Project: RHEL
Issue: RHEL-61303

squid and openssl can't agree on pem-file

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • CentOS Stream 9
    • squid
    • rhel-sst-cs-stacks
    • ssg_core_services
    • x86_64

      What were you trying to do that didn't work?

      Trying to set up a bumping squid following this article (https://access.redhat.com/solutions/5702291) with these adjustments (https://access.redhat.com/solutions/6998842).

      But squid fails to read the generated myca.pem with the error:

      ERROR: Failed to acquire TLS certificate '/etc/ssl/myca.pem': error:0480006C:PEM routines::no start line

      What is the impact of this issue to you?

      unable to use the software

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      never got it working - so I'd say 100%

      Steps to reproduce

      1. dnf install squid

      2. generate self-signed CA
         # cd /etc/ssl
         # openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout myca.pem -out myca.pem
         # chgrp squid myca.pem
         # chmod g+r myca.pem

      3. verify squid user can read myca.pem
         # su -c 'openssl x509 -in /etc/ssl/myca.pem -noout -subject' -s /bin/bash - squid
         subject=C=SE, ST=Xxxx, L=Xxx, O=Xxxx, OU=Xxx, CN=squid.xxx.local, emailAddress=my.name@xxx.se

      4. in /etc/squid/squid.conf, replace
         http_port 3128
         with
         ## Squid SSL bump configuration
         http_port 3128 ssl-bump cert=/etc/ssl/myca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
         sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
         sslcrtd_children 3 startup=1 idle=1

         ## You will also need to add ssl_bump rules enabling HTTPS decryption
         acl step1 at_step SslBump1
         ssl_bump peek step1
         ssl_bump bump all

      5. initialize ssl_db
         /usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
         restorecon -R -v /var/lib/ssl_db/

      6. restart squid
         [root@squid ssl]# systemctl restart squid
         Job for squid.service failed because the control process exited with error code.
         See "systemctl status squid.service" and "journalctl -xeu squid.service" for details.
         [root@squid ssl]# systemctl status squid|grep ERROR
         Oct 02 17:14:44 squid.advlab.local squid[30913]: 2024/10/02 17:14:44| ERROR: Failed to acquire TLS certificate '/etc/ssl/myca.pem': error:0480006C:PEM routines::no start line

      Expected results

      started service

      Actual results

      squid failed to read the certificate
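The report verifies the file with "openssl x509", which only reads the certificate block, while squid's "cert=" option without a separate "key=" expects the same file to hold the private key as well, and OpenSSL's "no start line" simply means it found no "-----BEGIN <type>-----" marker for the object it was asked to load. As an added example (not part of the bug report, the Red Hat articles, or squid's own tooling), the POSIX sh script below inventories the PEM blocks in a file and reports which half is missing before squid is pointed at it. It relies only on sed, grep and, optionally, openssl; the function names are this example's own, and the sample PEM files it builds are constructed placeholders rather than real key material.

```shell
#!/bin/sh
# Added example, not from the bug report: inventory the PEM blocks in a file
# before pointing squid's "cert=" option at it.  OpenSSL's "no start line"
# means it found no "-----BEGIN <type>-----" marker for the object it was
# asked to load, so the first question is which markers the file carries.
# Function names below are this example's own, not squid or openssl APIs.

# Print the label of every "-----BEGIN <label>-----" line in $1.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Number of certificate blocks in $1 (always exits 0, even when the count is 0).
pem_cert_count() {
    pem_blocks "$1" | grep -Ec '^(TRUSTED )?CERTIFICATE$' || true
}

# Number of private-key blocks in $1: "PRIVATE KEY", "RSA PRIVATE KEY",
# "EC PRIVATE KEY" and "ENCRYPTED PRIVATE KEY" all end the same way.
pem_key_count() {
    pem_blocks "$1" | grep -c 'PRIVATE KEY$' || true
}

# squid's "cert=FILE" without a separate "key=" expects FILE to hold both the
# certificate and its private key.  Exit 0 when both are present, 1 when one
# is missing, 2 when the file cannot be read by the current user.
check_bump_pem() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "$file: not readable by $(id -un)" >&2
        return 2
    fi
    certs=$(pem_cert_count "$file")
    keys=$(pem_key_count "$file")
    echo "$file: $certs certificate block(s), $keys private key block(s)"
    if [ "$certs" -eq 0 ]; then
        echo "$file: no CERTIFICATE block; this is the 'no start line' case" >&2
        return 1
    fi
    if [ "$keys" -eq 0 ]; then
        echo "$file: no PRIVATE KEY block; squid needs the key here or via key=" >&2
        return 1
    fi
    return 0
}

# Parse both halves with openssl when it is installed.  "openssl x509" reads
# only the certificate, so a passing x509 check says nothing about the key;
# "openssl pkey" covers that half.
pem_verify_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed, skipping parse check"
        return 0
    fi
    openssl x509 -in "$1" -noout -subject && openssl pkey -in "$1" -noout
}

# Build a constructed sample file: $1 = path, $2 = cert | key | both.
# The body lines are placeholders, not real certificate or key material.
make_sample() {
    : > "$1"
    case $2 in
        cert|both) printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' '-----END CERTIFICATE-----' >> "$1" ;;
    esac
    case $2 in
        key|both) printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
            'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' '-----END PRIVATE KEY-----' >> "$1" ;;
    esac
}

if [ $# -gt 0 ]; then
    # Real use: sh pem_check.sh /etc/ssl/myca.pem (run it as the squid user
    # to catch permission problems as well as content problems).
    check_bump_pem "$1" && pem_verify_openssl "$1"
else
    # Self-contained demonstration on constructed files.
    tmp=$(mktemp -d)
    make_sample "$tmp/cert_only.pem" cert
    make_sample "$tmp/cert_and_key.pem" both
    check_bump_pem "$tmp/cert_only.pem" || echo "cert_only.pem rejected, as expected"
    check_bump_pem "$tmp/cert_and_key.pem" && echo "cert_and_key.pem accepted"
    rm -rf "$tmp"
fi
```

Running it as the squid user (for instance through the same "su -s /bin/bash - squid" form the report uses) separates a permissions problem from a content problem: the first shows up as "not readable", the second as a zero count for one of the two block types.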

              Assignee: Lubos Uhliarik (luhliari@redhat.com)
              Reporter: Mattias Fransson (advaniamatfra, Inactive)
              Lubos Uhliarik
              rhel-cs-infra-services-qe