On 2025-10-07 14:01, John Brayton wrote:
Yes, curl trusts the same wildcard certificate when it is
presented by an nginx server.

How do you know that curl sees the same certificate chain in both tests?

I am guessing that you have tried to use the same certificate chain in both Squid and nginx configurations, but the question is about what curl sees/gets.

It is unlikely that curl would receive the same certificate chain but only trust the chain "presented by an nginx server". Most likely, something differs in those two chains/cases. For example, nginx sends an intermediate certificate as a part of that chain while Squid does not. Or the order of certificates in that chain differs. The pointers in my earlier response may help you tease out that critical difference.


HTH,

Alex.


On Tue, Oct 7, 2025 at 1:52 PM Alex Rousskov wrote:

On 2025-10-07 13:21, John Brayton wrote:
I am setting up a Squid proxy server. It needs to be available on a
public IP address, so I need traffic between the client and the proxy
to be secure. I have a wildcard SSL certificate from a certificate
authority (Namecheap). I have these files:

- A key file with an RSA key
- A certificate file
- A certificate chain file, with the signing certificates from Namecheap
- A combined file that includes both the certificate file and the
certificate chain file.

All these files are in PEM format. I am trying to work out how to
configure squid to use these files as expected. As it stands, I have:

https_port 8888 tls-cert=/etc/squid/combined.pem tls-key=/etc/squid/key.pem

When using a curl client, I issue this:

curl -i -x https://[proxyhost]:8888 [website_url]

I get this response:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I get the same error regardless of whether website_url is an HTTP URL
or an HTTPS URL, so I assume the issue is not the website.

How do I make the squid server trusted by clients?

Does your curl client trust Namecheap? If not, see curl documentation
mentioned in the error message you have quoted above. That documentation
explains how to make curl (and other clients) trust a certificate
authority that they do not already trust.

The same documentation can be used to confirm that trusting Namecheap
certificate authority is enough; see --proxy-cacert command line option.

Using `openssl s_client` or examining curl-Squid traffic with a tool
like Wireshark may help you see what certificate curl cannot validate.
Newer curl versions support `curl --write-out '%{certs}'`, but I do not
know whether `certs` write-out variable works for proxy certificates.


HTH,

Alex.
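The advice above is to compare what Squid and nginx actually send and to check what curl trusts. The script below is an added example, not code from the thread or from Squid: it builds a throwaway root/intermediate/wildcard-leaf hierarchy with openssl (constructed test data, not Namecheap's chain) and then checks a PEM bundle the way a TLS client does, so a leaf-only bundle reproduces the "unable to get local issuer certificate" error while leaf-plus-intermediate verifies and a reversed bundle fails on the hostname check. The `check_chain` function, the `proxy.example.com` name and all file names are assumptions.

```shell
# Added example (not from the thread): build a throwaway root -> intermediate -> wildcard
# leaf with openssl and check a PEM bundle the way curl checks what the proxy sends:
# leaf first, intermediates included, chain reaches the trusted root, hostname matches.
WORK=$(mktemp -d)

# Constructed CA hierarchy. Names, paths and the wildcard are assumptions, not Namecheap's chain.
make_chain() (
  cd "$WORK" || exit 1
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Example Intermediate" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
      -extfile ca.ext -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=*.example.com" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
      -extfile leaf.ext -out leaf.pem 2>/dev/null
  cat leaf.pem int.pem > combined.pem   # correct bundle for tls-cert=: leaf, then intermediate
  cat int.pem leaf.pem > reversed.pem   # wrong order: intermediate first
)

# check_chain BUNDLE ROOT HOST: BUNDLE is the PEM chain as sent on the wire, ROOT is what the
# client trusts (curl's CA store or --proxy-cacert), HOST is the name the client connected to.
# Returns 0 if a client would accept the chain, non-zero otherwise (openssl's reason on stderr).
check_chain() {
  bundle=$1 root=$2 host=$3
  # TLS requires the server certificate first; everything after it is untrusted helper material
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$bundle" > "$WORK/first.pem"
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>1'  "$bundle" > "$WORK/rest.pem"
  if [ -s "$WORK/rest.pem" ]; then
    openssl verify -CAfile "$root" -untrusted "$WORK/rest.pem" -verify_hostname "$host" "$WORK/first.pem"
  else
    openssl verify -CAfile "$root" -verify_hostname "$host" "$WORK/first.pem"
  fi
}

make_chain
for bundle in combined.pem leaf.pem reversed.pem; do
  echo "== $bundle"
  check_chain "$WORK/$bundle" "$WORK/root.pem" proxy.example.com 2>&1 | sed 's/^/   /'
done
```

Against a live proxy, the bundle to feed `check_chain` is what `openssl s_client -connect proxyhost:8888 -showcerts` prints, which is exactly the material curl receives and has to validate.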


_______________________________________________
squid-users mailing list
https://lists.squid-cache.org/listinfo/squid-users
