Re: [squid-users] reverse proxy with SSL offloader issue

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Jun 2009 12:51:30 +1200

On Tue, 02 Jun 2009 16:56:08 +0400, Mario Remy Almeida
<malmeida_at_isaaviation.ae> wrote:
> Hi All,
>
> I downloaded SSL Certificate from verisign and exported pvt key from
> windows 2003 server
>
> in squid.conf I have this
>
> https_port 10.200.22.49:443 accel \
> cert=/etc/squid/keys/mail.airarabia.ae_cert.pem \
> key=/etc/squid/keys/pvtkey.pem defaultsite=mail.airarabia.ae
>
> when I access https://mail.airarabia.ae
> the browser gives this error
>
> Secure Connection Failed
> mail.airarabia.ae uses an invalid security certificate.
>
> The certificate is not trusted because the issuer certificate is
> unknown.
>
> (Error code: sec_error_unknown_issuer)
> * This could be a problem with the server's configuration, or it
> could be someone trying to impersonate the server.
>
> * If you have connected to this server successfully in the past, the
> error may be temporary, and you can try again later.
>
> and in cache.log I get this
>
> clientNegotiateSSL: Error negotiating SSL connection on FD 23:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
>
> What could be the problem? Please help.
>

SSL chain of trust is broken on one of the SSL links.

Two things to try:
 1) adding sslflags=DONT_VERIFY_PEER - If that works, it's the cache_peer
link that is broken. If it still fails, then it's the https_port certificate.

Next, look at the certificate itself and see if it contains the whole chain of
trust (concatenated certificate + signing authority cert).
I'm a bit hazy about whether the https_port needs the signing authority in
it or not when the certs are of the unlinked chain type (I forget what the
right name is even). But I think cache_peer needs the full chain to be in
the cert.

Amos
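One way to run the check Amos describes (does the cert= file hold the whole chain, leaf first, and can a client that trusts only the root verify it), as an added example that is not part of the thread. It assumes the openssl CLI is installed; the CA names and the mail.example.test hostname are constructed.

```shell
# Added example (not from the thread); assumes the openssl CLI is on PATH.
# Builds a throwaway root -> intermediate -> server cert chain, then checks a
# cert= bundle for completeness/order and verifies it as a root-only client would.

# gen_chain DIR: write root.pem, inter.pem, leaf.pem and their keys into DIR
gen_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# bundle_chain_ok BUNDLE: 0 if BUNDLE holds at least two certs, leaf first, and
# each cert's issuer is the subject of the cert that follows it
bundle_chain_ok() {
  [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$1")" -ge 2 ] || return 1
  t=$(mktemp -d)
  awk -v t="$t" '/-BEGIN CERT/{n++; f=sprintf("%s/%02d.pem",t,n)} f{print>f} /-END CERT/{close(f); f=""}' "$1"
  prev=""
  for c in "$t"/*.pem; do
    subj=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject= *//')
    [ -z "$prev" ] || [ "$prev" = "$subj" ] || { rm -rf "$t"; return 1; }
    prev=$(openssl x509 -noout -issuer -in "$c" | sed 's/^issuer= *//')
  done
  rm -rf "$t"
}

# leaf_verifies TRUSTED BUNDLE: like a client that trusts only TRUSTED and gets
# BUNDLE from the server (first cert is the leaf, the rest may bridge to the root)
leaf_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && gen_chain "$d"
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/leaf-plus-inter.pem"
  for b in leaf leaf-plus-inter; do   # leaf alone vs. leaf + signing CA concatenated
    if bundle_chain_ok "$d/$b.pem" && leaf_verifies "$d/root.pem" "$d/$b.pem"
    then echo "$b.pem: complete chain, usable as cert= on https_port"
    else echo "$b.pem: incomplete chain, root-only clients report unknown ca"; fi
  done
  rm -rf "$d"
}
demo
```

The leaf-only bundle fails exactly the way the cache.log line above does, while the leaf plus signing CA bundle passes; the same two checks can be run on a real cert= file before restarting squid.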
Received on Wed Jun 03 2009 - 00:51:46 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 03 2009 - 12:00:02 MDT