Trying to set up a non-transparent forward proxy with TLS, using squid 4.10-1ubuntu1.5 (ubuntu 20.04) with the config line

  https_port 12345 tls-cert=/etc/letsencrypt/.../fullchain.pem tls-key=/etc/letsencrypt/.../privkey.pem

When establishing a TLS connection to that port, squid seems to return only the domain certificate from the certificate chain:
$ openssl s_client -showcerts -connect hostname:12345 | grep -v '^[A-Za-z0-9]'
depth=0 CN = ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ...
verify error:num=21:unable to verify the first certificate
verify return:1
---
 0 s:CN = ...
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

While nginx, using the same pair of files, works correctly:

$ openssl s_client -showcerts -connect hostname:443 | grep -v '^[A-Za-z0-9]'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ...
verify return:1
---
 0 s:CN = ...
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Am I missing some configuration option, or is this a squid4 bug?
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
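The diagnosis in the post (the listener sends fewer certificates than the configured bundle contains) can be scripted so it runs as a check after every certificate renewal. The following is an added example, not code from the post or from the Squid project; the function names are hypothetical, and it assumes only the openssl CLI is available.

```shell
#!/bin/sh
# Added example (not from the post or Squid): compare the chain a TLS
# listener actually sends with the PEM bundle it was configured with.

# Number of certificates in a PEM bundle such as fullchain.pem.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the k-th certificate (1-based) of a PEM bundle, header to footer.
pem_nth_cert() {
    awk -v k="$2" '/^-----BEGIN CERTIFICATE-----/{c++} c==k' "$1"
}

# Exit 0 when each certificate in the bundle is issued by the one after it,
# i.e. the file is ordered leaf -> intermediate(s) -> optional root, which
# is the order a server must send them in.
pem_chain_links() {
    n=$(pem_cert_count "$1"); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(pem_nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Number of certificates a server sends in its Certificate message.
# $1 is host:port, $2 the SNI name; empty stdin makes s_client exit after
# the handshake instead of waiting for input.
served_cert_count() {
    printf '' | openssl s_client -showcerts -connect "$1" -servername "$2" 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Report whether listener $1 (SNI $2) serves everything in bundle $3.
# If the bundle ends with a self-signed root, one certificate fewer on the
# wire is normal, since servers are not expected to send the root.
check_listener() {
    expected=$(pem_cert_count "$3"); got=$(served_cert_count "$1" "$2")
    if [ "$got" -lt "$expected" ]; then
        echo "$1 sends $got of $expected certificates in $3"; return 1
    fi
    echo "$1 sends the full chain ($got certificates)"
}
```

For the situation in the post, `check_listener hostname:12345 hostname /etc/letsencrypt/.../fullchain.pem` would report 1 of 2 (or 3) certificates for squid and the full chain for nginx on port 443.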