[squid-users] ssl_crtd reporting certificate database as uninitialized

From: Jason A. Sloan <jason_sloan_at_oh.rr.com>
Date: Wed, 9 Jan 2013 13:38:16 -0500

I’m setting up dynamic SSL cert generation on a Centos 6.3 (i686) platform
but I can’t seem to get ssl-crtd to believe it’s initialized. Perhaps I’m
missing something. Either way I could use another set of eyes / ideas.

I have compiled the latest stable release (3.2.5) and installed it. Packaged
release was not compiled with --enable-ssl-crtd.

When starting squid I get a message in cache.log from ssl-crtd that it
believes the SSL Certificate database is uninitialized….

However I have executed the following:

sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db Initialization
SSL db...
Done

I can even execute ssl-crtd outside of squid and get a response….

sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
new_certificate 13 host=test.com
OK 1531 -----BEGIN CERTIFICATE-----
MIIBmDCC…
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhki…
-----END PRIVATE KEY-----
^C

I have even attemted to chmod –R 777 /var/squid/ssl_db with no success.

2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for
i686-pc-linux-gnu...
2013/01/09 12:49:37 kid1| Process ID 26793
2013/01/09 12:49:37 kid1| Process Roles: worker
2013/01/09 12:49:37 kid1| With 16384 file descriptors available
2013/01/09 12:49:37 kid1| Initializing IP Cache...
2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
2013/01/09 12:49:37 kid1| Adding domain gaming.local from /etc/resolv.conf
2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd'
processes
2013/01/09 12:49:37 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2013/01/09 12:49:37 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
(ssl_crtd): Uninitialized SSL certificate database directory:
/var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory:
/var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory:
/var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory:
/var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory:
/var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
2013/01/09 12:49:37 kid1| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2013/01/09 12:49:37 kid1| Store logging disabled
2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated 20164
objects
2013/01/09 12:49:37 kid1| Target number of buckets: 1008
2013/01/09 12:49:37 kid1| Using 8192 Store buckets
2013/01/09 12:49:37 kid1| Max Mem  size: 262144 KB
2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
2013/01/09 12:49:37 kid1| Using Least Load store dir selection
2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
2013/01/09 12:49:37 kid1| Loaded Icons.
2013/01/09 12:49:37 kid1| HTCP Disabled.
2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
2013/01/09 12:49:37 kid1| Adaptation support is off.
2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket connections at
local=[::]:3128 remote=[::] FD 21 flags=9
2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running (need 1/5)
2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
2013/01/09 12:49:37 kid1|   Finished.  Wrote 0 entries.
2013/01/09 12:49:37 kid1|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Squid Cache (Version 3.2.5): Terminated abnormally.
CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys Maximum Resident Size:
50304 KB Page faults with physical i/o: 0 Memory usage for squid via
mallinfo():
        total space in arena:    4784 KB
        Ordinary blocks:         4655 KB      8 blks
        Small blocks:               0 KB      0 blks
        Holding blocks:          7252 KB      6 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:     128 KB
        Total in use:           11907 KB 249%
        Total free:               128 KB 3%

Full configure used in compile here:
./configure \
   --exec_prefix=/usr \
   --libexecdir=/usr/lib/squid \
   --includedir=/usr/include \
   --localstatedir=/var \
   --datadir=/usr/share/squid \
   --bindir=/usr/sbin \
   --sysconfdir=/etc/squid \
   --with-logdir='/var/log/squid' \
   --with-pidfile='/var/run/squid.pid' \
   --disable-dependency-tracking \
   --enable-arp-acl \
   --enable-follow-x-forwarded-for \
  
--enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SA
SL,DB,POP3,squid_radius_auth" \
   --enable-auth-digest="password,ldap,eDirectory" \
   --enable-auth-ntlm="smb_lm,no_check,fakeauth" \
   --enable-auth-negotiate \
  
--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_
group" \
   --enable-cache-digests \
   --enable-cachemgr-hostname=localhost \
   --enable-delay-pools \
   --enable-epoll \
   --enable-icap-client \
   --enable-ident-lookups \
   --with-large-files \
   --enable-linux-netfilter \
   --enable-referer-log \
   --enable-removal-policies="heap,lru" \
   --enable-snmp \
   --enable-ssl \
   --enable-ssl-crtd \
   --enable-storeio="aufs,diskd,ufs" \
   --enable-useragent-log \
   --enable-wccpv2 \
   --enable-esi \
   --with-aio \
   --with-default-user="squid" \
   --with-filedescriptors=16384 \
   --with-dl \
   --with-openssl \
   --with-pthreads

Relevant squid.conf settings:

# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer
key=/etc/squid/squid.key

# Squid SSL Certificate Daemon Options
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
sslcrtd_children 5

Thanks in advance!
Received on Wed Jan 09 2013 - 18:38:24 MST

This archive was generated by hypermail 2.2.0 : Tue Jan 22 2013 - 12:00:04 MST