Thank you. Yes, curl trusts the same wildcard certificate when it is presented by an nginx server.

John

On Tue, Oct 7, 2025 at 1:52 PM Alex Rousskov <[email protected]> wrote:
>
> On 2025-10-07 13:21, John Brayton wrote:
> > I am setting up a Squid proxy server. It needs to be available on a
> > public IP address, so I need traffic between the client and the proxy
> > to be secure. I have a wildcard SSL certificate from a certificate
> > authority (Namecheap). I have these files:
> >
> > - A key file with an RSA key
> > - A certificate file
> > - A certificate chain file, with the signing certificates from Namecheap
> > - A combined file that includes both the certificate file and the
> > certificate chain file.
> >
> > All these files are in PEM format. I am trying to work out how to
> > configure squid to use these files as expected. As it stands, I have:
> >
> > https_port 8888 tls-cert=/etc/squid/combined.pem tls-key=/etc/squid/key.pem
> > When using a curl client, I issue this:
> >
> > curl -i -x https://[proxyhost]:8888 [website_url]
> >
> > I get this response:
> >
> > curl: (60) SSL certificate problem: unable to get local issuer certificate
> > More details here: https://curl.se/docs/sslcerts.html
> >
> > curl failed to verify the legitimacy of the server and therefore could not
> > establish a secure connection to it. To learn more about this situation and
> > how to fix it, please visit the web page mentioned above.
> >
> > I get the same error regardless of whether website_url is an HTTP URL
> > or an HTTPS URL, so I assume the issue is not the website.
> >
> > How do I make the squid server trusted by clients?
>
> Does your curl client trust Namecheap? If not, see curl documentation
> mentioned in the error message you have quoted above. That documentation
> explains how to make curl (and other clients) trust a certificate
> authority that they do not already trust.
>
> The same documentation can be used to confirm that trusting Namecheap
> certificate authority is enough; see --proxy-cacert command line option.
>
> Using `openssl s_client` or examining curl-Squid traffic with a tool
> like Wireshark may help you see what certificate curl cannot validate.
> Newer curl versions support `curl --write-out '%{certs}'`, but I do not
> know whether `certs` write-out variable works for proxy certificates.
>
>
> HTH,
>
> Alex.
>
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
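
An added example, not part of the thread: an offline check of whether a PEM file such as the `combined.pem` in the question carries everything a client needs to build a chain to a trust root. When it does not, OpenSSL reports the same "unable to get local issuer certificate" text that curl shows. The root, intermediate and wildcard certificate below are constructed test material, and `chain_check` and `make_demo_pki` are names chosen for this example.

```shell
#!/bin/sh
# chain_check SERVED_PEM TRUST_ROOTS_PEM
# Verifies the first certificate in SERVED_PEM against TRUST_ROOTS_PEM, using
# only the other certificates in SERVED_PEM as untrusted intermediates. This
# approximates what a client can build from what the server presents.
chain_check() {
    if out=$(openssl verify -CAfile "$2" -untrusted "$1" "$1" 2>&1); then
        echo complete
    else
        printf '%s\n' "$out" >&2    # openssl's reason, for the operator
        echo incomplete
    fi
}

# make_demo_pki DIR
# Builds a constructed root -> intermediate -> wildcard leaf in DIR, laid out
# like the files listed in the question (cert.pem, combined.pem, key.pem).
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" \
        -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/key.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null
    # Leaf first, then the certificate that signed it.
    cat "$d/cert.pem" "$d/int.pem" > "$d/combined.pem"
}

# Demo on constructed material only.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "combined.pem:  $(chain_check "$demo_dir/combined.pem" "$demo_dir/root.pem")"
echo "cert.pem only: $(chain_check "$demo_dir/cert.pem" "$demo_dir/root.pem" 2>/dev/null)"
rm -rf "$demo_dir"
```

Against real files, the second argument would be the CA bundle the client is expected to trust.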
