On 2016-11-05 21:24, Konrad Kaluszynski wrote:
Hi All,
My goal is to configure a reverse proxy for Outlook Anywhere clients
using squid.
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
This will replace existing TMG that my client is currently using.
However, when I run squid I get an error "No valid signing SSL
certificate configured for HTTPS_port".
Before, I was able to get OWA and HTTPS traffic using NGINX as reverse
proxy but was getting connection errors when trying to use
OutlookAnywhere.
So now I have been testing Squid but cannot get past the certificate
installation which was painless under Nginx.
Configuration is based on an article below:
https://sysadminfixes.wordpress.com/2013/01/25/exchanging-squids/
I have been trying for several days now without much success to
configure SSL certificate on my squid server.
Getting the " ...no valid signing certificate" every time.
I found few posts saying that it was not possible to use SSL
certificates signed by public CA and self-signed certs must be used.
Can anyone confirm if this is a case?
Logs and config files below.
My domain name has been replaced with _contoso.com [1]_ for
confidentiality sake.
squid server- srv-_squid.contoso.com [2]_ / 3.3.3.201
uname -a
Linux srv-squid 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
exchange server - exch.contoso.com [3] / 10.2.2.30
SSL certificate:
obtained from StartSSL for mail.contoso.com [4]
SQUID.CONF
#### START
visible_hostname mail.contoso.com [4]
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h"
"%{User-Agent}>h" %Ss:%Sh ###this causes an error
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none
cache_mgr nomail_address_given
forwarded_for transparent
### ignore_expect_100 ## not available in version 3.5
ssl_unclean_shutdown on
### The most important line
### "cert" should contain Exchange certificate and key
### "sslproxy_cafile" contains CA of root servers - StartSSL ?!
https_port mail.contoso.com:443 [5] accel
cert=/home/kk/ssl/cert-mail/mail.contoso.com.pem
defaultsite=mail.contoso.com [4]
key=/home/kk/ssl/cert-mail/mail.contoso.com.key
cache_peer exch.kk1.tech parent 443 0 proxy-only no-digest no-query
originserver front-end-https=on login=PASS sslflags=DONT_VERIFY_PEER
connection-auth=on name=Exchange
acl exch_url url_regex -i mail.contoso.com/owa [6]
acl exch_url url_regex -i mail.contoso.com/microsoft-server-activesync
[7]
acl exch_url url_regex -i mail.contoso.com/rpc [8]
cache_peer_access Exchange allow exch_url
cache_peer_access Exchange deny all
never_direct allow exch_url
http_access allow exch_url
http_access deny all
miss_access allow exch_url
miss_access deny all
deny_info https://mail.contoso.com/owa all
###END
ERROR
cache.log
2016/11/05 08:52:13| storeDirWriteCleanLogs: Starting...
2016/11/05 08:52:13| Finished. Wrote 0 entries.
2016/11/05 08:52:13| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: No valid signing SSL certificate configured for HTTPS_port
3.3.3.201:443 [9]
Squid Cache (Version 3.5.22): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 46624 KB
Page faults with physical i/o: 0
SQUID - compiled from sources
squid -v
Squid Cache: Version 3.5.22
Service Name: squid
configure options: '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid3' '--srcdir=.' '--datadir=/share/squid3'
'--sysconfdir=/etc/squid3' '--with-logdir=/var/log'
'--with-pidfile=/var/run/squid3.pid' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=' '--enable-arp-acl' '--enable-esi'
'--enable-ssl' '--enable-zph-qos' '--enable-wccpv2'
'--disable-translation' '--with-logdir=/var/log/squid3'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--with-ssl' '--disable-ipv6'
'--with-openssl' --enable-ltdl-convenience
Appreciate any feedback
Cheers
Konrad
Links:
------
[1] http://contoso.com
[2] http://squid.contoso.com
[3] http://exch.contoso.com
[4] http://mail.contoso.com
[5] http://mail.contoso.com:443
[6] http://mail.contoso.com/owa
[7] http://mail.contoso.com/microsoft-server-activesync
[8] http://mail.contoso.com/rpc
[9] http://3.3.3.201:443
Hi,
Sorry, if my questions would appear naive, but:
1. Does your certificate signed by StartSSL CA
(/home/kk/ssl/cert-mail/mail.contoso.com.pem) corresponds to your
private key (/home/kk/ssl/cert-mail/mail.contoso.com.key)?
2. Does user 'proxy' (--with-default-user=proxy) have access rights to
keys?
Garri
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
