Re: squid-users Digest, Vol 31, Issue 9

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: squid-users Digest, Vol 31, Issue 9

stylemessiah
Are you creating the database as root or the squid user.....try as the squid user

On 3 March 2017 at 08:46, <[hidden email]> wrote:
Send squid-users mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."


Today's Topics:

   1. Re: squid 3.5.2==> HTTPS FATAL: The ssl_crtd helpers are
      crashing too rapidly, need help! (Yuri Voinov)


----------------------------------------------------------------------

Message: 1
Date: Fri, 3 Mar 2017 03:46:10 +0600
From: Yuri Voinov <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] squid 3.5.2==> HTTPS FATAL: The ssl_crtd
        helpers are crashing too rapidly, need help!
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"

This problem, in principle, is common to all versions of ssl-bumped
Squid from version 3.4 and 5.0, inclusive, and occurs when the stored
certificate is damaged for any reason. The only thing vorkeraund that I
could find - a monitor kesh.log and initialize the certificate database
again with squid restart automatically.

In some installations, this problem does not occur over the years. In
other - almost daily. I have no desire to find out why this is happening
exactly. For me it was easier to make the watchdog, which will follow up
on this.

03.03.2017 3:40, Yuri Voinov пишет:
>
> One hint finally:
>
> '([^ ]*) helper database ([^ ]*) failed: The SSL certificate database
> ([^ ]*) is corrupted. Please rebuild' - - - 0    exec
> "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
> 'FATAL: ([^ ]*) helpers are crashing too rapidly, need help!' - - -
> 0    exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
> 'Cannot add certificate to db.' - - - 0        exec
> "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
>
> PS. This is from logsurfer.conf.
>
>
> 03.03.2017 3:34, Yuri Voinov пишет:
>>
>> This error is usually preceded by another error in cache.log
>> associated with the certificates.
>>
>> I will show you the direction. Then go himself.
>>
>> This software will useful for you to solve:
>>
>> http://www.crypt.gen.nz/logsurfer/
>>
>> HTH, Yuri
>>
>>
>> 03.03.2017 2:47, --Ahmad-- пишет:
>>> hey folks .
>>> i have a problem with squid it get crashed after i enabled https !
>>> cache log error => FATAL: The ssl_crtd helpers are crashing too
>>> rapidly, need help!
>>>
>>> i googled many topics and relevant pages and couldnt find a
>>> clear solution .
>>>
>>> the quick solution i made was i  removed the certs in file :
>>> *rm -rfv /var/lib/ssl_db/*
>>> *
>>> *
>>> *then reinitiated the DB using cmd below :*
>>> /lib/squid/ssl_crtd -c -s /var/lib/ssl_db
>>> chown -R squid.squid /var/lib/ssl_db
>>> chown-R squid.squid /var/lib/ssl_db
>>>
>>> the restarted squid .
>>>
>>> but this is not a solution becuase squid get crashed again after
>>> certain time and i don’t know why !
>>> my version is 3.5.2
>>>
>>> here is squid.conf :
>>>  /etc/squid/squid.conf
>>> visible_hostname pcloud
>>> acl ip1 myip 10.1.0.1
>>> acl ip2 myip 192.168.10.210
>>> tcp_outgoing_address 192.168.10.210 ip1
>>> tcp_outgoing_address 192.168.10.210 ip2
>>> #
>>> # Recommended minimum configuration:
>>> #
>>>
>>> # Example rule allowing access from your local networks.
>>> # Adapt to list your (internal) IP networks from where browsing
>>> # should be allowed
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly
>>> plugged) machines
>>>
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> #
>>> # Recommended minimum Access Permission configuration:
>>> #
>>> # Deny requests to certain unsafe ports
>>> http_access deny !Safe_ports
>>>
>>> # Deny CONNECT to other than secure SSL ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow  CONNECT
>>> # Only allow cachemgr access from localhost
>>> http_access allow localhost manager
>>> http_access deny manager
>>>
>>> # We strongly recommend the following be uncommented to protect innocent

>>> # web applications running on the proxy server who think the only
>>> # one who can access services on "localhost" is a local user
>>> #http_access deny to_localhost
>>>
>>> #
>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>> #
>>>
>>> # Example rule allowing access from your local networks.
>>> # Adapt localnet in the ACL section to list your (internal) IP networks
>>> # from where browsing should be allowed
>>> http_access allow localnet
>>> http_access allow localhost
>>>
>>> # And finally deny all other access to this proxy
>>> http_access deny all
>>>
>>> # Squid normally listens to port 3128
>>> http_port 3128
>>>
>>> # Uncomment and adjust the following to add a disk cache directory.
>>> #cache_dir ufs /var/cache/squid 100 16 256
>>>
>>> # Leave coredumps in the first cache dir
>>> #coredump_dir /var/cache/squid
>>>
>>> #
>>> # Add any of your own refresh_pattern entries above these.
>>> #
>>> #
>>>
>>> http_port 3126
>>> #http_port 3128
>>> #######################################
>>> #cache_swap_low 90
>>> #cache_swap_high 95
>>> ############################
>>> cache_effective_user squid
>>> cache_effective_group squid
>>> memory_replacement_policy lru
>>> cache_replacement_policy heap LFUDA
>>> ########################
>>> maximum_object_size 10000 MB
>>> #cache_mem 5000 MB
>>> maximum_object_size_in_memory 10 MB
>>> #########################
>>> logfile_rotate 2
>>> max_filedescriptors 131072
>>> ###############################
>>> ############
>>> cache_dir aufs /var/cache/squid 600000 64 128
>>> #######################################
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB
>>> cert=/usr/local/squid/ssl_cert/myca.pem
>>> key=/usr/local/squid/ssl_cert/myca.pem
>>> ssl_bump server-first all
>>> sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>> sslcrtd_children 1000 startup=1 idle=1
>>> ###
>>> minimum_object_size 0 bytes
>>> #refresh patterns for caching static files
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
>>> override-expire ignore-no-cache ignore-no-store ignore-private
>>> refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200
>>> 90% 432000 override-expire ignore-no-cache ignore-no-store
>>> ignore-private
>>> refresh_pattern -i
>>> .(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200
>>> override-expire ignore-no-cache ignore-no-store ignore-private
>>> refresh_pattern -i .index.(html|htm)$ 0 40% 10080
>>> refresh_pattern -i .(html|htm|css|js)$ 1440 40% 40320
>>> refresh_pattern . 0 40% 40320
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> any Joy Guys ?
>>>
>>> should i update squid ? or downgrade squid ?
>>>
>>> kind regards
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> --
>> Bugs to the Future
>
> --
> Bugs to the Future

--
Bugs to the Future
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170303/f5499462/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170303/f5499462/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170303/f5499462/attachment.sig>

------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 31, Issue 9
******************************************



--
I hate to advocate drugs, alcohol, violence or
insanity to anyone, but they've always worked for me

- Hunter S. Thompson

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: squid-users Digest, Vol 31, Issue 9

Yuri Voinov



03.03.2017 10:24, Adrian Miller пишет:
Are you creating the database as root or the squid user.....try as the squid user
It will not work when created as root. Will be permission denied. crtd runs as squid, not as root.

On 3 March 2017 at 08:46, <[hidden email]> wrote:
Send squid-users mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."


Today's Topics:

   1. Re: squid 3.5.2==> HTTPS FATAL: The ssl_crtd helpers are
      crashing too rapidly, need help! (Yuri Voinov)


----------------------------------------------------------------------

Message: 1
Date: Fri, 3 Mar 2017 03:46:10 +0600
From: Yuri Voinov <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] squid 3.5.2==> HTTPS FATAL: The ssl_crtd
        helpers are crashing too rapidly, need help!
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"

This problem, in principle, is common to all versions of ssl-bumped
Squid from version 3.4 and 5.0, inclusive, and occurs when the stored
certificate is damaged for any reason. The only thing vorkeraund that I
could find - a monitor kesh.log and initialize the certificate database
again with squid restart automatically.

In some installations, this problem does not occur over the years. In
other - almost daily. I have no desire to find out why this is happening
exactly. For me it was easier to make the watchdog, which will follow up
on this.

03.03.2017 3:40, Yuri Voinov пишет:
>
> One hint finally:
>
> '([^ ]*) helper database ([^ ]*) failed: The SSL certificate database
> ([^ ]*) is corrupted. Please rebuild' - - - 0    exec
> "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
> 'FATAL: ([^ ]*) helpers are crashing too rapidly, need help!' - - -
> 0    exec "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
> 'Cannot add certificate to db.' - - - 0        exec
> "/usr/local/bin/crtd_create.sh -r >/dev/null 2>&1"
>
> PS. This is from logsurfer.conf.
>
>
> 03.03.2017 3:34, Yuri Voinov пишет:
>>
>> This error is usually preceded by another error in cache.log
>> associated with the certificates.
>>
>> I will show you the direction. Then go himself.
>>
>> This software will useful for you to solve:
>>
>> http://www.crypt.gen.nz/logsurfer/
>>
>> HTH, Yuri
>>
>>
>> 03.03.2017 2:47, --Ahmad-- пишет:
>>> hey folks .
>>> i have a problem with squid it get crashed after i enabled https !
>>> cache log error => FATAL: The ssl_crtd helpers are crashing too
>>> rapidly, need help!
>>>
>>> i googled many topics and relevant pages and couldnt find a
>>> clear solution .
>>>
>>> the quick solution i made was i  removed the certs in file :
>>> *rm -rfv /var/lib/ssl_db/*
>>> *
>>> *
>>> *then reinitiated the DB using cmd below :*
>>> /lib/squid/ssl_crtd -c -s /var/lib/ssl_db
>>> chown -R squid.squid /var/lib/ssl_db
>>> chown-R squid.squid /var/lib/ssl_db
>>>
>>> the restarted squid .
>>>
>>> but this is not a solution becuase squid get crashed again after
>>> certain time and i don’t know why !
>>> my version is 3.5.2
>>>
>>> here is squid.conf :
>>>  /etc/squid/squid.conf
>>> visible_hostname pcloud
>>> acl ip1 myip 10.1.0.1
>>> acl ip2 myip 192.168.10.210
>>> tcp_outgoing_address 192.168.10.210 ip1
>>> tcp_outgoing_address 192.168.10.210 ip2
>>> #
>>> # Recommended minimum configuration:
>>> #
>>>
>>> # Example rule allowing access from your local networks.
>>> # Adapt to list your (internal) IP networks from where browsing
>>> # should be allowed
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly
>>> plugged) machines
>>>
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> #
>>> # Recommended minimum Access Permission configuration:
>>> #
>>> # Deny requests to certain unsafe ports
>>> http_access deny !Safe_ports
>>>
>>> # Deny CONNECT to other than secure SSL ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow  CONNECT
>>> # Only allow cachemgr access from localhost
>>> http_access allow localhost manager
>>> http_access deny manager
>>>
>>> # We strongly recommend the following be uncommented to protect innocent

>>> # web applications running on the proxy server who think the only
>>> # one who can access services on "localhost" is a local user
>>> #http_access deny to_localhost
>>>
>>> #
>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>> #
>>>
>>> # Example rule allowing access from your local networks.
>>> # Adapt localnet in the ACL section to list your (internal) IP networks
>>> # from where browsing should be allowed
>>> http_access allow localnet
>>> http_access allow localhost
>>>
>>> # And finally deny all other access to this proxy
>>> http_access deny all
>>>
>>> # Squid normally listens to port 3128
>>> http_port 3128
>>>
>>> # Uncomment and adjust the following to add a disk cache directory.
>>> #cache_dir ufs /var/cache/squid 100 16 256
>>>
>>> # Leave coredumps in the first cache dir
>>> #coredump_dir /var/cache/squid
>>>
>>> #
>>> # Add any of your own refresh_pattern entries above these.
>>> #
>>> #
>>>
>>> http_port 3126
>>> #http_port 3128
>>> #######################################
>>> #cache_swap_low 90
>>> #cache_swap_high 95
>>> ############################
>>> cache_effective_user squid
>>> cache_effective_group squid
>>> memory_replacement_policy lru
>>> cache_replacement_policy heap LFUDA
>>> ########################
>>> maximum_object_size 10000 MB
>>> #cache_mem 5000 MB
>>> maximum_object_size_in_memory 10 MB
>>> #########################
>>> logfile_rotate 2
>>> max_filedescriptors 131072
>>> ###############################
>>> ############
>>> cache_dir aufs /var/cache/squid 600000 64 128
>>> #######################################
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB
>>> cert=/usr/local/squid/ssl_cert/myca.pem
>>> key=/usr/local/squid/ssl_cert/myca.pem
>>> ssl_bump server-first all
>>> sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>> sslcrtd_children 1000 startup=1 idle=1
>>> ###
>>> minimum_object_size 0 bytes
>>> #refresh patterns for caching static files
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
>>> override-expire ignore-no-cache ignore-no-store ignore-private
>>> refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200
>>> 90% 432000 override-expire ignore-no-cache ignore-no-store
>>> ignore-private
>>> refresh_pattern -i
>>> .(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200
>>> override-expire ignore-no-cache ignore-no-store ignore-private
>>> refresh_pattern -i .index.(html|htm)$ 0 40% 10080
>>> refresh_pattern -i .(html|htm|css|js)$ 1440 40% 40320
>>> refresh_pattern . 0 40% 40320
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> any Joy Guys ?
>>>
>>> should i update squid ? or downgrade squid ?
>>>
>>> kind regards
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> --
>> Bugs to the Future
>
> --
> Bugs to the Future

--
Bugs to the Future
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170303/f5499462/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170303/f5499462/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170303/f5499462/attachment.sig>

------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 31, Issue 9
******************************************



--
I hate to advocate drugs, alcohol, violence or
insanity to anyone, but they've always worked for me

- Hunter S. Thompson


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

--
Bugs to the Future

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

0x613DEC46.asc (2K) Download Attachment
signature.asc (484 bytes) Download Attachment
Loading...