TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

L. A. Walsh
Got an error message from squid where I'm doing https-bumping:

--------------------------
The following error was encountered while trying to retrieve the URL:
https://help.ea.com/

    *Failed to establish a secure connection to 52.0.220.87*

The system returned:

    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known:
    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
    Class 3 Secure Server CA - G4

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the
remote host does not support secure connections, or the proxy is not
satisfied with the host security credentials.

--------------------------------

Googling found:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Howto-fix-X509-V-ERR-UNABLE-TO-GET-ISSUER-CERT-LOCALLY-Squid-error-td4682015.html

Used openssl.com to get the intermediate certs (2 hosts are referenced
in parallel chains).  The two certs looked like:

-----BEGIN CERTIFICATE-----
...hexstuff==
-----END CERTIFICATE-----


Added the certs to a file and that filename to my squid.conf on a line:

sslproxy_foreign_intermediate_certs /etc/squid/ssl_intermediates/cert.pem

restarted squid, but am still getting same error.

Am I missing some obvious step?

Looking for a clue... ;-)

Thanks!
-l
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri Voinov


08.09.2017 3:14, L A Walsh wrote:

> Am I missing some obvious step?
Yup :)

#  TAG: sslproxy_foreign_intermediate_certs
#    Many origin servers fail to send their full server certificate
#    chain for verification, assuming the client already has or can
#    easily locate any missing intermediate certificates.
#
#    Squid uses the certificates from the specified file to fill in
#    these missing chains when trying to validate origin server
#    certificate chains.
#
#    The file is expected to contain zero or more PEM-encoded
#    intermediate certificates. These certificates are not treated
#    as trusted root certificates, and any self-signed certificate in
#    this file will be ignored.
#Default:
# none

>
> Looking for a clue... ;-)
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit?highlight=%28Ssl%29%7C%28Bump%29%7C%28explicit%29#Missing_intermediate_certificates


Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri Voinov
In reply to this post by L. A. Walsh
Ooooops,

Missed the end of the message :)

Check the whole CA chain. It is possible your root CA bundle is not complete.

I usually use the root CAs from Mozilla (added to squid.conf as one file)
and my own self-maintained list of intermediate CAs (file).

But in addition I'm using Squid 5.x with a working certificate downloader ;)


Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri Voinov
Also, Symantec's roots may already have been removed from most bundles (you
should have heard about it, haven't you?).

So it may be necessary to add Symantec's root(s) manually to the proxy's
root CA bundle.


Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Rafael Akchurin
In reply to this post by L. A. Walsh
Hello LA, Yuri,

The server analysis at https://www.ssllabs.com/ssltest/analyze.html?d=help.ea.com&s=52.0.220.87&latest shows the certificate chain presented by the remote server is indeed incomplete, specifically the following certificate is not presented:

---
Symantec Class 3 Secure Server CA - G4
Fingerprint SHA256: eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
Pin SHA256: 9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=
RSA 2048 bits (e 65537) / SHA256withRSA
---

Adding it to the intermediate certificate file as indicated on https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html#way-1-add-missing-certificate-to-squid-web-safety-5-1-recommended and reloading Squid 3.5.23 allows the site to be seen and bumped successfully.

Our UI generates exactly the same config setting as you have tried:
sslproxy_foreign_intermediate_certs /opt/websafety/etc/squid/foreign_intermediate_certs.pem

So it must be working :)

Best regards,
Rafael Akchurin
Diladele B.V.
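
The failure Linda hit, and the two fixes Yuri and Rafael describe, reproduced offline as an added example (this is not code from the thread, from Squid or from Diladele). It builds a throwaway root -> intermediate -> leaf hierarchy with the openssl CLI and verifies the leaf three ways: `-CAfile` stands in for the proxy's trusted root bundle (sslproxy_cafile in Squid 3.5) and `-untrusted` for the file named by sslproxy_foreign_intermediate_certs. All names, paths and certificates are constructed here; the third case, a bundle that does not contain the issuing root at all, is the situation Yuri raises about Symantec roots being dropped from bundles.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: reproduce
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY offline with a throwaway
# root -> intermediate -> leaf chain, then verify the leaf three ways.
#   -CAfile FILE     plays the role of the proxy's trusted root bundle
#   -untrusted FILE  plays the role of sslproxy_foreign_intermediate_certs
# Everything below (names, paths, the CA hierarchy) is constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_chain() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:help.example.test
EOF
    # Two self-signed roots: "good" issues our intermediate; "other" stands in
    # for a root bundle that simply does not contain the issuing root.
    for r in good other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $r Root CA" \
            -keyout "$WORK/root-$r.key" -out "$WORK/root-$r.csr" 2>/dev/null
        openssl x509 -req -days 30 -in "$WORK/root-$r.csr" -signkey "$WORK/root-$r.key" \
            -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/root-$r.pem" 2>/dev/null
    done
    # Intermediate CA signed by the good root (the "Class 3 Secure Server CA" role).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/int.csr" \
        -CA "$WORK/root-good.pem" -CAkey "$WORK/root-good.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null
    # Leaf signed by the intermediate: what an origin server that omits its
    # intermediate from the handshake leaves the proxy to verify on its own.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=help.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf BUNDLE [INTERMEDIATES]
# Prints "ok" when the chain verifies, "missing_issuer" for OpenSSL error 20
# (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), and "other" for anything else.
verify_leaf() {
    bundle="$1"
    inter="${2:-}"
    if [ -n "$inter" ]; then
        out=$(openssl verify -CAfile "$bundle" -untrusted "$inter" "$WORK/leaf.pem" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$bundle" "$WORK/leaf.pem" 2>&1 || true)
    fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo missing_issuer ;;
        *": OK"*) echo ok ;;
        *) echo other ;;
    esac
}

make_chain
echo "root bundle only, server omits intermediate: $(verify_leaf "$WORK/root-good.pem")"
echo "root bundle + foreign intermediates file:    $(verify_leaf "$WORK/root-good.pem" "$WORK/int.pem")"
echo "bundle lacking the root + intermediates:     $(verify_leaf "$WORK/root-other.pem" "$WORK/int.pem")"
```

It prints missing_issuer, ok, missing_issuer. The first is OpenSSL error 20, the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY in the error page above, and it is exactly what a server that omits its intermediate produces; the second is what the intermediates file fixes; the third shows that no intermediates file helps when the root itself is absent from the bundle, so the root bundle is the thing to check first. Unlike Squid, `openssl verify` also consults the system CA directory by default, which does not matter for a throwaway CA.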

Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri Voinov
Hi, Raf. Just checked on two of my servers - works like a charm without any
changes :) I already have a good intermediate CA bundle :)


Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

L. A. Walsh
In reply to this post by Yuri Voinov
Yuri wrote:
> Ooooops,
>
> miss end of message :)
>  
---
    I did search first! ;^)



> Check all CA's chain. It is possible your root CA's bundle not complete.
>  
---
    Likely problem...


> I usually use root CA's from Mozilla (added to squid.conf as one file)
> and own self-supported intermediate CA's list (file).
>  
----
How often do they update?  I.e. should I set up a cron job to download
and concatenate the CA's?  Is there a preferred D/L URL?





> But in addition I'm using Squid 5.x with working cert's downloader ;)
>  
----
:^/  --- hmmm.... and I'm not even running 4.x... *ouch*...

Is that going to be backported to 3.x?  Isn't 4.x the beta/devel version,
or is it 4.x=beta and 5.x=devel?


Tnx!
-l

Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri Voinov


08.09.2017 3:46, L A Walsh wrote:

>> I usually use root CA's from Mozilla (added to squid.conf as one file)
>> and own self-supported intermediate CA's list (file).
>>  
> ----
> How often do they update?  I.e. should I set up a cron job to download
> and concatenate the CA's?  Is there a preferred D/L URL?
I added a once-per-month update to cron. Script (specific to my setup) to
update and reconfigure squid.
I use this URL:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

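
A cron job along the lines Yuri describes, as an added example (it is not Yuri's script and not Squid's code): it fetches the bundle from the URL he gives, refuses to install it unless it parses and holds a plausible number of certificates, swaps it in with an atomic rename and only then reconfigures Squid. The bundle path /etc/squid/ca-bundle.crt, the MIN_CERTS floor, the crontab line and the use of curl are assumptions of this example. A bumping proxy trusts everything in this file, so a truncated, empty or otherwise unparseable download must never reach it.

```shell
#!/bin/sh
# Added example, not Yuri's script and not Squid's code: a cron-driven
# refresh of the proxy's root CA bundle from the URL Yuri names, with the
# checks a bumping proxy deserves before its trust store is replaced.
# Assumed for the example: bundle installed at /etc/squid/ca-bundle.crt,
# curl and openssl available, squid in PATH.
set -eu

BUNDLE_URL="https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt"
BUNDLE_PATH="${BUNDLE_PATH:-/etc/squid/ca-bundle.crt}"
MIN_CERTS="${MIN_CERTS:-100}"   # a Mozilla-derived bundle carries well over 100 roots

# count_certs FILE: number of PEM certificate blocks, or 0 when BEGIN and END
# markers do not pair up (the signature of a truncated download).
count_certs() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    if [ "$begins" -eq "$ends" ]; then echo "$begins"; else echo 0; fi
}

# bundle_is_sane FILE: prints "ok" when the file holds at least MIN_CERTS
# blocks and every block parses as an X.509 certificate; otherwise a reason.
bundle_is_sane() {
    n=$(count_certs "$1")
    if [ "$n" -lt "$MIN_CERTS" ]; then
        echo "too_few_certs:$n"
        return 0
    fi
    # crl2pkcs7 refuses the whole file if any block is not a loadable cert,
    # and pkcs7 then fails on the empty input it receives.
    if ! openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
            | openssl pkcs7 -print_certs -noout >/dev/null 2>&1; then
        echo unparseable
        return 0
    fi
    echo ok
}

# refresh_bundle: download to a temp file next to the target, check it,
# install with an atomic rename, and reload Squid only if it changed.
refresh_bundle() {
    tmp=$(mktemp "${BUNDLE_PATH}.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$BUNDLE_URL"
    status=$(bundle_is_sane "$tmp")
    if [ "$status" != ok ]; then
        echo "refusing to install bundle: $status" >&2
        return 1
    fi
    if [ -f "$BUNDLE_PATH" ] && cmp -s "$tmp" "$BUNDLE_PATH"; then
        return 0                        # unchanged: no reload needed
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$BUNDLE_PATH"         # rename is atomic; Squid never reads a partial file
    squid -k reconfigure
}

# Crontab entry for a monthly run, as Yuri does (script path is an assumption):
#   0 4 1 * * /usr/local/sbin/refresh-ca-bundle --run
if [ "${1:-}" = "--run" ]; then
    refresh_bundle
fi
```

Point the Squid root-bundle directive at $BUNDLE_PATH (sslproxy_cafile in 3.5, tls_outgoing_options cafile= from 4.x on) and let cron call the script with --run. The checks only establish that the download is a complete, parseable bundle; they say nothing about whether it is the bundle you intended, so pin the fetch to HTTPS as above and keep the previous copy where your change management can diff it.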

Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri Voinov


08.09.2017 3:49, Yuri wrote:

>>> But in addition I'm using Squid 5.x with working cert's downloader ;)
>>>  
>> ----
>> :^/  --- hmmm.... and I'm not even running 4.x... *ouch*...
3.5.26 (last known) works with relatively complete intermediates and
with some manually added root CAs.
>>
>> Is that going to be backported to 3.x?  Isn't 4.x the beta/devel version,
>> or is it 4.x=beta and 5.x=devel?
AFAIK there is no plan to backport it to 3.x; can't say about current
4.x. I migrated to the development 5.x quite a while ago, due to required features.

Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Amos Jeffries
Administrator
On 08/09/17 09:52, Yuri wrote:

>
>
> 08.09.2017 3:49, Yuri пишет:
>>
>> 08.09.2017 3:46, L A Walsh пишет:
>>> Yuri wrote:
>>>
>>>
>>>> But in addition I'm using Squid 5.x with working cert's downloader ;)
>>>>    
>>> ----
>>> :^/  --- hmmm.... and I'm not even running 4.x... *ouch*...
> 3.5.26 (last known) works with relatively complete intermediates and
> with some manually added root CA's.
>>>
>>> Is that going to be backported to 3.x?  Isn't 4.x the beta/devel version,
>>> or is it 4.x=beta and 5.x=devel?
> AFAIK it's not planning to backport it to 3.x, can't say about current
> 4.x. A bit long time migrated to development 5.x. Due to required features.

Should be working in v4 (beta) now.

And yes, no plans for backport to v3.5 - it is big code change.


Amos

Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

L. A. Walsh
In reply to this post by Yuri Voinov
Yuri wrote:

>>> Check all CA's chain. It is possible your root CA's bundle not complete.
>>>  
>> ---
>>    Likely problem...


Fixed as per URL:


> I use this URL:
> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

and working now...

Thanks!
Linda

Re: TLS: 1st time w/intermediate cert: not working; ideas on what I'm doing wrong?

Yuri Voinov
You're welcome ;)
