On 2025-10-07 13:21, John Brayton wrote:
> I am setting up a Squid proxy server. It needs to be available on a
> public IP address, so I need traffic between the client and the proxy
> to be secure. I have a wildcard SSL certificate from a certificate
> authority (Namecheap). I have these files:
>
> - A key file with an RSA key
> - A certificate file
> - A certificate chain file, with the signing certificates from Namecheap
> - A combined file that includes both the certificate file and the
>   certificate chain file.
>
> All these files are in PEM format. I am trying to work out how to
> configure squid to use these files as expected. As it stands, I have:
>
> https_port 8888 tls-cert=/etc/squid/combined.pem tls-key=/etc/squid/key.pem
>
> When using a curl client, I issue this:
>
> curl -i -x https://[proxyhost]:8888 [website_url]
>
> I get this response:
>
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
>
> I get the same error regardless of whether website_url is an HTTP URL
> or an HTTPS URL, so I assume the issue is not the website.
>
> How do I make the squid server trusted by clients?

Does your curl client trust Namecheap? If not, see the curl documentation mentioned in the error message you have quoted above. That documentation explains how to make curl (and other clients) trust a certificate authority that they do not already trust.

The same documentation can be used to confirm that trusting the Namecheap certificate authority is enough; see the --proxy-cacert command line option.

Using `openssl s_client` or examining curl-Squid traffic with a tool like Wireshark may help you see what certificate curl cannot validate. Newer curl versions support `curl --write-out '%{certs}'`, but I do not know whether the `certs` write-out variable works for proxy certificates.


HTH,

Alex.

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
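The checks suggested in the reply above can be rehearsed offline before touching the proxy. The following is an added example, not part of the original messages: it builds a constructed root, intermediate and leaf with `openssl`, then tests bundle order and client-side verification. The function names, file names and `PROXYHOST` are assumptions.

```shell
# Added example: constructed demo PKI; function and file names are assumptions.
# For a live proxy, first save what it serves (PROXYHOST is a placeholder):
#   openssl s_client -connect PROXYHOST:8888 -showcerts </dev/null >served.pem
# then test candidate CA files below before passing one to curl --proxy-cacert.

# name_of subject|issuer FILE: print that name of the first certificate in FILE.
name_of() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# chain_in_order BUNDLE: succeed if every certificate in BUNDLE is issued by
# the one after it (leaf first, then intermediates).
chain_in_order() {
  tmp=$(mktemp -d) || return 2
  n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/c" n ".pem") } END { print n + 0 }' "$1")
  rc=0; i=1
  [ "$n" -ge 1 ] || rc=1
  while [ "$i" -lt "$n" ]; do
    [ "$(name_of issuer "$tmp/c$i.pem")" = "$(name_of subject "$tmp/c$((i + 1)).pem")" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"; return "$rc"
}

# client_can_verify CAFILE BUNDLE: verify the first certificate in BUNDLE as a
# client trusting only CAFILE would; BUNDLE's other certificates are intermediates.
client_can_verify() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

# make_demo_chain DIR: constructed root -> intermediate -> leaf, plus combined.pem.
make_demo_chain() {
  d=$1; printf 'basicConstraints=critical,CA:TRUE\n' >"$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for c in int leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo $c" \
      -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" >"$d/combined.pem"
}

demo=$(mktemp -d) && make_demo_chain "$demo"
chain_in_order "$demo/combined.pem" && echo "bundle order: ok"
client_can_verify "$demo/root.pem" "$demo/combined.pem" && echo "full bundle: verifies"
client_can_verify "$demo/root.pem" "$demo/leaf.pem" || echo "leaf only: no issuer found"
```

Removing the `>/dev/null 2>&1` from `client_can_verify` shows OpenSSL's reason for a failure; its error 20 carries the same "unable to get local issuer certificate" text that curl reports.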