Uninitialized SSL certificate database directory

Maximiliano Santa Cruz

Hello everybody.

I've been struggling with this error:

(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".

I've tried a lot of workarounds from this mailing list but none of them worked for me. These are the permissions that I have:

[root@localhost admin]#  /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

[root@localhost admin]# ll /var/lib/ssl_db
total 4
drwxr-xr-x. 2 squid squid 6 Aug 27 15:06 certs
-rw-r--r--. 1 squid squid 0 Aug 27 15:06 index.txt
-rw-r--r--. 1 squid squid 1 Aug 27 15:06 size

I get the error when:

[root@localhost admin]# systemctl restart squid

Then I tried:

[root@localhost admin]# chmod -R a+w /var/lib/ssl_db
[root@localhost admin]# ll /var/lib/ssl_db
total 4
drwxrwxrwx. 2 squid squid 6 Aug 27 15:06 certs
-rw-rw-rw-. 1 squid squid 0 Aug 27 15:06 index.txt
-rw-rw-rw-. 1 squid squid 1 Aug 27 15:06 size

Same error.

OS: CentOS 7
[root@localhost admin]# squid -v
Squid Cache: Version 3.5.27
Service Name: squid

Thanks.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Uninitialized SSL certificate database directory

Amos Jeffries
On 28/08/18 7:13 AM, Maximiliano Santa Cruz wrote:

>
> Hello everybody.
>
> I've been struggling with this error:
>
> (ssl_crtd): Uninitialized SSL certificate database directory:
> /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>
> I've tried a lot of workarounds from this mailing list but none of them
> worked for me, these are the permissions that I have:
>
> [root@localhost admin]#  /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
>
> [root@localhost admin]# ll /var/lib/ssl_db
> total 4
> drwxr-xr-x. 2 squid squid 6 Aug 27 15:06 certs
> -rw-r--r--. 1 squid squid 0 Aug 27 15:06 index.txt
> -rw-r--r--. 1 squid squid 1 Aug 27 15:06 size
>

Have you updated SELinux permissions after creating or changing the
directory?

 test -x /sbin/restorecon && restorecon /var/lib/ssl_db


>
> OS: CentOS 7
> [root@localhost admin]# squid -v
> Squid Cache: Version 3.5.27
> Service Name: squid
>

Missing the configure options which will say what --with-default-user=
was set to. That account needs to match the one with rights to the
directory - it may not be "squid".


Also, please update to Squid-4. It has much better support for SSL-Bump
features than squid-3.x. Eliezer has packages available


Amos

Re: Uninitialized SSL certificate database directory

Maximiliano Santa Cruz
Thanks for your answer, here's the output after the upgrade:

[root@localhost ssl_cert]# squid -v
Squid Cache: Version 4.1
Service Name: squid

'--with-default-user=squid' 

Error:

[root@localhost ssl_cert]# /usr/lib64/squid/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
Initialization SSL db...
/usr/lib64/squid/security_file_certgen: Cannot create /usr/local/squid/var/cache/squid/ssl_db

From the cache.log:

2018/08/28 09:00:36 kid1| Set Current Directory to /var/spool/squid
(security_file_certgen): Uninitialized SSL certificate database directory: /usr/local/squid/var/cache/squid/ssl_db. To initialize, run "security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db".
...
2018/08/28 09:00:37 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 17 flags=41
2018/08/28 09:00:37 kid1| WARNING: /usr/lib64/squid/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB #Hlpr1 exited
2018/08/28 09:00:37 kid1| Too few /usr/lib64/squid/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB processes are running (need 1/8)


Permissions:

drwxrwxrwx. 2 squid squid 6 Aug 28 08:45 ssl_db
drwxrwxrwx. 3 squid squid 20 Aug 28 08:45 squid
drwxrwxrwx. 3 squid squid 19 Aug 28 08:45 cache
drwxrwxrwx. 3 squid squid 19 Aug 28 08:45 var
drwxrwxrwx. 3 squid squid 17 Aug 28 08:45 squid

Status:

[root@localhost /]# systemctl status squid
● squid.service - Squid Web Proxy Server
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2018-08-28 09:00:37 EDT; 2min 5s ago
     Docs: man:squid(8)
  Process: 4993 ExecStop=/usr/sbin/squidshut.sh (code=exited, status=255)

It doesn't matter if I create /squid with squid.squid user.group permissions with rwx, the error is always the same.

I'm downloading https://www.pfsense.org, will try from there. Also attached the squid.conf just in case.

Regards.


Re: Uninitialized SSL certificate database directory

Amos Jeffries
On 29/08/18 1:08 AM, Maximiliano Santa Cruz wrote:

> Thanks for your answer, here's the output after the upgrade:
>
> [root@localhost ssl_cert]# squid -v
> Squid Cache: Version 4.1
> Service Name: squid
>
> '--with-default-user=squid' 
>
> Error:
>
> [root@localhost ssl_cert]# /usr/lib64/squid/security_file_certgen -c -s
> /usr/local/squid/var/cache/squid/ssl_db -M 4MB
> Initialization SSL db...
> /usr/lib64/squid/security_file_certgen: Cannot create
> /usr/local/squid/var/cache/squid/ssl_db
>
...
> Permissions:
>
> drwxrwxrwx. 2 squid squid 6 Aug 28 08:45 ssl_db

Aha. This directory cannot be created because it already exists.

Run these:

 rm -rf /usr/local/squid/var/cache/squid/ssl_db

 su squid

 /usr/lib64/squid/security_file_certgen -c \
   -s /usr/local/squid/var/cache/squid/ssl_db \
   -M 4MB


Amos
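
The failure identified above (running the helper with -c against a directory that already exists), as an added example that is not part of the original thread: a POSIX shell check that classifies the database path before initialization and flags the world-writable mode seen in the listings. The function and state names are this example's own; the certs/, index.txt, size layout is taken from the listing earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Run as the account Squid uses, since
# [ -w ] tests the current user's rights. State names are this example's own.

# Print the state of a certificate database path before "-c" is run on it.
ssl_db_state() {
    dir=$1
    if [ ! -e "$dir" ]; then
        # "-c" creates the directory itself, so only the parent must be usable.
        parent=$(dirname "$dir")
        if [ -d "$parent" ] && [ -w "$parent" ]; then
            echo "absent-ready"
        else
            echo "absent-parent-unusable"
        fi
    elif [ ! -d "$dir" ]; then
        echo "not-a-directory"
    elif [ -d "$dir/certs" ] && [ -f "$dir/index.txt" ] && [ -f "$dir/size" ]; then
        echo "initialized"            # layout shown in the thread's listing
    elif [ -z "$(ls -A "$dir")" ]; then
        echo "exists-empty"           # the "Cannot create" case from the thread
    else
        echo "exists-partial"
    fi
}

# Succeed if "other" has write permission (e.g. after chmod -R a+w).
ssl_db_world_writable() {
    case $(ls -ld "$1") in
        ????????w*) return 0 ;;
    esac
    return 1
}

# Stand-alone use: pass the database path as the first argument.
if [ "$#" -gt 0 ]; then
    ssl_db_state "$1"
    if [ -e "$1" ] && ssl_db_world_writable "$1"; then
        echo "warning: $1 is world-writable" >&2
    fi
fi
```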