Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Previous Topic Next Topic
classic Classic list List threaded Threaded
22 messages Options
Reply | Threaded
Open this post in threaded view

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Yuri Voinov

Everything happens once for the first time;)

12.09.2017 2:18, Rohit Sodhia пишет:
Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so guess I'll have to learn how to compile it myself; never compiled a package before.

On Mon, Sep 11, 2017 at 4:17 PM, Yuri <[hidden email]> wrote:

most probably something in repo's package. However, upgrade is always recommended, especially with modern functionality. It changes fast enough.

12.09.2017 2:15, Rohit Sodhia пишет:
Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the problem?

On Mon, Sep 11, 2017 at 4:07 PM, Yuri <[hidden email]> wrote:

Seems latest 4.0.21 is good enough. Most critical SSL-related bugs almost closed or closed.

At least latest 3.5.27 is released. AFAIK this is minimum to problem-free running.

Repositories software sometimes has strange quirks, or sometimes rancid.

12.09.2017 2:05, Rohit Sodhia пишет:

I'll try to find it, but I read a few articles/SO questions that suggested there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be glad to go forward. Should I be removing the yum squid package and compile my own? Is 3.5 problematic besides being old?

On Mon, Sep 11, 2017 at 4:02 PM, Yuri <[hidden email]> wrote:

Wait. Squid 3.5.20? So ancient?

12.09.2017 1:58, Rohit Sodhia пишет:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

I used the line from the Stack Overflow question I linked earlier.

On Mon, Sep 11, 2017 at 3:41 PM, Yuri <[hidden email]> wrote:

Well. Let's check more deep.

Show me parameter sslcrtd_program in your squid.conf

12.09.2017 1:23, Rohit Sodhia пишет:
Unfortunately, no luck yet. Thank you again for your help before.

I found that the user squid and group squid existed already, so I added

cache_effective_user squid
cache_effective_group squid

to my config (first two lines), made sure /var/lib/ssl_db and it's contents were set to squid:squid and restarted the service, but I'm still getting the same error :(

On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <[hidden email]> wrote:
I'll try that immediately, thanks! I appreciate all your advice; hopefully I won't have to reach out again :p

On Mon, Sep 11, 2017 at 2:39 PM, Yuri <[hidden email]> wrote:

I'm not Linux fanboy, but modern squid never runs as root. So, most probably it runs as nobody user.

Ah, yes:

#  TAG: cache_effective_user
#    If you start Squid as root, it will change its effective/real
#    UID/GID to the user specified below.  The default is to change
#    to UID of nobody.
#    see also; cache_effective_group
# cache_effective_user nobody

#  TAG: cache_effective_group
#    Squid sets the GID to the effective user's default group ID
#    (taken from the password file) and supplementary group list
#    from the groups membership.
#    If you want Squid to run with a specific GID regardless of
#    the group memberships of the effective user then set this
#    to the group (or GID) you want Squid to run as. When set
#    all other group privileges of the effective user are ignored
#    and only this GID is effective. If Squid is not started as
#    root the user starting Squid MUST be member of the specified
#    group.
#    This option is not recommended by the Squid Team.
#    Our preference is for administrators to configure a secure
#    user account for squid with UID/GID matching system policies.
# Use system group memberships of the cache_effective_user account

As documented. :)

AFAIK best solution is create non-privileged group & user (like squid/squid) and set both this parameters explicity.

Then change owner recursively on SSL cache to this user.

12.09.2017 0:36, Rohit Sodhia пишет:
Neither of those values are set in my config. Even though I'm not using squid for caching, I need those values? They aren't set in the default configs either.

On Mon, Sep 11, 2017 at 2:33 PM, Yuri <[hidden email]> wrote:

Most probably you squid runs as another user than squid.

Check your squid.conf for cache_effective_user and cache_effective_group values.

Then change SSL cache permissions to this values. Should work.

12.09.2017 0:30, Rohit Sodhia пишет:
Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says

/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db

If this folder has incorrect permissions are there possibly other permission issues?

On Mon, Sep 11, 2017 at 2:25 PM, Yuri <[hidden email]> wrote:

Here you root of problem.

Should be (on my setups):

# ls -al /var/lib/ssl_db
total 326
drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
-rw-r--r-- 1 squid squid      7 Sep 11 23:37 size

I.e. Squid has no access to SSL cache dir structures.

12.09.2017 0:23, Rohit Sodhia пишет:
total 8
drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
-rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
-rw-r--r--.  1 root root    1 Sep 11 12:42 size

On Mon, Sep 11, 2017 at 2:22 PM, Yuri <[hidden email]> wrote:

Show output of

ls -al /var/lib/ssl_db

12.09.2017 0:21, Rohit Sodhia пишет:
Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.

On Mon, Sep 11, 2017 at 2:17 PM, Yuri <[hidden email]> wrote:
It tells you what's happens.

11.09.2017 23:50, Rohit Sodhia пишет:
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".

squid-users mailing list
[hidden email]

squid-users mailing list
[hidden email]

signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view

Re: Need assistance debugging Squid error: ssl_ctrd helpers crashing too quickly

Amos Jeffries
Hi guys,

  You got so close but not quite.


* check your running Squid to see what user account it is using. You
should not need to configure the effective user explicitly (unless it is
that 'nobody' account - best prevent that account from playing with cert

* Remove the ssl_db directory you have that was not working and create
one fresh with write permissions to the Squid user *and* group. Note
that is the top level ssl_db directory only.

* run restorecon on the new directory. This is needed for the create to
work properly when SELinux is present.

* then run the ssl_crtd command _as the Squid user account_ ("su squid"
or "sudo -i -u squid").

* run restorecon *again* on the formatted directory structure. This is
needed for the normal Squid uses to work properly when SELinux is present.

That should be all that is needed to use this helper.

As for upgrades, yes it would be a good idea regardless of this issue.
3.5.20 was July 2016 release[1] and its best not to be more than a month
or two behind with ssl-bump things. Eliezers packages[2] should be okay
if you want to avoid compiling.

[1] <>
[2] <> this page was
badly out of date sorry, now updated.

squid-users mailing list
[hidden email]