Just one thing I noticed: "clientca" is not the CA which issued your "cert" (sklad.duckdns.org) - it's the CA to be used when doing client-side authentication, which I'm not sure if you're doing.
Dio

On Wed, Aug 24, 2016 at 2:02 PM, Samuraiii <samurai.no.d...@gmail.com> wrote:
>
> > Please give more details for "fails".
> >
> > Is the following your entire squid.conf (except for comments)?
> >
> > Have you tried getting SSL access to Squid working before introducing
> > authentication?
> >
> > What are you trying, to test this, and what are the results?
> >
> >
> > Regards,
> >
> >
> > Antony.
> First I would like to apologize for previous incomplete mail.
> I got interrupted and accidentally sent it out before being complete.
>
> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> I have found that this is related to missing self signed certificate,
> and since I do not want to use self signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self signed certificates so my users would not
> need to import and replace my own certs.
>
>
> And here is my complete squid.conf:
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> auth_param basic program /usr/libexec/squid/basic_pam_auth
> auth_param basic children 5
> auth_param basic realm Proxy Authentication Required
> auth_param basic credentialsttl 2 hours
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
>
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
> cache_dir aufs /var/cache/squid 512 16 256
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> One more apology for escaped mail.
> S
>

--
--------
Diogenes S. de Jesus
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users