Everything happens once for the first time;)
12.09.2017 2:18, Rohit Sodhia wrote:
> Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so
> guess I'll have to learn how to compile it myself; never compiled a
> package before.
>
> On Mon, Sep 11, 2017 at 4:17 PM, Yuri <yvoi...@gmail.com> wrote:
>
>     Hardly,
>
>     most probably something in repo's package. However, upgrade is
>     always recommended, especially with modern functionality. It
>     changes fast enough.
>
>     12.09.2017 2:15, Rohit Sodhia wrote:
>> Ah. I'm on 3.5.20; not sure how far back that is. Is that the
>> core of the problem?
>>
>> On Mon, Sep 11, 2017 at 4:07 PM, Yuri <yvoi...@gmail.com> wrote:
>>
>>     Seems latest 4.0.21 is good enough. Most critical SSL-related
>>     bugs almost closed or closed.
>>
>>     At least latest 3.5.27 is released. AFAIK this is minimum to
>>     problem-free running.
>>
>>     Repositories software sometimes has strange quirks, or
>>     sometimes rancid.
>>
>>     12.09.2017 2:05, Rohit Sodhia wrote:
>>
>>> I'll try to find it, but I read a few articles/SO questions
>>> that suggested there were bugs in 4 relating to SSL bumping?
>>> If they were wrong, I'd be glad to go forward. Should I be
>>> removing the yum squid package and compile my own? Is 3.5
>>> problematic besides being old?
>>>
>>> On Mon, Sep 11, 2017 at 4:02 PM, Yuri <yvoi...@gmail.com> wrote:
>>>
>>>     Wait. Squid 3.5.20? So ancient?
>>>
>>>     12.09.2017 1:58, Rohit Sodhia wrote:
>>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>> I used the line from the Stack Overflow question I
>>>> linked earlier.
>>>>
>>>> On Mon, Sep 11, 2017 at 3:41 PM, Yuri <yvoi...@gmail.com> wrote:
>>>>
>>>>     Well. Let's check more deep.
>>>>
>>>>     Show me parameter sslcrtd_program in your squid.conf
>>>>
>>>>     12.09.2017 1:23, Rohit Sodhia wrote:
>>>>> Unfortunately, no luck yet. Thank you again for
>>>>> your help before.
>>>>>
>>>>> I found that the user squid and group squid
>>>>> existed already, so I added
>>>>>
>>>>> cache_effective_user squid
>>>>> cache_effective_group squid
>>>>>
>>>>> to my config (first two lines), made sure
>>>>> /var/lib/ssl_db and its contents were set to
>>>>> squid:squid and restarted the service, but I'm
>>>>> still getting the same error :(
>>>>>
>>>>> On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia
>>>>> <sodhia.ro...@gmail.com> wrote:
>>>>>
>>>>>     I'll try that immediately, thanks! I
>>>>>     appreciate all your advice; hopefully I won't
>>>>>     have to reach out again :p
>>>>>
>>>>>     On Mon, Sep 11, 2017 at 2:39 PM, Yuri
>>>>>     <yvoi...@gmail.com> wrote:
>>>>>
>>>>>         I'm not Linux fanboy, but modern squid
>>>>>         never runs as root. So, most probably it
>>>>>         runs as nobody user.
>>>>>
>>>>>         Ah, yes:
>>>>>
>>>>>         #  TAG: cache_effective_user
>>>>>         #    If you start Squid as root, it will change its effective/real
>>>>>         #    UID/GID to the user specified below.  The default is to change
>>>>>         #    to UID of nobody.
>>>>>         #    see also; cache_effective_group
>>>>>         #Default:
>>>>>         # cache_effective_user nobody
>>>>>
>>>>>         #  TAG: cache_effective_group
>>>>>         #    Squid sets the GID to the effective user's default group ID
>>>>>         #    (taken from the password file) and supplementary group list
>>>>>         #    from the groups membership.
>>>>>         #
>>>>>         #    If you want Squid to run with a specific GID regardless of
>>>>>         #    the group memberships of the effective user then set this
>>>>>         #    to the group (or GID) you want Squid to run as. When set
>>>>>         #    all other group privileges of the effective user are ignored
>>>>>         #    and only this GID is effective. If Squid is not started as
>>>>>         #    root the user starting Squid MUST be member of the specified
>>>>>         #    group.
>>>>>         #
>>>>>         #    This option is not recommended by the Squid Team.
>>>>>         #    Our preference is for administrators to configure a secure
>>>>>         #    user account for squid with UID/GID matching system policies.
>>>>>         #Default:
>>>>>         # Use system group memberships of the cache_effective_user account
>>>>>
>>>>>         As documented. :)
>>>>>
>>>>>         AFAIK best solution is create
>>>>>         non-privileged group & user (like
>>>>>         squid/squid) and set both these parameters
>>>>>         explicitly.
>>>>>
>>>>>         Then change owner recursively on SSL cache
>>>>>         to this user.
>>>>>
>>>>>         12.09.2017 0:36, Rohit Sodhia wrote:
>>>>>> Neither of those values are set in my
>>>>>> config. Even though I'm not using squid
>>>>>> for caching, I need those values? They
>>>>>> aren't set in the default configs either.
>>>>>>
>>>>>> On Mon, Sep 11, 2017 at 2:33 PM, Yuri
>>>>>> <yvoi...@gmail.com> wrote:
>>>>>>
>>>>>>     Most probably your squid runs as
>>>>>>     another user than squid.
>>>>>>
>>>>>>     Check your squid.conf for
>>>>>>     cache_effective_user and
>>>>>>     cache_effective_group values.
>>>>>>
>>>>>>     Then change SSL cache permissions to
>>>>>>     these values. Should work.
>>>>>>
>>>>>>     12.09.2017 0:30, Rohit Sodhia wrote:
>>>>>>> Thanks for the feedback! I just used
>>>>>>> yum (it's a CentOS 7 VB) and it set
>>>>>>> it up like that. I changed the owner
>>>>>>> and group to squid:squid and tried
>>>>>>> restarting squid, but still get the
>>>>>>> same errors. I thought to run the
>>>>>>> command again, but this time it says
>>>>>>>
>>>>>>> /usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
>>>>>>>
>>>>>>> If this folder has incorrect
>>>>>>> permissions are there possibly other
>>>>>>> permission issues?
>>>>>>>
>>>>>>> On Mon, Sep 11, 2017 at 2:25 PM,
>>>>>>> Yuri <yvoi...@gmail.com> wrote:
>>>>>>>
>>>>>>>     Here your root of problem.
>>>>>>>
>>>>>>>     Should be (on my setups):
>>>>>>>
>>>>>>>     # ls -al /var/lib/ssl_db
>>>>>>>     total 326
>>>>>>>     drwxr-xr-x   3 squid    squid          5 Sep  5 00:53 .
>>>>>>>     drwxr-xr-x   8 root     other          8 Sep  5 00:53 ..
>>>>>>>     drwxr-xr-x   2 squid    squid        454 Sep 11 23:37 certs
>>>>>>>     -rw-r--r--   1 squid    squid     280575 Sep 11 23:37 index.txt
>>>>>>>     -rw-r--r--   1 squid    squid          7 Sep 11 23:37 size
>>>>>>>
>>>>>>>     I.e. Squid has no access to SSL
>>>>>>>     cache dir structures.
>>>>>>>
>>>>>>>     12.09.2017 0:23, Rohit Sodhia wrote:
>>>>>>>> total 8
>>>>>>>> drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
>>>>>>>> drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
>>>>>>>> drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
>>>>>>>> -rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
>>>>>>>> -rw-r--r--.  1 root root    1 Sep 11 12:42 size
>>>>>>>>
>>>>>>>> On Mon, Sep 11, 2017 at 2:22 PM,
>>>>>>>> Yuri <yvoi...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>     Show output of
>>>>>>>>
>>>>>>>>     ls -al /var/lib/ssl_db
>>>>>>>>
>>>>>>>>     12.09.2017 0:21, Rohit Sodhia wrote:
>>>>>>>>> Yes, but telling me it's
>>>>>>>>> crashing unfortunately
>>>>>>>>> doesn't help me figure out
>>>>>>>>> why or how to fix it. I've
>>>>>>>>> run the command it
>>>>>>>>> suggests but it doesn't
>>>>>>>>> help. I'm unfortunately
>>>>>>>>> not an ops guy familiar
>>>>>>>>> with this kind of stuff; I
>>>>>>>>> don't see anything on how
>>>>>>>>> to figure out what to do
>>>>>>>>> about it.
>>>>>>>>>
>>>>>>>>> On Mon, Sep 11, 2017 at 2:17 PM,
>>>>>>>>> Yuri <yvoi...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>     It tells you what happens.
>>>>>>>>>
>>>>>>>>>     11.09.2017 23:50, Rohit Sodhia wrote:
>>>>>>>>>     > (ssl_crtd): Uninitialized SSL certificate database directory:
>>>>>>>>>     > /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
>>>>>>>>>
>>>>>>>>>     _______________________________________________
>>>>>>>>>     squid-users mailing list
>>>>>>>>>     squid-users@lists.squid-cache.org
>>>>>>>>>     http://lists.squid-cache.org/listinfo/squid-users
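
A check for the failure mode this thread works through, as an added example that is not part of the original messages: it reads `sslcrtd_program` and `cache_effective_user` from squid.conf, confirms the database has the `certs`, `index.txt` and `size` entries shown in the listings, and reports anything not owned by the effective user. The function names and the sample layout are assumptions made for illustration, and the ownership check relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the thread): check that Squid's ssl_crtd database
# is initialized and owned by the account Squid drops privileges to.
# Usage: sh audit_ssl_db.sh /etc/squid/squid.conf   (script name is hypothetical)

# Directory given to ssl_crtd with "-s" on the sslcrtd_program line.
ssl_db_dir() {
    awk '$1 == "sslcrtd_program" {
        for (i = 2; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
    }' "$1"
}

# cache_effective_user, or the documented default "nobody" when unset.
effective_user() {
    u=$(awk '$1 == "cache_effective_user" { print $2; exit }' "$1")
    echo "${u:-nobody}"
}

# Returns 0 = OK, 1 = wrong owner somewhere, 2 = database not initialized.
audit_ssl_db() {
    dir=$(ssl_db_dir "$1")
    user=$(effective_user "$1")
    [ -n "$dir" ] || { echo "no sslcrtd_program -s path in $1"; return 2; }
    for entry in certs index.txt size; do
        [ -e "$dir/$entry" ] || { echo "uninitialized: no $dir/$entry"; return 2; }
    done
    # GNU stat: print "owner path" per entry, keep those with another owner.
    bad=$(find "$dir" -exec stat -c '%U %n' {} + | awk -v u="$user" '$1 != u')
    [ -z "$bad" ] && return 0
    printf 'not owned by %s:\n%s\n' "$user" "$bad"
    return 1
}

# Constructed sample: temp squid.conf plus a DB laid out like the listings.
# $1 = cache_effective_user value ("" leaves the directive unset).
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/ssl_db/certs"
    : > "$t/ssl_db/index.txt"
    echo 0 > "$t/ssl_db/size"
    {
        [ -n "$1" ] && echo "cache_effective_user $1"
        echo "sslcrtd_program /usr/lib64/squid/ssl_crtd -s $t/ssl_db -M 4MB"
    } > "$t/squid.conf"
    echo "$t"
}

if [ $# -gt 0 ]; then audit_ssl_db "$1"; fi
```

Exit status 2 corresponds to the "Uninitialized SSL certificate database directory" message, and status 1 to the root-owned listing posted earlier in the thread.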