SSL reverse proxy cert error


SSL reverse proxy cert error

Hariharan Sethuraman
Hi All,

I have my https_port 443 in reverse proxy. When a client sends a GET request, the rewrite correctly rewrites the URL and that rewritten GET request fails with the error below.
2018/09/05 03:03:38| Error negotiating SSL on FD 15: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)

I don't know where to add the trusted certificates, because I don't know where to specify the trusted certificates in the /etc/ssl/certs directory.

I have two ways to support: 
1) I may have cache_peer parent proxy (next proxy to internet)
2) I don't need to give any parent proxy (because this host is connected to the internet without a next proxy)

Thanks,
Hari

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL reverse proxy cert error

Amos Jeffries
Administrator
On 5/09/18 4:05 PM, Hariharan Sethuraman wrote:

> Hi All,
>
> I have my https_port 443 in reverse proxy. When a client sends a GET
> request, the rewrite correctly rewrites the URL and that rewritten GET
> request fails with the error below.
> 2018/09/05 03:03:38| Error negotiating SSL on FD 15: error:14007086:SSL
> routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
>
> I don't know where to add the trusted certificates, because I don't know
> where to specify the trusted certificates in the /etc/ssl/certs directory.
>
> I have two ways to support: 
> 1) I may have cache_peer parent proxy (next proxy to internet)

For reverse-proxy the peer should be (or be towards) the origin. Not
towards the public Internet.

Use the cache_peer tls-ca= option to tell Squid which specific CA that
peer/origin is supposed to be using.


> 2) I don't need to give any parent proxy (because this host is connected
> to the internet without a next proxy)

For connections directly to the Internet (which a reverse-proxy cannot
make without being forced) the global "Trusted CA" set is used by default;
there is nothing to be done in that regard.

You can choose to disable them with:

  tls_outgoing_options default-ca=off


If you need to make Squid trust a specific CA which is not one of the
global trusted set (eg private for your use, or self-signed) then use:

  tls_outgoing_options cafile=/path/to/ca.pem


You can also combine the above settings so that only the few global CAs
which you actually trust get loaded. The cafile= option can be repeated in
Squid-4 to load multiple CA details.

Amos
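The two layouts Amos describes, written out as an added squid.conf fragment (not from the thread or the Squid project); the hostnames, file paths and peer name are placeholders, the `accel`/`originserver` and `tls-cert=`/`tls-key=` spellings are assumed Squid-4 names, and `tls-cafile=` is assumed to be the cache_peer option Amos refers to as `tls-ca=`.

```conf
# Added example, not part of the thread. Placeholder names and paths;
# Squid-4 option spellings assumed (tls-cafile= taken to be Amos's tls-ca=).

# Reverse-proxy listener: Squid terminates the public TLS session here.
https_port 443 accel defaultsite=www.example.com \
    tls-cert=/etc/squid/certs/www.example.com.crt \
    tls-key=/etc/squid/certs/www.example.com.key

acl origin_site dstdomain www.example.com
http_access allow origin_site
http_access deny all

# Layout 1 from the thread: a cache_peer pointing at (or towards) the
# origin, not at the public Internet. tls-cafile= pins the one CA this
# origin is expected to chain to, so a "certificate verify failed" on this
# peer means the origin presented a chain outside that CA, not that a
# global root is missing.
cache_peer origin.internal parent 443 0 no-query originserver \
    name=origin tls tls-cafile=/etc/squid/certs/internal-ca.pem
cache_peer_access origin allow origin_site
cache_peer_access origin deny all

# Layout 2 from the thread: no peer, Squid connects directly. The global
# trusted CA set is used by default; this only ADDS a private or
# self-signed CA on top of it (cafile= may be repeated on Squid-4).
tls_outgoing_options cafile=/etc/squid/certs/internal-ca.pem

# Stricter variant of layout 2: drop the global set and trust only the
# listed CA(s). Keeps the proxy from accepting an origin certificate issued
# by any public CA it has no business trusting. Use instead of the line
# above, not together with it:
# tls_outgoing_options default-ca=off cafile=/etc/squid/certs/internal-ca.pem
```

Pick one of the two layouts: tls_outgoing_options governs Squid's direct outbound connections, while a cache_peer carries its own tls-* options.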