Re: [squid-users] problems with ssl_crtd

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 24 Sep 2012 22:52:02 +1200

On 24/09/2012 8:44 p.m., Linos wrote:
> On 20/09/12 12:58, Ahmed Talha Khan wrote:
>> Hey Guy, All
>>
>> I have started facing a very similar issue now.I have been using
>> squid-3.HEAD-20120421-r12120 for about 5 months without any issues.
>> Suddenly from yesterday ive started getting crahses in ssl_crtd
>> process.
>>
>>
>> In my case i am the only user but i observe that the behaviour is
>> random. Sometimes it crashes and sometimes it works. Different https
>> pages give the crash. Even non https pages have caused the crash.
>>
>> These occur especially on google https pages like docs,mail,calender etc..
>>
>> The signing cert is also ok and has NOT expired.
>>
>>
>> My squid conf looks like this:
>> *******************************************************
>> sslproxy_cert_error allow all
>>
>> sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s
>> /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
>> sslcrtd_children 5
>>
>> http_port 192.168.8.134:3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB
>> cert=/home/asif/squid/www.sample.com.pem
>> key=/home/asif/squid/www.sample.com.pem
>>
>> http_port 192.168.8.134:8080
>>
>> https_port 192.168.8.134:3129 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB
>> cert=/home/asif/squid/www.sample.com.pem
>> key=/home/asif/squid/www.sample.com.pem
>> *******************************************************
>>
>> The ssl_db directory is initialized properly with correct permissions.
>>
>> ***********************************************************
>> [talha_at_localhost lib]$ pwd
>> /usr/local/squid-3.3/var/lib
>>
>> [talha_at_localhost lib]$ ls -al
>> total 24
>> drwxrwxrwx 3 root root 4096 Sep 20 15:31 .
>> drwxrwxrwx 6 root root 4096 Sep 20 15:05 ..
>> drwxrwxrwx 3 nobody talha 4096 Sep 20 15:31 ssl_db
>>
>> The size file also has some values in it and cert generation also
>> seems to work but suddenly it all crashes .
>> **************************************************************
>>
>>
>>
>> 2012/09/20 14:57:45| Starting Squid Cache version
>> 3.HEAD-20120425-r12120 for x86_64-unknown-linux-gnu...
>> 2012/09/20 14:57:45| Process ID 23826
>> 2012/09/20 14:57:45| Process Roles: master worker
>> 2012/09/20 14:57:45| With 1024 file descriptors available
>> 2012/09/20 14:57:45| Initializing IP Cache...
>> 2012/09/20 14:57:45| DNS Socket created at [::], FD 5
>> 2012/09/20 14:57:45| DNS Socket created at 0.0.0.0, FD 6
>> 2012/09/20 14:57:45| Adding nameserver 192.168.8.1 from /etc/resolv.conf
>> 2012/09/20 14:57:45| Adding domain localdomain from /etc/resolv.conf
>> 2012/09/20 14:57:45| helperOpenServers: Starting 5/5 'ssl_crtd' processes
>> 2012/09/20 14:57:45| Logfile: opening log
>> daemon:/usr/local/squid-3.3/var/logs/access.log
>> 2012/09/20 14:57:45| Logfile Daemon: opening log
>> /usr/local/squid-3.3/var/logs/access.log
>> 2012/09/20 14:57:45| Logfile: opening log /usr/local/squid-3.3/var/logs/icap-log
>> 2012/09/20 14:57:45| WARNING: log parameters now start with a module
>> name. Use 'stdio:/usr/local/squid-3.3/var/logs/icap-log'
>>
>>
>> 2012/09/20 14:57:45| Store logging disabled
>> 2012/09/20 14:57:45| Swap maxSize 0 + 262144 KB, estimated 20164 objects
>> 2012/09/20 14:57:45| Target number of buckets: 1008
>> 2012/09/20 14:57:45| Using 8192 Store buckets
>> 2012/09/20 14:57:45| Max Mem size: 262144 KB
>> 2012/09/20 14:57:45| Max Swap size: 0 KB
>> 2012/09/20 14:57:45| Using Least Load store dir selection
>> 2012/09/20 14:57:45| Set Current Directory to /usr/local/squid-3.3/var/cache
>> 2012/09/20 14:57:45| Loaded Icons.
>> 2012/09/20 14:57:45| HTCP Disabled.
>> 2012/09/20 14:57:45| /usr/local/squid-3.3/var/run/squid.pid: (13)
>> Permission denied
>> 2012/09/20 14:57:45| WARNING: Could not write pid file
>> 2012/09/20 14:57:45| Squid plugin modules loaded: 0
>> 2012/09/20 14:57:45| Adaptation support is on
>> 2012/09/20 14:57:45| Accepting SSL bumped HTTP Socket connections at
>> local=192.168.8.134:3128 remote=[::] FD 20 flags=9
>> 2012/09/20 14:57:45| Accepting HTTP Socket connections at
>> local=192.168.8.134:8080 remote=[::] FD 21 flags=9
>> 2012/09/20 14:57:45| Accepting SSL bumped HTTPS Socket connections at
>> local=192.168.8.134:3129 remote=[::] FD 22 flags=9
>> 2012/09/20 14:57:46| storeLateRelease: released 0 objects
>>
>> (ssl_crtd): Cannot create ssl certificate or private key.
>> 2012/09/20 14:58:23| WARNING: ssl_crtd #2 exited
>> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
>>
>> 2012/09/20 14:58:23| Starting new helpers
>> 2012/09/20 14:58:23| helperOpenServers: Starting 1/5 'ssl_crtd' processes
>> 2012/09/20 14:58:23| client_side.cc(3478) sslCrtdHandleReply:
>> "ssl_crtd" helper return <NULL> reply
>> (ssl_crtd): Cannot create ssl certificate or private key.
>>
>> 2012/09/20 14:58:23| WARNING: ssl_crtd #1 exited
>> 2012/09/20 14:58:23| Too few ssl_crtd processes are running (need 1/5)
>> 2012/09/20 14:58:23| storeDirWriteCleanLogs: Starting...
>> 2012/09/20 14:58:23| Finished. Wrote 0 entries.
>> 2012/09/20 14:58:23| Took 0.00 seconds ( 0.00 entries/sec).
>> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>>
>> Squid Cache (Version 3.HEAD-20120425-r12120): Terminated abnormally.
>> CPU Usage: 0.355 seconds = 0.289 user + 0.066 sys
>> Maximum Resident Size: 71104 KB
>> Page faults with physical i/o: 0
>> Memory usage for squid via mallinfo():
>> total space in arena: 11924 KB
>> Ordinary blocks: 11818 KB 49 blks
>> Small blocks: 0 KB 0 blks
>> Holding blocks: 664 KB 2 blks
>> Free Small blocks: 0 KB
>> Free Ordinary blocks: 105 KB
>>
>>
>>
>>
>>
>>
>> On Thu, Sep 20, 2012 at 2:52 PM, Linos wrote:
>>> On 19/09/12 16:46, Guy Helmer wrote:
>>>>> Thanks for reply.
>>>>>
>>>>> i checked the squid_ssl_db/size because i found the empty file problem searching
>>>>> for my own problem in the mailing list, it's ok in my host, the file have the
>>>>> content "139264" right now.
>>>>>
>>>>> I can't found the core file, do i need to do something for it to generate? maybe
>>>>> a configure script option or squid.conf change to activate it?
>>>>>
>>>>> Regards,
>>>>> Miguel Angel.
>>>> I have
>>>>
>>>> coredump_dir /var/log/squid
>>>>
>>>> to get coredumps in my /var/log/squid directory. Now that I think about it, I don't remember if this works for ssl_crtd though -- seems like I have had to start "gdb ssl_crtd" and then attach to one of the ssl_crtd processes, then generate HTTPS traffic to trigger the request to ssl_crtd and get a backtrace when ssl_crtd gets the segfault signal…
>>>>
>>>> Guy
>>>>
>>> Hi,
>>> i have been trying to debug with gdb attaching existing process, the strange
>>> it's that ssl_ctrd seems to exit normally in this test, here you have it (sorry
>>> for the spanish locale, i will use english next time, the only file with symbols
>>> it's ssl_crtd itself):
>>>
>>> --------------------------------------------------------------------------------
>>> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
>>> Copyright (C) 2012 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "x86_64-linux-gnu".
>>> Para las instrucciones de informe de errores, vea:
>>> <http://bugs.launchpad.net/gdb-linaro/>.
>>> (gdb) attach 10495
>>> Adjuntando a process 10495
>>> Leyendo símbolos desde /usr/lib/squid3/ssl_crtd...Leyendo símbolos desde
>>> /usr/lib/debug/usr/lib/squid3/ssl_crtd...hecho.
>>> hecho.
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6
>>> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron símbolos
>>> de depuración)hecho.
>>> Símbolos cargados para /lib64/ld-linux-x86-64.so.2
>>> 0x00007f3ef414f0a0 in read () from /lib/x86_64-linux-gnu/libc.so.6
>>> (gdb) continue
>>> Continuando.
>>> [Inferior 1 (process 10495) exited normally]
>>> (gdb) bt
>>> No stack.
>>>
>>> --------------------------------------------------------------------------------
>>>
>>> I have tried attaching to squid3 process itself and i have received a signal here:
>>>
>>> GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
>>> Copyright (C) 2012 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "x86_64-linux-gnu".
>>> Para las instrucciones de informe de errores, vea:
>>> <http://bugs.launchpad.net/gdb-linaro/>.
>>> (gdb) attach 10732
>>> Adjuntando a process 10732
>>> Leyendo símbolos desde /usr/sbin/squid3...coLeyendo símbolos desde
>>> /usr/lib/debug/usr/sbin/squid3...ntinue
>>> hecho.
>>> hecho.
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libpthread.so.0...(no se
>>> encontraron símbolos de depuración)hecho.
>>> [Depuración de hilo usando libthread_db enabled]
>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libpthread.so.0
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libxml2.so.2...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libxml2.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libexpat.so.1...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libexpat.so.1
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libssl.so.0.9.8...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcrypto.so.0.9.8...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5.so.3...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5.so.3
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcom_err.so.2...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcom_err.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libcap.so.2...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libcap.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/librt.so.1...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/librt.so.1
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libltdl.so.7...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libltdl.so.7
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libm.so.6...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libm.so.6
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libgcc_s.so.1...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libgcc_s.so.1
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libc.so.6...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libc.so.6
>>> Leyendo símbolos desde /lib64/ld-linux-x86-64.so.2...(no se encontraron símbolos
>>> de depuración)hecho.
>>> Símbolos cargados para /lib64/ld-linux-x86-64.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libdl.so.2...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libdl.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libz.so.1...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libz.so.1
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libk5crypto.so.3...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
>>> Leyendo símbolos desde /usr/lib/x86_64-linux-gnu/libkrb5support.so.0...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libkeyutils.so.1...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libkeyutils.so.1
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libresolv.so.2...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libresolv.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_files.so.2...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_files.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_compat.so.2...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_compat.so.2
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnsl.so.1...(no se encontraron
>>> símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnsl.so.1
>>> Leyendo símbolos desde /lib/x86_64-linux-gnu/libnss_nis.so.2...(no se
>>> encontraron símbolos de depuración)hecho.
>>> Símbolos cargados para /lib/x86_64-linux-gnu/libnss_nis.so.2
>>> 0x00007f7d6243dac8 in poll () from /lib/x86_64-linux-gnu/libc.so.6
>>> (gdb) continue
>>> Continuando.
>>>
>>> Program received signal SIGPIPE, Broken pipe.
>>> 0x00007f7d647becb0 in __write_nocancel () from /lib/x86_64-linux-gnu/libpthread.so.0
>>> (gdb) bt
>>> #0 0x00007f7d647becb0 in __write_nocancel () from
>>> /lib/x86_64-linux-gnu/libpthread.so.0
>>> #1 0x00007f7d63d075c5 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>> #2 0x00007f7d63d05247 in BIO_write () from /lib/x86_64-linux-gnu/libcrypto.so.0.9.8
>>> #3 0x00007f7d63ffafc4 in ssl3_write_pending () from
>>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>> #4 0x00007f7d63ffc853 in ssl3_dispatch_alert () from
>>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>> #5 0x00007f7d63ff9442 in ssl3_shutdown () from
>>> /lib/x86_64-linux-gnu/libssl.so.0.9.8
>>> #6 0x00007f7d64e8f0f4 in AsyncCall::make (this=0x7f7d687eb390) at AsyncCall.cc:36
>>> #7 0x00007f7d64e92117 in AsyncCallQueue::fireNext (this=<optimized out>) at
>>> AsyncCallQueue.cc:54
>>> #8 0x00007f7d64e92270 in AsyncCallQueue::fire (this=0x7f7d66f5f2c0) at
>>> AsyncCallQueue.cc:40
>>> #9 0x00007f7d64d7c494 in EventLoop::runOnce (this=0x7fff630b3e60) at
>>> EventLoop.cc:131
>>> #10 0x00007f7d64d7c568 in EventLoop::run (this=0x7fff630b3e60) at EventLoop.cc:95
>>> #11 0x00007f7d64ddc039 in SquidMain (argc=<optimized out>, argv=<optimized out>)
>>> at main.cc:1500
>>> #12 0x00007f7d64d10b76 in SquidMainSafe (argv=<optimized out>, argc=<optimized
>>> out>) at main.cc:1215
>>> #13 main (argc=<optimized out>, argv=<optimized out>) at main.cc:1207
>>>
>>> Any ideas what's going on with this information? Thansk!
>>>
>>> Regards,
>>> Miguel Angel.
>>
>>
> Hi Ahmed,
> did you found a way to fix or workaround this? i can't get a backtrace with the
> information needed and no matter what i try it keeps failing, i had to disable
> ssl and my users are a bit upset.
>
> Regards,
> Miguel Angel.

I've taken a quick look at these reports and tried to figure out if
anything obvious is going on.

 From what I can see, there is really no reason why the helper should be
exiting like this. Something it is doing produces an exception, fine,
but the method of handling that exception is to exit instead of
reporting the problem to Squid and continuing with further requests.

As a workaround you can probably patch out the FATAL and let Squid
continuously restart the helpers unless that spams the logs too much for
your liking.

Amos
Received on Mon Sep 24 2012 - 10:52:26 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 24 2012 - 12:00:05 MDT