I’m setting up dynamic SSL cert generation on a CentOS 6.3 (i686) platform,
but I can’t seem to get ssl_crtd to believe it’s initialized. Perhaps I’m
missing something. Either way, I could use another set of eyes / ideas.
I have compiled the latest stable release (3.2.5) and installed it. The packaged
release was not compiled with --enable-ssl-crtd.
When starting squid I get a message in cache.log from ssl_crtd that it
believes the SSL certificate database is uninitialized...
However I have executed the following:
sudo -u squid /usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db
Initialization SSL db...
Done
I can even execute ssl_crtd outside of squid and get a response...
sudo -u squid /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
new_certificate 13 host=test.com
OK 1531 -----BEGIN CERTIFICATE-----
MIIBmDCC…
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhki…
-----END PRIVATE KEY-----
^C
I have even attempted to chmod -R 777 /var/squid/ssl_db with no success.
2013/01/09 12:49:37 kid1| Starting Squid Cache version 3.2.5 for i686-pc-linux-gnu...
2013/01/09 12:49:37 kid1| Process ID 26793
2013/01/09 12:49:37 kid1| Process Roles: worker
2013/01/09 12:49:37 kid1| With 16384 file descriptors available
2013/01/09 12:49:37 kid1| Initializing IP Cache...
2013/01/09 12:49:37 kid1| DNS Socket created at [::], FD 7
2013/01/09 12:49:37 kid1| DNS Socket created at 0.0.0.0, FD 8
2013/01/09 12:49:37 kid1| Adding domain gaming.local from /etc/resolv.conf
2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
2013/01/09 12:49:37 kid1| Adding nameserver <redacted> from /etc/resolv.conf
2013/01/09 12:49:37 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2013/01/09 12:49:37 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2013/01/09 12:49:37 kid1| Logfile Daemon: opening log /var/log/squid/access.log
(ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/squid/ssl_db. To initialize, run "ssl_crtd -c -s /var/squid/ssl_db".
2013/01/09 12:49:37 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2013/01/09 12:49:37 kid1| Store logging disabled
2013/01/09 12:49:37 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2013/01/09 12:49:37 kid1| Target number of buckets: 1008
2013/01/09 12:49:37 kid1| Using 8192 Store buckets
2013/01/09 12:49:37 kid1| Max Mem size: 262144 KB
2013/01/09 12:49:37 kid1| Max Swap size: 0 KB
2013/01/09 12:49:37 kid1| Using Least Load store dir selection
2013/01/09 12:49:37 kid1| Set Current Directory to /var/spool/squid
2013/01/09 12:49:37 kid1| Loaded Icons.
2013/01/09 12:49:37 kid1| HTCP Disabled.
2013/01/09 12:49:37 kid1| Squid plugin modules loaded: 0
2013/01/09 12:49:37 kid1| Adaptation support is off.
2013/01/09 12:49:37 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2013/01/09 12:49:37 kid1| WARNING: ssl_crtd #1 exited
2013/01/09 12:49:37 kid1| Too few ssl_crtd processes are running (need 1/5)
2013/01/09 12:49:37 kid1| Closing HTTP port [::]:3128
2013/01/09 12:49:37 kid1| storeDirWriteCleanLogs: Starting...
2013/01/09 12:49:37 kid1| Finished. Wrote 0 entries.
2013/01/09 12:49:37 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
Squid Cache (Version 3.2.5): Terminated abnormally.
CPU Usage: 0.100 seconds = 0.036 user + 0.064 sys
Maximum Resident Size: 50304 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena: 4784 KB
Ordinary blocks: 4655 KB 8 blks
Small blocks: 0 KB 0 blks
Holding blocks: 7252 KB 6 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 128 KB
Total in use: 11907 KB 249%
Total free: 128 KB 3%
Full configure used in compile here:
./configure \
--exec_prefix=/usr \
--libexecdir=/usr/lib/squid \
--includedir=/usr/include \
--localstatedir=/var \
--datadir=/usr/share/squid \
--bindir=/usr/sbin \
--sysconfdir=/etc/squid \
--with-logdir='/var/log/squid' \
--with-pidfile='/var/run/squid.pid' \
--disable-dependency-tracking \
--enable-arp-acl \
--enable-follow-x-forwarded-for \
--enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth" \
--enable-auth-digest="password,ldap,eDirectory" \
--enable-auth-ntlm="smb_lm,no_check,fakeauth" \
--enable-auth-negotiate \
--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
--enable-cache-digests \
--enable-cachemgr-hostname=localhost \
--enable-delay-pools \
--enable-epoll \
--enable-icap-client \
--enable-ident-lookups \
--with-large-files \
--enable-linux-netfilter \
--enable-referer-log \
--enable-removal-policies="heap,lru" \
--enable-snmp \
--enable-ssl \
--enable-ssl-crtd \
--enable-storeio="aufs,diskd,ufs" \
--enable-useragent-log \
--enable-wccpv2 \
--enable-esi \
--with-aio \
--with-default-user="squid" \
--with-filedescriptors=16384 \
--with-dl \
--with-openssl \
--with-pthreads
Relevant squid.conf settings:
# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer key=/etc/squid/squid.key
# Squid SSL Certificate Daemon Options
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
sslcrtd_children 5
Thanks in advance!
Received on Wed Jan 09 2013 - 18:38:24 MST
This archive was generated by hypermail 2.2.0 : Tue Jan 22 2013 - 12:00:04 MST
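The initialization, layout check and stdin smoke test that the post walks through, as an added shell example that is not part of the original message or of Squid itself. It assumes the database layout that ssl_crtd -c creates as read from Squid's src/ssl/certificate_db.cc (a certs/ directory plus index.txt, serial and size files), that the helper exits when its stdin is closed (as Squid helpers must), and the poster's helper path, database directory and -M 4MB setting. `sslcrtd_request` only frames the request line the helper reads on stdin, so it and `sslcrtd_db_check` run without ssl_crtd installed; run the script as the helper's user (sudo -u squid sh ...) so the writability checks reflect what the helper will see rather than root:

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# Squid 3.2 ssl_crtd certificate database.
#
# Assumption: "ssl_crtd -c -s DIR" creates these entries inside DIR
# (per Squid's src/ssl/certificate_db.cc); the helper refuses to start
# when it cannot find a valid database there.
SSLCRTD_DB_ENTRIES="certs index.txt serial size"

# sslcrtd_db_check DIR
# Return 0 if DIR looks like an initialized ssl_crtd database that the
# *current* user can write to; print the first problem found and return 1
# otherwise. Run as the helper's user so -w means what the helper sees.
sslcrtd_db_check() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    [ -w "$dir" ] || { echo "not writable by $(id -un): $dir"; return 1; }
    for entry in $SSLCRTD_DB_ENTRIES; do
        [ -e "$dir/$entry" ] || { echo "missing $dir/$entry (run: ssl_crtd -c -s $dir)"; return 1; }
    done
    [ -d "$dir/certs" ] || { echo "$dir/certs is not a directory"; return 1; }
    [ -w "$dir/certs" ] || { echo "$dir/certs not writable by $(id -un)"; return 1; }
    return 0
}

# sslcrtd_request HOST
# Print the request line Squid writes to the helper's stdin. The number is
# the byte length of the body that follows ("host=..."); hostnames are
# ASCII (IDNA names arrive as punycode), so ${#body} is the byte count.
sslcrtd_request() {
    body="host=$1"
    printf 'new_certificate %d %s\n' "${#body}" "$body"
}

# sslcrtd_init HELPER DIR
# Initialize DIR with the helper and verify the result. Run this as the
# cache_effective_user so that user, not root, owns what gets created.
sslcrtd_init() {
    helper=$1; dir=$2
    "$helper" -c -s "$dir" || return 1
    sslcrtd_db_check "$dir"
}

# sslcrtd_smoke HELPER DIR HOST
# Feed one request to the helper exactly as Squid would and succeed only if
# the response starts with "OK ". The helper exits once stdin hits EOF.
# "-M 4MB" matches the poster's sslcrtd_program line.
sslcrtd_smoke() {
    helper=$1; dir=$2; host=$3
    sslcrtd_request "$host" | "$helper" -s "$dir" -M 4MB | grep -q '^OK '
}

# Constructed, offline demo (no ssl_crtd needed): a fake layout passes the
# check, and the request framing matches the line used in the post.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/certs"
: > "$demo_dir/index.txt"; : > "$demo_dir/serial"; : > "$demo_dir/size"
sslcrtd_db_check "$demo_dir" && echo "constructed layout: OK"
rm -rf "$demo_dir"
sslcrtd_request test.com

# Real use, as the helper's user (assumed paths from the post):
#   sudo -u squid sh this.sh
#   then, in a shell as squid:
#   sslcrtd_init  /usr/lib/squid/ssl_crtd /var/squid/ssl_db
#   sslcrtd_smoke /usr/lib/squid/ssl_crtd /var/squid/ssl_db test.com && echo helper OK
```

If `sslcrtd_db_check` passes as the squid user but Squid still logs "Uninitialized SSL certificate database directory", compare the `-s` path in the log message with the one in sslcrtd_program character for character, and confirm the helper Squid launches is the same binary you initialized with (which ssl_crtd; the packaged build may still be on the PATH).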