[squid-users] SSL reverse proxy cert error
Hariharan Sethuraman
2018-09-05 04:05:23 UTC
Hi All,

I have my https_port 443 in reverse proxy. When a client sends a GET request,
the rewrite correctly rewrites the URL, and that rewritten GET request fails
with the error below.
2018/09/05 03:03:38| Error negotiating SSL on FD 15: error:14007086:SSL
routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)

I don't know where to add the trusted certificates, because I don't know where to
specify the trusted certificates in the /etc/ssl/certs directory.

I have two ways to support:
1) I may have a cache_peer parent proxy (next proxy to the internet)
2) I don't need to give any parent proxy (because this host is connected to
the internet without a next proxy)

Thanks,
Hari
Amos Jeffries
2018-09-05 04:31:55 UTC
Post by Hariharan Sethuraman
Hi All,
I have my https_port 443 in reverse proxy. When a client sends a GET
request, the rewrite correctly rewrites the URL, and that rewritten GET
request fails with the error below.
2018/09/05 03:03:38| Error negotiating SSL on FD 15: error:14007086:SSL
routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
I don't know where to add the trusted certificates, because I don't know where
to specify the trusted certificates in the /etc/ssl/certs directory.
I have two ways to support:
1) I may have a cache_peer parent proxy (next proxy to the internet)
For a reverse proxy the peer should be (or be towards) the origin, not
towards the public Internet.

Use the cache_peer tls-ca= option to tell Squid which specific CA that
peer/origin is supposed to be using.
Post by Hariharan Sethuraman
2) I don't need to give any parent proxy (because this host is connected
to the internet without a next proxy)
For connections directly to the Internet (which a reverse proxy cannot
make without being forced) the global "Trusted CA" set is used by default;
there is nothing to be done in that regard.

You can choose to disable them with:

tls_outgoing_options default-ca=off


If you need to make Squid trust a specific CA which is not one of the
global trusted set (eg private for your use, or self-signed) then use:

tls_outgoing_options cafile=/path/to/ca.pem


You can also combine the above settings so only the few global CAs which
you actually trust get loaded. The cafile= option can be repeated in
Squid-4 to load multiple CA details.

Amos
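Added example (not from the thread, and not Squid project code): before changing squid.conf it is worth confirming offline that the origin's certificate actually chains to the CA file you intend to give Squid, because the error in the original post is exactly what you get when it does not. The script below builds a constructed private CA ("Demo Private CA") and a certificate for a made-up origin "origin.internal", then runs `openssl verify` twice: once with no trusted CA (which fails the same way Squid's CONNECT_CR_CERT check failed) and once with the CA file (which passes). The same CA file is what you would reference from `cache_peer ... tls-ca=` or `tls_outgoing_options cafile=`; the path /etc/squid/ca.pem in the comments is a placeholder. It assumes the openssl CLI (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Reproduces the
# "certificate verify failed" condition offline with a constructed private
# CA, then shows that trusting that CA file (what cache_peer tls-ca= or
# tls_outgoing_options cafile= does in Squid) makes verification succeed.
# Hostname "origin.internal" and "Demo Private CA" are made up for the demo.

WORK="${TMPDIR:-/tmp}/squid-ca-demo.$$"

# Build a throw-away PKI: CA key/cert, origin key/CSR, CA-signed origin cert.
make_pki() {
  mkdir -p "$WORK" || return 1
  # Self-contained config so the result does not depend on the system openssl.cnf.
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_origin]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:origin.internal
EOF
  # Self-signed private CA: the kind that is NOT in the OS "Trusted CA" bundle.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
      -config "$WORK/pki.cnf" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  # Origin server key + CSR, then sign the CSR with the private CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=origin.internal" \
      -config "$WORK/pki.cnf" \
      -keyout "$WORK/origin.key" -out "$WORK/origin.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/pki.cnf" -extensions v3_origin \
      -out "$WORK/origin.pem" >/dev/null 2>&1 || return 1
}

# Verify the origin cert the way a TLS client (Squid included) does: chain to
# a trusted CA and match the peer hostname. $1 = CA file to trust; empty means
# trust nothing, standing in for "the private CA is missing from the trusted set".
# -no-CAfile/-no-CApath keep the system trust store out of the picture so the
# outcome is the same on every machine.
verify_origin() {
  ca="${1:-}"
  if [ -n "$ca" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$ca" \
        -verify_hostname origin.internal "$WORK/origin.pem" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath \
        -verify_hostname origin.internal "$WORK/origin.pem" >/dev/null 2>&1
  fi
}

cleanup() { rm -rf "$WORK"; }

# Stand-alone run: show the failure, then the fix.
if make_pki; then
  if verify_origin ""; then
    echo "unexpected: verified without any trusted CA"
  else
    echo "without the CA file: certificate verify failed (the condition Squid logged)"
  fi
  if verify_origin "$WORK/ca.pem"; then
    echo "with ca.pem trusted: OK"
    # Equivalent squid.conf (placeholder path):
    #   cache_peer origin.internal parent 443 0 tls tls-ca=/etc/squid/ca.pem
  fi
  cleanup
else
  echo "openssl not available or key generation failed" >&2
fi
```

The point of running `openssl verify` with the hostname check rather than just eyeballing the certificate is that Squid fails on either problem (unknown issuer or name mismatch), and this tells you which one you have before you touch the proxy configuration.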
