values. Should work.



Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
Neither of those values is set in my config. Even though I'm not using squid for caching, do I need those values? They aren't set in the default configs either.


Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

I'm not a Linux fanboy, but modern squid never runs as root. So, most probably it runs as the nobody user.

Ah, yes:

#  TAG: cache_effective_user
#    If you start Squid as root, it will change its effective/real
#    UID/GID to the user specified below.  The default is to change
#    to UID of nobody.
#    see also; cache_effective_group
#Default:
# cache_effective_user nobody

#  TAG: cache_effective_group
#    Squid sets the GID to the effective user's default group ID
#    (taken from the password file) and supplementary group list
#    from the groups membership.
#
#    If you want Squid to run with a specific GID regardless of
#    the group memberships of the effective user then set this
#    to the group (or GID) you want Squid to run as. When set
#    all other group privileges of the effective user are ignored
#    and only this GID is effective. If Squid is not started as
#    root the user starting Squid MUST be member of the specified
#    group.
#
#    This option is not recommended by the Squid Team.
#    Our preference is for administrators to configure a secure
#    user account for squid with UID/GID matching system policies.
#Default:
# Use system group memberships of the cache_effective_user account

As documented. :)

AFAIK the best solution is to create a non-privileged group & user (like squid/squid) and set both these parameters explicitly.

Then change the owner recursively on the SSL cache to this user.


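Added example, not code from the thread or from the Squid project: a small sh audit that reads cache_effective_user and the -s path on the sslcrtd_program line from a squid.conf, then checks that the certificate database exists, is initialized (index.txt, size, certs) and is owned by that user, which is the mismatch Yuri describes. It assumes POSIX sh with awk, ls, id and mktemp; the squid.conf files and database directory at the bottom are constructed for the run, standing in for /etc/squid/squid.conf and /var/lib/ssl_db.

```shell
# Added example, not code from the thread or from the Squid project.
# Audits the ssl_crtd certificate database against the user Squid drops to.
# Assumes POSIX sh, awk, ls, id and mktemp; demo files are constructed below.

# Print the value of a squid.conf directive (first match), ignoring comments.
conf_value() {
    # $1 = squid.conf path, $2 = directive name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Database path given after -s on the sslcrtd_program line, falling back to
# the helper's own default of /var/lib/ssl_db (the path seen in the thread).
sslcrtd_db_path() {
    db=$(awk '$1 == "sslcrtd_program" {
                  for (i = 2; i <= NF; i++) if ($i == "-s") { print $(i + 1); exit }
              }' "$1")
    printf '%s\n' "${db:-/var/lib/ssl_db}"
}

# Owner of a path, read from ls so it works without GNU stat.
path_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Audit one squid.conf: one finding per line; returns 0 only when the
# database exists, is initialized and is owned by the effective user.
audit_ssl_db() {
    conf=$1
    user=$(conf_value "$conf" cache_effective_user)
    user=${user:-nobody}          # Squid's documented default when unset
    db=$(sslcrtd_db_path "$conf")
    rc=0
    if [ ! -d "$db" ]; then
        echo "MISSING: $db does not exist; initialize with ssl_crtd -c -s $db"
        return 1
    fi
    # ssl_crtd -c creates index.txt, size and certs/; without them the helper
    # exits with "Uninitialized SSL certificate database directory".
    for entry in index.txt size certs; do
        if [ ! -e "$db/$entry" ]; then
            echo "UNINITIALIZED: $db/$entry is missing; run ssl_crtd -c -s $db"
            rc=1
        fi
    done
    # The directory and everything in it must belong to the helper's user
    # (chown -R), otherwise it cannot write new certificates.
    for path in "$db" "$db"/index.txt "$db"/size "$db"/certs; do
        [ -e "$path" ] || continue
        owner=$(path_owner "$path")
        if [ "$owner" != "$user" ]; then
            echo "OWNER MISMATCH: $path is owned by $owner but Squid runs as $user"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $db is initialized and owned by $user"
    fi
    return "$rc"
}

# Constructed demo data: a throwaway database laid out like ssl_crtd -c does,
# one squid.conf pointing at it with the current user, one with user squid.
demo_dir=$(mktemp -d)
demo_db="$demo_dir/ssl_db"
mkdir -p "$demo_db/certs" && : > "$demo_db/index.txt" && echo 1 > "$demo_db/size"
me=$(id -un 2>/dev/null || id -u)
printf 'cache_effective_user %s\ncache_effective_group %s\nsslcrtd_program /usr/lib64/squid/ssl_crtd -s %s\n' \
    "$me" "$me" "$demo_db" > "$demo_dir/good.conf"
printf 'cache_effective_user squid\nsslcrtd_program /usr/lib64/squid/ssl_crtd -s %s\n' \
    "$demo_db" > "$demo_dir/mismatch.conf"

audit_ssl_db "$demo_dir/good.conf"                 # OK: ... owned by the current user
audit_ssl_db "$demo_dir/mismatch.conf" || echo "exit status $?"   # OWNER MISMATCH lines, status 1
```

Point it at the real files with `audit_ssl_db /etc/squid/squid.conf` on the proxy host; a non-zero exit means the helper will still fail to start.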

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
I'll try that immediately, thanks! I appreciate all your advice; hopefully I won't have to reach out again :p


Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
Unfortunately, no luck yet. Thank you again for your help before.

I found that the user squid and group squid existed already, so I added

cache_effective_user squid
cache_effective_group squid

to my config (first two lines), made sure /var/lib/ssl_db and its contents were set to squid:squid and restarted the service, but I'm still getting the same error :(


Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

Well. Let's check more deeply.

Show me the parameter sslcrtd_program in your squid.conf



If this folder has incorrect permissions are there possibly other permission issues?

On Mon, Sep 11, 2017 at 2:25 PM, Yuri <[hidden email]> wrote:

Here you root of problem.

Should be (on my setups):

# ls -al /var/lib/ssl_db
total 326
drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
-rw-r--r-- 1 squid squid      7 Sep 11 23:37 size

I.e. Squid has no access to SSL cache dir structures.


12.09.2017 0:23, Rohit Sodhia пишет:
total 8
drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
-rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
-rw-r--r--.  1 root root    1 Sep 11 12:42 size


On Mon, Sep 11, 2017 at 2:22 PM, Yuri <[hidden email]> wrote:

Show output of

ls -al /var/lib/ssl_db


12.09.2017 0:21, Rohit Sodhia пишет:
Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.

On Mon, Sep 11, 2017 at 2:17 PM, Yuri <[hidden email]> wrote:
It tells you what's happens.


11.09.2017 23:50, Rohit Sodhia пишет:
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users













_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

I used the line from the Stack Overflow question I linked earlier.

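The config line above names the certificate database the helper failed on earlier in this thread, and the diagnosis came down to that directory being owned by root while Squid ran as a different effective user. What follows is an added example, not code from the thread or from the Squid project: a POSIX shell audit that reads the sslcrtd_program and cache_effective_user lines from a squid.conf and checks that the database is initialized (certs/, index.txt and size present, as in Yuri's listing) and owned by that user. The function names are mine; the fallback user nobody is the default the squid.conf documentation gives for cache_effective_user; make_fixture builds a constructed squid.conf and database directory so the checks can run offline without touching /var/lib/ssl_db.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): audit the ssl_crtd
# certificate database that squid.conf points at. It checks the two conditions
# the thread's "Uninitialized SSL certificate database" and "Cannot create"
# errors came down to: the database is initialized, and it is owned by the
# user Squid actually runs as.

# Path given to "ssl_crtd -s <dir>" on the sslcrtd_program line.
ssl_db_path() {
    awk '$1 == "sslcrtd_program" {
             for (i = 2; i <= NF; i++) if ($i == "-s") { print $(i + 1); exit }
         }' "$1"
}

# cache_effective_user, falling back to the documented default "nobody".
effective_user() {
    u=$(awk '$1 == "cache_effective_user" { print $2; exit }' "$1")
    printf '%s\n' "${u:-nobody}"
}

# Owner name of a path; ls is used instead of stat so GNU and BSD agree.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_ssl_db <db-dir> <user>: 0 if the database is initialized and every
# piece is owned by <user>, 1 otherwise. Prints one line per problem found.
check_ssl_db() {
    db=$1; user=$2; rc=0
    for f in "$db" "$db/certs" "$db/index.txt" "$db/size"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f (initialize with: ssl_crtd -c -s $db, then chown -R $user $db)"
            rc=1
            continue
        fi
        o=$(owner_of "$f")
        if [ "$o" != "$user" ]; then
            echo "wrong owner on $f: $o (expected $user)"
            rc=1
        fi
    done
    return $rc
}

# audit_conf <squid.conf>: tie the pieces together for a real configuration.
audit_conf() {
    db=$(ssl_db_path "$1")
    if [ -z "$db" ]; then
        echo "no 'sslcrtd_program ... -s <dir>' line in $1"
        return 1
    fi
    check_ssl_db "$db" "$(effective_user "$1")"
}

# make_fixture: a constructed squid.conf (same sslcrtd_program form as in the
# thread) plus an initialized-looking database owned by the current user, so
# the checks can be demonstrated offline. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    printf 'cache_effective_user %s\nsslcrtd_program /usr/lib64/squid/ssl_crtd -s %s/ssl_db -M 4MB\n' \
        "$(id -un)" "$dir" > "$dir/squid.conf"
    # A second config without cache_effective_user, to show the nobody default.
    printf 'sslcrtd_program /usr/lib64/squid/ssl_crtd -s %s/ssl_db -M 4MB\n' \
        "$dir" > "$dir/minimal.conf"
    mkdir -p "$dir/ssl_db/certs"
    : > "$dir/ssl_db/index.txt"
    printf '0\n' > "$dir/ssl_db/size"
    printf '%s\n' "$dir"
}
```

On a real host, run `audit_conf /etc/squid/squid.conf` as root; each line it prints names the file to initialize or chown, and a clean exit means the helper should at least be able to open its database. The fixture exists only to exercise the checks and never touches the live directory.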
Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

Wait. Squid 3.5.20? So ancient?

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
I'll try to find it, but I read a few articles/SO questions that suggested there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be glad to go forward. Should I be removing the yum squid package and compile my own? Is 3.5 problematic besides being old?

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

It seems the latest 4.0.21 is good enough. Most critical SSL-related bugs are almost closed or closed.

At least the latest 3.5.27 is released. AFAIK this is the minimum for problem-free running.

Repository software sometimes has strange quirks, or is sometimes rancid.

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the problem?

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov
Hardly, most probably something in the repo's package. However, an upgrade is always recommended, especially with modern functionality. It changes fast enough.

12.09.2017 2:15, Rohit Sodhia writes:
Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the problem?

On Mon, Sep 11, 2017 at 4:07 PM, Yuri <[hidden email]> wrote:

Seems the latest 4.0.21 is good enough. Most critical SSL-related bugs are closed or almost closed.

At least the latest 3.5.27 is released. AFAIK this is the minimum for problem-free running.

Repository software sometimes has strange quirks, or is sometimes rancid.

12.09.2017 2:05, Rohit Sodhia writes:

I'll try to find it, but I read a few articles/SO questions that suggested there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be glad to go forward. Should I be removing the yum squid package and compile my own? Is 3.5 problematic besides being old?

On Mon, Sep 11, 2017 at 4:02 PM, Yuri <[hidden email]> wrote:

Wait. Squid 3.5.20? So ancient?


12.09.2017 1:58, Rohit Sodhia writes:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

I used the line from the Stack Overflow question I linked earlier.

On Mon, Sep 11, 2017 at 3:41 PM, Yuri <[hidden email]> wrote:

Well. Let's check more deeply.

Show me the sslcrtd_program parameter in your squid.conf


12.09.2017 1:23, Rohit Sodhia writes:
Unfortunately, no luck yet. Thank you again for your help before.

I found that the user squid and group squid existed already, so I added

cache_effective_user squid
cache_effective_group squid

to my config (first two lines), made sure /var/lib/ssl_db and its contents were set to squid:squid and restarted the service, but I'm still getting the same error :(

On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <[hidden email]> wrote:
I'll try that immediately, thanks! I appreciate all your advice; hopefully I won't have to reach out again :p

On Mon, Sep 11, 2017 at 2:39 PM, Yuri <[hidden email]> wrote:

I'm not a Linux fanboy, but modern squid never runs as root. So, most probably it runs as the nobody user.

Ah, yes:

#  TAG: cache_effective_user
#    If you start Squid as root, it will change its effective/real
#    UID/GID to the user specified below.  The default is to change
#    to UID of nobody.
#    see also; cache_effective_group
#Default:
# cache_effective_user nobody

#  TAG: cache_effective_group
#    Squid sets the GID to the effective user's default group ID
#    (taken from the password file) and supplementary group list
#    from the groups membership.
#
#    If you want Squid to run with a specific GID regardless of
#    the group memberships of the effective user then set this
#    to the group (or GID) you want Squid to run as. When set
#    all other group privileges of the effective user are ignored
#    and only this GID is effective. If Squid is not started as
#    root the user starting Squid MUST be member of the specified
#    group.
#
#    This option is not recommended by the Squid Team.
#    Our preference is for administrators to configure a secure
#    user account for squid with UID/GID matching system policies.
#Default:
# Use system group memberships of the cache_effective_user account

As documented. :)

AFAIK the best solution is to create a non-privileged group & user (like squid/squid) and set both these parameters explicitly.

Then change the owner recursively on the SSL cache to this user.


12.09.2017 0:36, Rohit Sodhia writes:
Neither of those values is set in my config. Even though I'm not using squid for caching, I need those values? They aren't set in the default configs either.

On Mon, Sep 11, 2017 at 2:33 PM, Yuri <[hidden email]> wrote:

Most probably your squid runs as a user other than squid.

Check your squid.conf for the cache_effective_user and cache_effective_group values.

Then change the SSL cache permissions to these values. Should work.


12.09.2017 0:30, Rohit Sodhia writes:
Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says

/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db

If this folder has incorrect permissions are there possibly other permission issues?

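The diagnosis in the message above has two parts: the ssl_crtd database directory has to be initialised (the certs/ directory plus the index.txt and size files that "ssl_crtd -c" creates), and everything under it has to be owned by the user Squid drops to (cache_effective_user, which the quoted squid.conf documentation says defaults to nobody). The following script is an added example, not code from the thread or from the Squid project, that checks both conditions and tells you which of the two ssl_crtd messages seen in the thread you are about to hit. It assumes the DB path and squid.conf path are passed in by the caller and takes the helper path from the sslcrtd_program line quoted in the thread; the "Cannot create" comment relies on the fact that "ssl_crtd -c" creates the directory itself and refuses to run when it already exists.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from the Squid
# project. Encodes the diagnosis above: the ssl_crtd database must have the
# layout "ssl_crtd -c" creates (certs/, index.txt, size) AND be owned by the
# user Squid drops to (cache_effective_user, default "nobody" per the
# squid.conf documentation quoted in the thread).
# Assumptions: DB path and squid.conf path are passed as arguments; the helper
# path defaults to the one from the thread's sslcrtd_program line.

SSL_CRTD="${SSL_CRTD:-/usr/lib64/squid/ssl_crtd}"

# 0 if DIR has the layout ssl_crtd -c creates, 1 otherwise.
ssl_db_initialised() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ] && [ -f "$1/size" ]
}

# 0 if USER exists, DIR exists and every entry below DIR is owned by USER
# (recursive, like the "chown -R" recommended in the thread); 1 otherwise.
ssl_db_owned_by() {
    dir="$1"; user="$2"
    id "$user" >/dev/null 2>&1 || return 1
    [ -d "$dir" ] || return 1
    [ "$(find "$dir" ! -user "$user" | wc -l)" -eq 0 ]
}

# Print the user Squid will run as: the last uncommented cache_effective_user
# directive in CONF, or "nobody" when the directive is absent.
effective_user_from_conf() {
    u=$(sed -n 's/^[[:space:]]*cache_effective_user[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    echo "${u:-nobody}"
}

# 0 when DIR is usable by USER; otherwise print why and return 1. The failure
# branches correspond to the ssl_crtd messages seen in the thread.
ssl_db_diagnose() {
    dir="$1"; user="$2"
    if ! ssl_db_initialised "$dir"; then
        if [ -d "$dir" ]; then
            # ssl_crtd -c does mkdir(DIR) itself and reports "Cannot create" when DIR already exists
            echo "$dir exists but lacks certs/, index.txt or size: move it aside, then run: $SSL_CRTD -c -s $dir -M 4MB"
        else
            echo "$dir missing: run as root: $SSL_CRTD -c -s $dir -M 4MB && chown -R $user:$user $dir"
        fi
        return 1
    fi
    if ! ssl_db_owned_by "$dir" "$user"; then
        echo "$dir is initialised but not fully owned by $user: chown -R $user:$user $dir"
        return 1
    fi
    echo "$dir is initialised and owned by $user"
}

# Real invocation (needs root for chown and a readable squid.conf):
#   ssl_db_diagnose /var/lib/ssl_db "$(effective_user_from_conf /etc/squid/squid.conf)"
```

Two caveats worth keeping in mind when the ownership check passes and the helper still dies: the helper is spawned by Squid after the drop to cache_effective_user, so running it by hand as that user (for example via sudo -u squid with the same -s path) reproduces what Squid's helper sees without guessing; and on a CentOS 7 host the trailing "." in the ls -al output means SELinux labels are in play, so a label that does not match the rest of /var/lib (check with ls -Z and ausearch -m avc) can block the helper even when user, group and mode are correct. The thread itself does not establish either of these as the cause; they are general checks.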
Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Rohit Sodhia
Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess I'll have to learn how to compile it myself; never compiled a package before.
