Hi, the setup is exactly what you suggested, but the ERROR still shows up. Here is the startup sequence for context creation:

2019/04/05 06:29:48.050| Initializing https:// proxy context
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf950 created from id SBuf110
2019/04/05 06:29:48.050| 24,8| Tokenizer.cc(174) skip: skipping char '1'
2019/04/05 06:29:48.050| 24,5| Tokenizer.cc(25) consume: consuming 1 bytes
2019/04/05 06:29:48.050| 24,8| SBuf.cc(497) consume: SBuf950 consume 1
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf951 created from id SBuf950
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf951 destructed
2019/04/05 06:29:48.050| 24,8| Tokenizer.cc(174) skip: skipping char '.'
2019/04/05 06:29:48.050| 24,5| Tokenizer.cc(25) consume: consuming 1 bytes
2019/04/05 06:29:48.050| 24,8| SBuf.cc(497) consume: SBuf950 consume 1
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf952 created from id SBuf950
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf952 destructed
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf953 created from id SBuf950
2019/04/05 06:29:48.050| 24,5| Tokenizer.cc(25) consume: consuming 1 bytes
2019/04/05 06:29:48.050| 24,8| SBuf.cc(497) consume: SBuf950 consume 1
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf954 created from id SBuf950
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf954 destructed
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf953 destructed
2019/04/05 06:29:48.050| 24,8| SBuf.cc(70) ~SBuf: SBuf950 destructed
2019/04/05 06:29:48.051| 83,9| support.cc(586) InitClientContext: Setting certificate verification callback.
2019/04/05 06:29:48.051| 83,8| PeerOptions.cc(647) updateContextCa: Setting CA certificate locations.
2019/04/05 06:29:48.051| 83,8| PeerOptions.cc(630) loadSystemTrustedCa: Setting default system Trusted CA. ctx=0x55dcadedcd20
2019/04/05 06:29:48.052| 24,8| SBuf.cc(30) SBuf: SBuf955 created
2019/04/05 06:29:48.052| 24,7| SBuf.cc(85) assign: assigning SBuf955 from SBuf118
2019/04/05 06:29:48.052| 24,8| SBuf.cc(38) SBuf: SBuf956 created from id SBuf955
2019/04/05 06:29:48.053| 24,8| SBuf.cc(70) ~SBuf: SBuf956 destructed
2019/04/05 06:29:48.053| 24,8| SBuf.cc(70) ~SBuf: SBuf955 destructed
2019/04/05 06:29:48.053| Initializing http_port 0.0.0.0:3128 TLS contexts
2019/04/05 06:29:48.053| Using certificate in /etc/squid/squidCA.pem
2019/04/05 06:29:48.053| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf217
2019/04/05 06:29:48.053| 24,7| SBuf.cc(167) rawSpace: SBuf217 not growing
2019/04/05 06:29:48.053| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf217
2019/04/05 06:29:48.053| 24,8| SBuf.cc(886) cow: SBuf217 new size:23
2019/04/05 06:29:48.053| 24,8| SBuf.cc(857) reAlloc: SBuf217 new size: 23
2019/04/05 06:29:48.054| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x55dcadedd7c0 id=blob1225 reserveSize=23
2019/04/05 06:29:48.054| 24,8| MemBlob.cc(101) memAlloc: blob1225 memAlloc: requested=23, received=40
2019/04/05 06:29:48.054| 24,7| SBuf.cc(865) reAlloc: SBuf217 new store capacity: 40
2019/04/05 06:29:48.054| 83,3| KeyData.cc(105) loadX509ChainFromFile: Using certificate chain in /etc/squid/squidCA.pem
2019/04/05 06:29:48.054| 83,3| KeyData.cc(123) loadX509ChainFromFile: Adding issuer CA: /CN=nobody
2019/04/05 06:29:48.054| Using key in /etc/squid/squidCA.pem
2019/04/05 06:29:48.054| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf218
2019/04/05 06:29:48.054| 24,8| SBuf.cc(886) cow: SBuf218 new size:23
2019/04/05 06:29:48.054| 24,8| SBuf.cc(857) reAlloc: SBuf218 new size: 23
2019/04/05 06:29:48.054| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x55dcadef07f0 id=blob1226 reserveSize=23
2019/04/05 06:29:48.054| 24,8| MemBlob.cc(101) memAlloc: blob1226 memAlloc: requested=23, received=40
2019/04/05 06:29:48.054| 24,9| MemBlob.cc(82) ~MemBlob: destructed, this=0x55dcaddf6c30 id=blob554 capacity=40 size=23
2019/04/05 06:29:48.054| 24,7| SBuf.cc(865) reAlloc: SBuf218 new store capacity: 40
2019/04/05 06:29:48.054| 83,8| PeerOptions.cc(647) updateContextCa: Setting CA certificate locations.
2019/04/05 06:29:48.054| 83,9| ServerOptions.cc(444) updateContextClientCa: Not requiring any client certificates
2019/04/05 06:29:48.054| 24,8| SBuf.cc(30) SBuf: SBuf957 created
2019/04/05 06:29:48.054| 24,7| SBuf.cc(85) assign: assigning SBuf957 from SBuf118
2019/04/05 06:29:48.054| 24,8| SBuf.cc(38) SBuf: SBuf958 created from id SBuf957
2019/04/05 06:29:48.054| 24,8| SBuf.cc(70) ~SBuf: SBuf958 destructed
2019/04/05 06:29:48.054| 24,8| SBuf.cc(70) ~SBuf: SBuf957 destructed

If you want I can attach all the cache log with startup and one request with error.

Thanks

On Fri, 5 Apr 2019 at 06:23, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 5/04/19 12:37 am, Davide Belloni wrote:
> > Hi,
> > this is the certificate that I'm using at the moment:
> >
>
> AFAICS the pieces Squid-4 needs for your config and checks for are all
> there.
>
> Are the pieces correctly ordered in the .pem file? key first, then CA cert.
>
> >
> >
> > On Thu, 4 Apr 2019 at 12:57, Davide Belloni wrote:
> >
> >     Hi, thanks very much for all the advice!
> >     About the action to generate the certificate I've followed the squid
> >     wiki, that doesn't modify (if I remember correctly) openssl conf to
> >     create it.
> >
> >     Do you have some link to a good howto about that?
> >
> >
> Ah, we have several how-to's in the wiki. The SSL-Bump documentation has
> an example. The ConfigExamples section has one for self-signed root CA
> like yours, one for intermediate CA signing cert, and one for a wildcard
> domain cert.
>
> The one most relevant to what you have is:
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Features.2FDynamicSslCert.Create_Self-Signed_Root_CA_Certificate>
>
> If this already matches what you are doing, and the PEM file content is
> correct, and that context creation ERROR still shows up. Then your next
> step would be to start Squid with the -X command line option and see if
> anything more specific about it shows up.
> (This will produce a huge amount of debug info, but you only need the
> startup sequence where the ERROR shows up. It should not be necessary to
> send traffic until the context is working.)
>
> Amos
>

--
Davide Belloni
http://about.me/davidebelloni
http://www.linkedin.com/in/davidebelloni
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
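Added example, not part of the original messages and not Squid code: one way to cut the `-X` output discussed above down to the TLS startup sequence, keeping the unsectioned lines and debug section 83 and dropping the section 24 buffer noise. The helper names are hypothetical, the section numbers are read off the log in this message, and the last sample line is constructed.

```python
import re

# "date time| section,level| message"; top-level lines such as
# "Using certificate in ..." carry no "section,level|" field.
ENTRY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\|"
                   r"(?: (\d+),(\d+)\|)? ?(.*)$")

def parse_entries(lines):
    """Return [ts, section, level, msg] entries; a line without a timestamp
    (a wrapped line) is joined to the entry before it."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            ts, sec, lvl, msg = m.groups()
            entries.append([ts, int(sec) if sec else None,
                            int(lvl) if lvl else None, msg.strip()])
        elif line and entries:
            entries[-1][3] += " " + line
    return entries

def startup_view(lines, keep_sections=(83,)):
    """Keep unsectioned lines and the chosen debug sections, drop the rest."""
    return [e for e in parse_entries(lines)
            if e[1] is None or e[1] in keep_sections]

def problems(entries):
    """Entries whose message starts with a Squid severity prefix."""
    return [e for e in entries
            if e[3].startswith(("ERROR", "FATAL", "WARNING"))]

# The first eight lines are copied from the log in this message; the last is
# a constructed placeholder so problems() has something to find.
SAMPLE = """\
2019/04/05 06:29:48.050| Initializing https:// proxy context
2019/04/05 06:29:48.050| 24,8| SBuf.cc(38) SBuf: SBuf950 created from id SBuf110
2019/04/05 06:29:48.051| 83,8| PeerOptions.cc(630) loadSystemTrustedCa: Setting default system Trusted CA.
ctx=0x55dcadedcd20
2019/04/05 06:29:48.053| Using certificate in /etc/squid/squidCA.pem
2019/04/05 06:29:48.054| 24,9| MemBlob.cc(56) MemBlob: constructed, this=0x55dcadedd7c0 id=blob1225 reserveSize=23
2019/04/05 06:29:48.054| 83,3| KeyData.cc(123) loadX509ChainFromFile: Adding issuer CA: /CN=nobody
2019/04/05 06:29:48.054| Using key in /etc/squid/squidCA.pem
2019/04/05 06:29:48.055| ERROR: constructed placeholder, not from the original log
""".splitlines()

if __name__ == "__main__":
    for ts, sec, lvl, msg in startup_view(SAMPLE):
        print(ts, f"[{sec},{lvl}]" if sec else "[top]", msg)
```

Run over a full cache.log, `problems(startup_view(lines))` gives the ERROR lines, and the section 83 entries just before each one show which certificate, key or CA step was in progress.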