Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2023-09-28 Thread Alex Rousskov

On 2023-09-28 00:52, Bud Miljkovic wrote:


> # Intercept tranparent HTTPS traffic
> https_port 3129 intercept ssl-bump ssl_bump splice all


This should be refactored into two lines:

https_port 3129 intercept ssl-bump ...
ssl_bump splice all

After that, replace "..." above with cert=... and, optionally, other 
ssl-bump parameters from your other "https_port 3129" line below.




> # Add certificate
> https_port 3129 intercept ssl-bump ...


Remove these lines: The https_port directive does not support "adding" 
options to a previously configured port. Use a single https_port directive 
per port. Same for http_port, of course.



HTH,

Alex.



___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users




[squid-users] No valid signing SSL certificate configured for HTTPS_port

2023-09-27 Thread Bud Miljkovic
Would you know anything about this Squid problem?
Given the squid-ota.conf file:
```
# An ACL named 'whitelist'
acl whitelist dstdomain '/etc/squid/whitelist.ota'

# Allow whitelisted URLs through
http_access allow whitelist

# Block the rest
http_access deny all

# Intercept tranparent HTTPS traffic
https_port 3129 intercept ssl-bump ssl_bump splice all

# Send out HTTPS trafic to destination server
tcp_outgoing_address 10.3.16.51

# Add certificate
https_port 3129 intercept ssl-bump \
   cert=/etc/squid/ssl_cert/myCA.pem \
   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB

#Visible hostname
visible_hostname ctct-r2
```
When the `squid.service` is started the following output is printed:

```
Sep 28 16:17:04 ctct-r2 systemd[1]: Started Squid Proxy Server (OTA Mode).
Sep 28 16:17:04 ctct-r2 squid[1059]: No valid signing SSL certificate configured for HTTPS_port [::]:3129
Sep 28 16:17:04 ctct-r2 squid[1059]: FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:3129
Sep 28 16:17:04 ctct-r2 squid[1059]: Squid Cache (Version 3.5.25): Terminated abnormally.
Sep 28 16:17:04 ctct-r2 squid[1059]: CPU Usage: 0.040 seconds = 0.030 user + 0.010 sys
Sep 28 16:17:04 ctct-r2 squid[1059]: Maximum Resident Size: 38656 KB
```
Any lead is greatly appreciated.

Buda



-- 
Budimir Miljković BSc E | He
Senior Development Engineer
Civil Construction Field Systems
Trimble

11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile

www.trimble.com



[squid-users] No valid signing SSL certificate configured for HTTPS_port [::]:3128 (SSL Bump)

2017-05-09 Thread Mohammed al-jakry
Hi,

I am facing an issue with Squid 3.5 with SSL Bump configuration. I already
configured it without SSL bump and it works fine, but after configuring the
intercept process it shows the below error:

No valid signing SSL certificate configured for HTTPS_port [::]:3128

Below is a snippet from the Squid configuration file:

```
https_port 3128 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/etc/squid/ssl_cert/myCA.pem

# For squid 3.5.x
sslcrtd_program /usr/lib64/squid/ssl_crtd  -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

I used the below link as a guide in creating the certificate:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Moreover, below is the result of the squid -k command:

```
2017/05/09 09:38:26| Startup: Initializing Authentication Schemes ...
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'basic'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'digest'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'negotiate'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'ntlm'
2017/05/09 09:38:26| Startup: Initialized Authentication.
2017/05/09 09:38:26| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/05/09 09:38:26| Processing: acl localnet src 172.16.10.0/24 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src fc00::/7   # RFC 4193 local private network range
2017/05/09 09:38:26| Processing: acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
2017/05/09 09:38:26| Processing: acl SSL_ports port 443
2017/05/09 09:38:26| Processing: acl Safe_ports port 80 # http
2017/05/09 09:38:26| Processing: acl Safe_ports port 21 # ftp
2017/05/09 09:38:26| Processing: acl Safe_ports port 443 # https
2017/05/09 09:38:26| Processing: acl Safe_ports port 70 # gopher
2017/05/09 09:38:26| Processing: acl Safe_ports port 210 # wais
2017/05/09 09:38:26| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/05/09 09:38:26| Processing: acl Safe_ports port 280 # http-mgmt
2017/05/09 09:38:26| Processing: acl Safe_ports port 488 # gss-http
2017/05/09 09:38:26| Processing: acl Safe_ports port 591 # filemaker
2017/05/09 09:38:26| Processing: acl Safe_ports port 777 # multiling http
2017/05/09 09:38:26| Processing: acl CONNECT method CONNECT
2017/05/09 09:38:26| Processing: http_access deny !Safe_ports
2017/05/09 09:38:26| Processing: http_access deny CONNECT !SSL_ports
2017/05/09 09:38:26| Processing: http_access allow localhost manager
2017/05/09 09:38:26| Processing: http_access deny manager
2017/05/09 09:38:26| Processing: http_access allow localnet
2017/05/09 09:38:26| Processing: http_access allow localhost
2017/05/09 09:38:26| Processing: http_access deny all
2017/05/09 09:38:26| Processing: https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
2017/05/09 09:38:26| Starting Authentication on port [::]:3128
2017/05/09 09:38:26| Disabling Authentication on port [::]:3128 (interception enabled)
2017/05/09 09:38:26| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/05/09 09:38:26| Processing: acl step1 at_step SslBump1
2017/05/09 09:38:26| Processing: ssl_bump peek step1
2017/05/09 09:38:26| Processing: ssl_bump bump all
2017/05/09 09:38:26| Processing: cache_dir ufs /var/spool/squid 100 16 256
2017/05/09 09:38:26| Processing: coredump_dir /var/spool/squid
2017/05/09 09:38:26| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/05/09 09:38:26| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/05/09 09:38:26| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/05/09 09:38:26| Processing: refresh_pattern . 0 20% 4320
2017/05/09 09:38:26| Initializing https proxy context
2017/05/09 09:38:26| Initializing https_port [::]:3128 SSL context
2017/05/09 09:38:26| Using certificate in /etc/squid/ssl_cert/myCA.pem
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:3128
Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.027 seconds = 0.013 user + 0.014 sys
Maximum Resident Size: 37264 KB
Page faults with physical i/o: 0
```

I already did googling for this issue, and I found a similar issue and it was
solved by setting SELinux to permissive and reboot. I already did the same
but it's still not working. Please advise.

Thanks and Regards,

Mohammed AL-Jakri


Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2016-11-08 Thread konradka
Hi Amos,

This could be the problem. I built another VM based on Debian and ended up
creating my own CA / PKI.

Self-signed certificates worked and I was able to move on at last.

Great learning experience to see how SSL / openssl works.

Now I am stuck with Windows client unable to connect to reverse-proxyfied
Exchange.

When I connect via NAT/PAT, I can get to OWA/ECP.

When squid is acting as reverse-proxy, connection is timing out.

Looks like my Exchange SSL is not working but I will deal with this later.

Thanks a lot for your help.

Cheers

Konrad




On Tue, Nov 8, 2016 at 6:18 AM, Amos Jeffries [via Squid Web Proxy Cache] <
ml-node+s1019090n468045...@n4.nabble.com> wrote:

> On 6/11/2016 7:52 a.m., Garri Djavadyan wrote:
>
> > On 2016-11-05 23:10, konradka wrote:
> >> Hi Garri,
> >>
> >> Thanks for your responses mate !
> >>
> >> I did not realize that the squid was compiled with proxy user. Well
> >> spotted
> >> !
> >>
> >> It looks like permission's issue but squid error message is not giving
> >> away
> >> any more details.
> >>
> >> I will configure debug_options to see what is failing exactly.
> >>
> >> The modulus check is a good idea too so I will get this checked and
> >> post the
> >> results.
> >
> > Actually, there should not be problems with DAC rights for user 'proxy',
> > I found that Squid reads the keys as root. But there may be problems
> > with MAC rights for Squid, if any enabled by default. As you use Ubuntu,
> > you should check AppArmor logs for problems indication.
> >
> > The same error may appear, if path or filename is misspelled.
> >
>
> Or if the key= parameter is listed before the cert= parameter. I have
> just made that case a different (and FATAL) error on config loading.
>
> After loading the cert and key from the relevant files, Squid verifies
> that they are a matching pair. This message is output if for any reason
> that check fails, or the loading fails.
>
> Amos
>






Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2016-11-07 Thread Amos Jeffries
On 6/11/2016 7:52 a.m., Garri Djavadyan wrote:
> On 2016-11-05 23:10, konradka wrote:
>> Hi Garri,
>>
>> Thanks for your responses mate !
>>
>> I did not realize that the squid was compiled with proxy user. Well
>> spotted
>> !
>>
>> It looks like permission's issue but squid error message is not giving
>> away
>> any more details.
>>
>> I will configure debug_options to see what is failing exactly.
>>
>> The modulus check is a good idea too so I will get this checked and
>> post the
>> results.
> 
> Actually, there should not be problems with DAC rights for user 'proxy',
> I found that Squid reads the keys as root. But there may be problems
> with MAC rights for Squid, if any enabled by default. As you use Ubuntu,
> you should check AppArmor logs for problems indication.
> 
> The same error may appear, if path or filename is misspelled.
> 

Or if the key= parameter is listed before the cert= parameter. I have
just made that case a different (and FATAL) error on config loading.

After loading the cert and key from the relevant files, Squid verifies
that they are a matching pair. This message is output if for any reason
that check fails, or the loading fails.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
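
The port-configuration mistakes named in this thread can be checked before Squid is started: two https_port directives for one port and ssl_bump merged into an https_port line (Alex Rousskov's 2023 reply), and key= listed before cert= (Amos Jeffries' reply above). The linter below is an added example, not code from the thread or from the Squid project; its function names and finding codes are made up for illustration, and the "ssl-bump without cert=" check is an assumption drawn from the configuration Bud Miljkovic posted.

```python
from collections import defaultdict

PORT_DIRECTIVES = {"http_port", "https_port"}

# The https_port lines from the configuration posted in this thread (2023 message).
POSTED = r"""# Intercept tranparent HTTPS traffic
https_port 3129 intercept ssl-bump ssl_bump splice all

# Add certificate
https_port 3129 intercept ssl-bump \
   cert=/etc/squid/ssl_cert/myCA.pem \
   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""

# The same settings arranged as the reply recommends: one https_port directive
# for the port, with ssl_bump on a line of its own.
FIXED = r"""https_port 3129 intercept ssl-bump \
   cert=/etc/squid/ssl_cert/myCA.pem \
   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump splice all
"""


def directives(conf_text):
    """Yield (first_line_no, tokens) per directive, joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank line or whole-line comment
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).split()
        buf, start = "", None
    if start is not None:
        yield start, buf.split()  # file ended in the middle of a continuation


def lint(conf_text):
    """Return sorted (line_no, code, message) findings for http(s)_port directives."""
    findings, seen = [], defaultdict(list)
    for no, tokens in directives(conf_text):
        if not tokens or tokens[0] not in PORT_DIRECTIVES or len(tokens) < 2:
            continue
        name, addr, opts = tokens[0], tokens[1], tokens[2:]
        seen[(name, addr)].append(no)
        keys = [o.split("=", 1)[0] for o in opts]  # option names without values
        if "ssl_bump" in keys:
            findings.append((no, "merged-directive",
                             f"ssl_bump is a separate directive, not a {name} option"))
        if "ssl-bump" in keys and "cert" not in keys:  # assumption, see lead-in
            findings.append((no, "bump-without-cert",
                             f"{name} {addr} enables ssl-bump but sets no cert="))
        if "key" in keys and "cert" in keys and keys.index("key") < keys.index("cert"):
            findings.append((no, "key-before-cert",
                             f"{name} {addr} lists key= before cert="))
    for (name, addr), lines in seen.items():
        for extra in lines[1:]:  # every directive after the first for this port
            findings.append((extra, "duplicate-port",
                             f"{name} {addr} already configured on line {lines[0]}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label)
        for no, code, msg in lint(conf):
            print(f"  line {no}: [{code}] {msg}")
```

The linter only inspects the text of the configuration; whether the certificate and key files load and match is still something only Squid or openssl can confirm.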


Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2016-11-05 Thread Garri Djavadyan

On 2016-11-05 23:10, konradka wrote:

> Hi Garri,
>
> Thanks for your responses mate !
>
> I did not realize that the squid was compiled with proxy user. Well spotted !
>
> It looks like permission's issue but squid error message is not giving away
> any more details.
>
> I will configure debug_options to see what is failing exactly.
>
> The modulus check is a good idea too so I will get this checked and post the
> results.


Actually, there should not be problems with DAC rights for user 'proxy', 
I found that Squid reads the keys as root. But there may be problems 
with MAC rights for Squid, if any enabled by default. As you use Ubuntu, 
you should check AppArmor logs for problems indication.


The same error may appear, if path or filename is misspelled.


Garri


Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2016-11-05 Thread Garri Djavadyan

On 2016-11-05 22:09, Garri Djavadyan wrote:

> 1. Does your certificate signed by StartSSL CA
> (/home/kk/ssl/cert-mail/mail.contoso.com.pem) corresponds to your
> private key (/home/kk/ssl/cert-mail/mail.contoso.com.key)?


For the 'corresponds' I mean, does CSR for StartSSL was generated using 
exactly same key [/home/kk/ssl/cert-mail/mail.contoso.com.key]?


You can check whether the certificate and private key corresponds to 
each other by inspecting modulus. The modulus should be identical. For 
example, you can use the following openssl commands:


# openssl x509 -in /home/kk/ssl/cert-mail/mail.contoso.com.pem -modulus -noout
# openssl rsa -in /home/kk/ssl/cert-mail/mail.contoso.com.key -modulus -noout



Garri


Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2016-11-05 Thread Garri Djavadyan

On 2016-11-05 21:24, Konrad Kaluszynski wrote:



Hi,

Sorry, if my questions would appear naive, but:

1. Does your certificate signed by StartSSL CA 
(/home/kk/ssl/cert-mail/mail.contoso.com.pem) corresponds to your 
private 

[squid-users] No valid signing SSL certificate configured for HTTPS_port

2016-11-05 Thread Konrad Kaluszynski
Hi All,

My goal is to configure a reverse proxy for Outlook Anywhere clients using
squid.
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc

This will replace existing TMG that my client is currently using.

However, when I run squid I get an error  "No valid signing SSL certificate
configured for HTTPS_port".

Before, I was able to get OWA and HTTPS traffic using NGINX as reverse
proxy but was getting connection errors when trying to use OutlookAnywhere.

So now I have been testing Squid but cannot get past the certificate
installation which was painless under Nginx.

Configuration is based on an article below:
https://sysadminfixes.wordpress.com/2013/01/25/exchanging-squids/

I have been trying for several days now without much success to configure
SSL certificate on my squid server.

Getting the " ...no valid signing certificate" every time.

I found few posts saying that it was not possible to use SSL certificates
signed by public CA and self-signed certs must be used.

Can anyone confirm if this is a case?

Logs and config files below.

My domain name has been replaced with contoso.com
for confidentiality sake.

squid server- srv-squid.contoso.com / 3.3.3.201

uname -a
Linux srv-squid 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux


exchange server - exch.contoso.com / 10.2.2.30

SSL certificate:
obtained from StartSSL for mail.contoso.com

SQUID.CONF

 START

```
visible_hostname mail.contoso.com
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh ###this causes an error
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none
cache_mgr nomail_address_given
forwarded_for transparent
### ignore_expect_100 ## not available in version 3.5
ssl_unclean_shutdown on
### The most important line
 ### "cert" should contain Exchange certificate and key
 ### "sslproxy_cafile" contains CA of root servers - StartSSL ?!
https_port mail.contoso.com:443 accel cert=/home/kk/ssl/cert-mail/mail.contoso.com.pem defaultsite=mail.contoso.com key=/home/kk/ssl/cert-mail/mail.contoso.com.key

cache_peer exch.kk1.tech parent 443 0 proxy-only no-digest no-query originserver front-end-https=on login=PASS sslflags=DONT_VERIFY_PEER connection-auth=on name=Exchange

acl exch_url url_regex -i mail.contoso.com/owa
acl exch_url url_regex -i mail.contoso.com/microsoft-server-activesync
acl exch_url url_regex -i mail.contoso.com/rpc

cache_peer_access Exchange allow exch_url
cache_peer_access Exchange deny all
never_direct allow exch_url
http_access allow exch_url
http_access deny all
miss_access allow exch_url
miss_access deny all
deny_info https://mail.contoso.com/owa all
###END
```

ERROR
cache.log
```
2016/11/05 08:52:13| storeDirWriteCleanLogs: Starting...
2016/11/05 08:52:13|   Finished.  Wrote 0 entries.
2016/11/05 08:52:13|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: No valid signing SSL certificate configured for HTTPS_port 3.3.3.201:443
Squid Cache (Version 3.5.22): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 46624 KB
Page faults with physical i/o: 0
```

SQUID - compiled from sources
squid -v
Squid Cache: Version 3.5.22
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid3' '--srcdir=.' '--datadir=/share/squid3'
'--sysconfdir=/etc/squid3' '--with-logdir=/var/log'
'--with-pidfile=/var/run/squid3.pid' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=' '--enable-arp-acl' '--enable-esi'
'--enable-ssl' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation'
'--with-logdir=/var/log/squid3' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--with-ssl'
'--disable-ipv6' '--with-openssl' --enable-ltdl-convenience

Appreciate any feedback

Cheers

Konrad