Well. Let's check more deeply. Show me the sslcrtd_program parameter in your squid.conf
12.09.2017 1:23, Rohit Sodhia wrote:
> Unfortunately, no luck yet. Thank you again for your help before.
>
> I found that the user squid and group squid existed already, so I added
>
> cache_effective_user squid
> cache_effective_group squid
>
> to my config (first two lines), made sure /var/lib/ssl_db and its
> contents were set to squid:squid and restarted the service, but I'm
> still getting the same error :(
>
> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia <sodhia.ro...@gmail.com> wrote:
>
> I'll try that immediately, thanks! I appreciate all your advice;
> hopefully I won't have to reach out again :p
>
> On Mon, Sep 11, 2017 at 2:39 PM, Yuri <yvoi...@gmail.com> wrote:
>
> I'm not a Linux fanboy, but modern squid never runs as root. So,
> most probably it runs as nobody user.
>
> Ah, yes:
>
> # TAG: cache_effective_user
> # If you start Squid as root, it will change its effective/real
> # UID/GID to the user specified below. The default is to change
> # to UID of nobody.
> # see also; cache_effective_group
> #Default:
> # cache_effective_user nobody
>
> # TAG: cache_effective_group
> # Squid sets the GID to the effective user's default group ID
> # (taken from the password file) and supplementary group list
> # from the groups membership.
> #
> # If you want Squid to run with a specific GID regardless of
> # the group memberships of the effective user then set this
> # to the group (or GID) you want Squid to run as. When set
> # all other group privileges of the effective user are ignored
> # and only this GID is effective. If Squid is not started as
> # root the user starting Squid MUST be member of the specified
> # group.
> #
> # This option is not recommended by the Squid Team.
> # Our preference is for administrators to configure a secure
> # user account for squid with UID/GID matching system policies.
> #Default:
> # Use system group memberships of the cache_effective_user account
>
> As documented. :)
>
> AFAIK the best solution is to create a non-privileged group & user
> (like squid/squid) and set both of these parameters explicitly.
>
> Then change the owner recursively on the SSL cache to this user.
>
>
> 12.09.2017 0:36, Rohit Sodhia wrote:
>> Neither of those values are set in my config. Even though I'm
>> not using squid for caching, I need those values? They aren't
>> set in the default configs either.
>>
>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri <yvoi...@gmail.com> wrote:
>>
>> Most probably your squid runs as another user than squid.
>>
>> Check your squid.conf for cache_effective_user and
>> cache_effective_group values.
>>
>> Then change SSL cache permissions to these values. Should
>> work.
>>
>>
>> 12.09.2017 0:30, Rohit Sodhia wrote:
>>> Thanks for the feedback! I just used yum (it's a CentOS
>>> 7 VB) and it set it up like that. I changed the owner
>>> and group to squid:squid and tried restarting squid, but
>>> still get the same errors. I thought to run the command
>>> again, but this time it says
>>>
>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>
>>> If this folder has incorrect permissions are there
>>> possibly other permission issues?
>>>
>>> On Mon, Sep 11, 2017 at 2:25 PM, Yuri <yvoi...@gmail.com> wrote:
>>>
>>> Here is your root of the problem.
>>>
>>> Should be (on my setups):
>>>
>>> # ls -al /var/lib/ssl_db
>>> total 326
>>> drwxr-xr-x 3 squid squid 5 Sep 5 00:53 .
>>> drwxr-xr-x 8 root other 8 Sep 5 00:53 ..
>>> drwxr-xr-x 2 squid squid 454 Sep 11 23:37 certs
>>> -rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
>>> -rw-r--r-- 1 squid squid 7 Sep 11 23:37 size
>>>
>>> I.e. Squid has no access to SSL cache dir structures.
>>>
>>>
>>> 12.09.2017 0:23, Rohit Sodhia wrote:
>>>> total 8
>>>> drwxr-xr-x. 3 root root 48 Sep 11 12:42 .
>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>> drwxr-xr-x. 2 root root 6 Sep 11 12:42 certs
>>>> -rw-r--r--. 1 root root 0 Sep 11 12:42 index.txt
>>>> -rw-r--r--. 1 root root 1 Sep 11 12:42 size
>>>>
>>>>
>>>> On Mon, Sep 11, 2017 at 2:22 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>
>>>> Show output of
>>>>
>>>> ls -al /var/lib/ssl_db
>>>>
>>>>
>>>> 12.09.2017 0:21, Rohit Sodhia wrote:
>>>>> Yes, but telling me it's crashing
>>>>> unfortunately doesn't help me figure out why
>>>>> or how to fix it. I've run the command it
>>>>> suggests but it doesn't help. I'm
>>>>> unfortunately not an ops guy familiar with
>>>>> this kind of stuff; I don't see anything on
>>>>> how to figure out what to do about it.
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:17 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>>
>>>>> It tells you what happens.
>>>>>
>>>>>
>>>>> 11.09.2017 23:50, Rohit Sodhia wrote:
>>>>> > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>> > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users@lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
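The ownership check this thread works through by hand, as an added example that is not part of the messages above and is not Squid project code: it reads cache_effective_user from squid.conf (falling back to nobody, per the documentation quoted in the thread), takes the database directory from the -s argument of sslcrtd_program, and lists anything under it that the effective user does not own. The function names are hypothetical, and the form of the sslcrtd_program line is an assumption modelled on the "ssl_crtd -c -s /var/lib/ssl_db" invocation in the error message.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project); function names are
# hypothetical. Audits ownership of the ssl_crtd certificate database.

# Print the last value set for a squid.conf directive, or DEFAULT if unset.
conf_value() {  # conf_value FILE DIRECTIVE DEFAULT
    awk -v d="$2" -v def="$3" '
        $1 == d { v = $2 }
        END { print (v != "" ? v : def) }' "$1"
}

# Print the directory given after -s on the sslcrtd_program line (assumed form:
# sslcrtd_program /path/to/ssl_crtd -s DIR ...).
ssl_db_dir() {  # ssl_db_dir FILE
    awk '$1 == "sslcrtd_program" {
            for (i = 2; i < NF; i++) if ($i == "-s") dir = $(i + 1)
        }
        END { print dir }' "$1"
}

# List paths under DIR not owned by USER (name or numeric UID).
# Returns 0 if none, 1 if some were listed, 2 if find itself failed.
foreign_owned() {  # foreign_owned DIR USER
    out=$(find "$1" ! -user "$2" -print) || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Combine the checks for one squid.conf; same return codes as foreign_owned.
audit_ssl_db() {  # audit_ssl_db FILE
    user=$(conf_value "$1" cache_effective_user nobody)
    dir=$(ssl_db_dir "$1")
    [ -n "$dir" ] || { echo "no sslcrtd_program -s path in $1" >&2; return 2; }
    rc=0
    foreign_owned "$dir" "$user" >&2 || rc=$?
    case $rc in
        0) echo "OK: $dir is owned by $user" ;;
        1) echo "MISMATCH: paths listed above are not owned by $user" >&2 ;;
        *) echo "ERROR: could not inspect $dir for user $user" >&2 ;;
    esac
    return "$rc"
}

# Audit a real config only when its path is passed as the first argument.
if [ "$#" -gt 0 ]; then audit_ssl_db "$1"; fi
```

Run it as root with the path to squid.conf as the only argument, so that find can read the whole database tree.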