[squid-users] Need assistance debugging Squid error: ssl_crtd helpers crashing too quickly
Rohit Sodhia
2017-09-11 17:50:53 UTC
I've been trying to set up a Squid box to bump SSL requests via the tutorial
on the Squid site and
https://stackoverflow.com/questions/34398484/can-i-use-squid-to-upgrade-client-tls-connections

Unfortunately, when I run it, I get the following errors in my squid logs:

Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.031 seconds = 0.026 user + 0.005 sys
Maximum Resident Size: 71792 KB
Page faults with physical i/o: 0
2017/09/11 12:42:19 kid1| Current Directory is /
2017/09/11 12:42:19 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2017/09/11 12:42:19 kid1| Service Name: squid
2017/09/11 12:42:19 kid1| Process ID 1711
2017/09/11 12:42:19 kid1| Process Roles: worker
2017/09/11 12:42:19 kid1| With 16384 file descriptors available
2017/09/11 12:42:19 kid1| Initializing IP Cache...
2017/09/11 12:42:19 kid1| DNS Socket created at [::], FD 6
2017/09/11 12:42:19 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/09/11 12:42:19 kid1| Adding domain marvel.nyc.ent from /etc/resolv.conf
2017/09/11 12:42:19 kid1| Adding nameserver 172.21.20.200 from /etc/resolv.conf
2017/09/11 12:42:19 kid1| Adding nameserver 172.21.20.201 from /etc/resolv.conf
2017/09/11 12:42:19 kid1| Adding nameserver 172.20.102.201 from /etc/resolv.conf
2017/09/11 12:42:19 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
2017/09/11 12:42:19 kid1| Logfile: opening log stdio:/var/log/squid/access.log
2017/09/11 12:42:19 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/09/11 12:42:19 kid1| Store logging disabled
2017/09/11 12:42:19 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/09/11 12:42:19 kid1| Target number of buckets: 1008
2017/09/11 12:42:19 kid1| Using 8192 Store buckets
2017/09/11 12:42:19 kid1| Max Mem size: 262144 KB
2017/09/11 12:42:19 kid1| Max Swap size: 0 KB
2017/09/11 12:42:19 kid1| Using Least Load store dir selection
2017/09/11 12:42:19 kid1| Current Directory is /
2017/09/11 12:42:19 kid1| Finished loading MIME types and icons.
2017/09/11 12:42:19 kid1| HTCP Disabled.
2017/09/11 12:42:19 kid1| Squid plugin modules loaded: 0
2017/09/11 12:42:19 kid1| Adaptation support is off.
2017/09/11 12:42:19 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2017/09/11 12:42:19 kid1| WARNING: ssl_crtd #Hlpr1 exited
2017/09/11 12:42:19 kid1| Too few ssl_crtd processes are running (need 1/32)
2017/09/11 12:42:19 kid1| Closing HTTP port [::]:3128
2017/09/11 12:42:19 kid1| storeDirWriteCleanLogs: Starting...
2017/09/11 12:42:19 kid1| Finished. Wrote 0 entries.
2017/09/11 12:42:19 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

I ran the ssl_crtd command, though that didn't help. From Google, it seems
other people have had this error, but I can't find a solution and hope
someone may be able to advise me.

Thank you for any assistance.
Rohit Sodhia
Yuri
2017-09-11 18:17:24 UTC
It tells you what happens.
Post by Rohit Sodhia
/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
Rohit Sodhia
2017-09-11 18:21:04 UTC
Yes, but telling me it's crashing unfortunately doesn't help me figure out
why or how to fix it. I've run the command it suggests but it doesn't help.
I'm unfortunately not an ops guy familiar with this kind of stuff; I don't
see anything on how to figure out what to do about it.
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Yuri
2017-09-11 18:22:26 UTC
Show output of

ls -al /var/lib/ssl_db
Rohit Sodhia
2017-09-11 18:23:29 UTC
total 8
drwxr-xr-x. 3 root root 48 Sep 11 12:42 .
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
drwxr-xr-x. 2 root root 6 Sep 11 12:42 certs
-rw-r--r--. 1 root root 0 Sep 11 12:42 index.txt
-rw-r--r--. 1 root root 1 Sep 11 12:42 size
Yuri
2017-09-11 18:25:27 UTC
Here is the root of the problem.

Should be (on my setups):

# ls -al /var/lib/ssl_db
total 326
drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
-rw-r--r-- 1 squid squid      7 Sep 11 23:37 size

I.e. Squid has no access to SSL cache dir structures.
Rohit Sodhia
2017-09-11 18:30:08 UTC
Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it
up like that. I changed the owner and group to squid:squid and tried
restarting squid, but still get the same errors. I thought to run the
command again, but this time it says

/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db

If this folder has incorrect permissions are there possibly other
permission issues?
Yuri
2017-09-11 18:33:26 UTC
Most probably your squid runs as another user than squid.

Check your squid.conf for cache_effective_user and cache_effective_group
values.

Then change SSL cache permissions to these values. Should work.
Rohit Sodhia
2017-09-11 18:36:02 UTC
Neither of those values are set in my config. Even though I'm not using
squid for caching, I need those values? They aren't set in the default
configs either.
Yuri
2017-09-11 18:39:21 UTC
I'm not a Linux fanboy, but modern squid never runs as root. So, most
probably it runs as the nobody user.

Ah, yes:

#  TAG: cache_effective_user
#    If you start Squid as root, it will change its effective/real
#    UID/GID to the user specified below.  The default is to change
#    to UID of nobody.
#    see also; cache_effective_group
#Default:
# cache_effective_user nobody

#  TAG: cache_effective_group
#    Squid sets the GID to the effective user's default group ID
#    (taken from the password file) and supplementary group list
#    from the groups membership.
#
#    If you want Squid to run with a specific GID regardless of
#    the group memberships of the effective user then set this
#    to the group (or GID) you want Squid to run as. When set
#    all other group privileges of the effective user are ignored
#    and only this GID is effective. If Squid is not started as
#    root the user starting Squid MUST be member of the specified
#    group.
#
#    This option is not recommended by the Squid Team.
#    Our preference is for administrators to configure a secure
#    user account for squid with UID/GID matching system policies.
#Default:
# Use system group memberships of the cache_effective_user account

As documented. :)

AFAIK the best solution is to create a non-privileged group & user (like
squid/squid) and set both these parameters explicitly.

Then change owner recursively on SSL cache to this user.
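As an added example (not part of the thread and not Squid's own code), a POSIX shell check that does what Yuri describes: read cache_effective_user from squid.conf, falling back to the documented default nobody, and compare it with the owner of the ssl_crtd database directory and every entry under it. The function names and the fixture it builds are mine; the default paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example: check that Squid's ssl_crtd certificate database is owned
# by the account Squid actually runs as. Squid drops from root to
# cache_effective_user (documented default: nobody), so a database created
# by running "ssl_crtd -c -s /var/lib/ssl_db" as root (owner root, as in the
# thread's ls output) is not writable by the helpers, which then exit.

# Print the cache_effective_user configured in a squid.conf, or "nobody"
# when the directive is absent. Commented-out lines such as the shipped
# "# cache_effective_user nobody" are documentation and are skipped; the
# last uncommented occurrence is taken.
squid_effective_user() {
    conf="$1"
    user=$(sed -n 's/^[[:space:]]*cache_effective_user[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${user:-nobody}"
}

# Print the owning user of a path. ls -ld is used instead of stat(1)
# because its column layout is the same on GNU and BSD, and it is the same
# column the thread reads off "ls -al /var/lib/ssl_db" (field 3, owner).
path_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Return 0 when the database directory and everything under it (certs/,
# index.txt, size) is owned by the effective user; otherwise print each
# mismatch on stderr and return 1.
check_ssl_db() {
    conf="$1"
    db="$2"
    want=$(squid_effective_user "$conf")
    rc=0
    for p in $(find "$db"); do
        have=$(path_owner "$p")
        if [ "$have" != "$want" ]; then
            printf 'mismatch: %s is owned by %s but Squid runs as %s\n' \
                "$p" "$have" "$want" >&2
            rc=1
        fi
    done
    return $rc
}

# Build a constructed fixture for trying the check without touching a real
# Squid install: a temp dir holding an ssl_db tree with the same entries
# the thread shows (certs/, index.txt, size), owned by the current user,
# plus a squid.conf made of the lines given as arguments. Prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ssl_db/certs"
    : > "$dir/ssl_db/index.txt"
    printf '1' > "$dir/ssl_db/size"
    printf '%s\n' "$@" > "$dir/squid.conf"
    printf '%s\n' "$dir"
}

# Command-line use: check_ssl_db.sh /etc/squid/squid.conf /var/lib/ssl_db
if [ $# -eq 2 ]; then
    check_ssl_db "$1" "$2" && \
        echo "ok: $2 is owned by $(squid_effective_user "$1")"
fi
```

If the directory reports a mismatch, `chown -R` it to the user the check prints (or set cache_effective_user to the directory's owner) and run `ssl_crtd -c -s` again as that user rather than as root.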
Rohit Sodhia
2017-09-11 18:42:18 UTC
I'll try that immediately, thanks! I appreciate all your advice; hopefully
I won't have to reach out again :p
Rohit Sodhia
2017-09-11 19:23:42 UTC
Unfortunately, no luck yet. Thank you again for your help before.

I found that the user squid and group squid existed already, so I added

cache_effective_user squid
cache_effective_group squid

to my config (first two lines), made sure /var/lib/ssl_db and its contents
were set to squid:squid and restarted the service, but I'm still getting
the same error :(
Yuri
2017-09-11 19:41:32 UTC
Well. Let's check more deeply.

Show me the parameter sslcrtd_program in your squid.conf
Rohit Sodhia
2017-09-11 19:58:12 UTC
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

I used the line from the Stack Overflow question I linked earlier.
Yuri
2017-09-11 20:02:39 UTC
Permalink
Wait. Squid 3.5.20? So ancient?
Post by Rohit Sodhia
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
I used the line from the Stack Overflow question I linked earlier.
Well. Let's check more deeply.
Show me the parameter sslcrtd_program in your squid.conf
Post by Rohit Sodhia
Unfortunately, no luck yet. Thank you again for your help before.
I found that the user squid and group squid existed already, so I added
cache_effective_user squid
cache_effective_group squid
to my config (first two lines), made sure /var/lib/ssl_db and
its contents were set to squid:squid and restarted the service,
but I'm still getting the same error :(
On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia
I'll try that immediately, thanks! I appreciate all your
advice; hopefully I won't have to reach out again :p
I'm not a Linux fanboy, but modern squid never runs as
root. So, most probably it runs as the nobody user.
#  TAG: cache_effective_user
#    If you start Squid as root, it will change its effective/real
#    UID/GID to the user specified below.  The default is to change
#    to UID of nobody.
#    see also; cache_effective_group
# cache_effective_user nobody
#  TAG: cache_effective_group
#    Squid sets the GID to the effective user's default group ID
#    (taken from the password file) and supplementary group list
#    from the groups membership.
#
#    If you want Squid to run with a specific GID regardless of
#    the group memberships of the effective user then set this
#    to the group (or GID) you want Squid to run as. When set
#    all other group privileges of the effective user are ignored
#    and only this GID is effective. If Squid is not started as
#    root the user starting Squid MUST be member of the specified
#    group.
#
#    This option is not recommended by the Squid Team.
#    Our preference is for administrators to configure a secure
#    user account for squid with UID/GID matching system policies.
# Use system group memberships of the cache_effective_user account
As documented. :)
AFAIK the best solution is to create a non-privileged group & user
(like squid/squid) and set both of these parameters explicitly.
Then change the owner recursively on the SSL cache to this user.
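The ownership problem diagnosed in the quoted exchange above (the certificate database created by root, while Squid starts its ssl_crtd helpers as cache_effective_user) can be checked and repaired with a small script. This is an added example, not code from the thread or from the Squid project; the directory /var/lib/ssl_db, the squid account and the helper path /usr/lib64/squid/ssl_crtd are the values quoted in the thread and are only defaults here, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Verifies and repairs ownership of the ssl_crtd certificate database.
# Squid starts the ssl_crtd helpers as cache_effective_user, so a database
# tree created by root (the second listing in the thread) is unusable by them.
# Directory, account and helper path default to the values quoted in the
# thread; pass others as arguments.

# check_ssl_db_owner DIR USER
#   0: every entry under DIR is owned by USER
#   1: at least one entry is not (the offenders are printed to stderr)
#   2: DIR or USER does not exist
check_ssl_db_owner() {
    db_dir=$1
    db_user=$2
    [ -d "$db_dir" ] || { echo "no such directory: $db_dir" >&2; return 2; }
    id -u "$db_user" >/dev/null 2>&1 || { echo "no such user: $db_user" >&2; return 2; }
    # POSIX find: list everything under the database NOT owned by the account.
    wrong_owner=$(find "$db_dir" ! -user "$db_user")
    if [ -n "$wrong_owner" ]; then
        echo "entries not owned by $db_user (ssl_crtd cannot use the db):" >&2
        echo "$wrong_owner" >&2
        return 1
    fi
    return 0
}

# init_ssl_db DIR USER [GROUP] [SSL_CRTD]
# Runs "ssl_crtd -c -s DIR" only when DIR does not exist yet: the helper
# creates the directory itself and, as the thread shows, reports
# "Cannot create" when it is already there. Then hands the whole tree to
# USER:GROUP and re-checks. Needs root when chowning to another account.
init_ssl_db() {
    db_dir=$1
    db_user=$2
    db_group=${3:-$2}
    crtd=${4:-/usr/lib64/squid/ssl_crtd}
    if [ ! -d "$db_dir" ]; then
        "$crtd" -c -s "$db_dir" || return 1
    fi
    chown -R "$db_user:$db_group" "$db_dir" || return 1
    check_ssl_db_owner "$db_dir" "$db_user"
}

# Stand-alone use: sh ssl_db_owner.sh [DIR] [USER]
# e.g. sh ssl_db_owner.sh /var/lib/ssl_db squid
if [ $# -gt 0 ]; then
    check_ssl_db_owner "$1" "${2:-squid}"
fi
```

Run check_ssl_db_owner right after any `ssl_crtd -c -s` run: the helper creates the tree with the privileges of whoever ran it, and a listing that shows root where cache_effective_user should be is exactly the situation in the thread. init_ssl_db has to run as root because of the chown; check_ssl_db_owner does not.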
Rohit Sodhia
2017-09-11 20:05:03 UTC
Permalink
I'll try to find it, but I read a few articles/SO questions that suggested
there were bugs in 4 relating to SSL bumping? If they were wrong, I'd be
glad to go forward. Should I be removing the yum squid package and compiling
my own? Is 3.5 problematic besides being old?
Post by Yuri
Wait. Squid 3.5.20? So ancient?
Yuri
2017-09-11 20:07:44 UTC
Permalink
Seems the latest 4.0.21 is good enough. Most critical SSL-related bugs are
almost closed or closed.

At least the latest 3.5.27 is released. AFAIK this is the minimum for
problem-free running.

Repository software sometimes has strange quirks, or is sometimes rancid.
Post by Rohit Sodhia
I'll try to find it, but I read a few articles/SO questions that
suggested there were bugs in 4 relating to SSL bumping? If they were
wrong, I'd be glad to go forward. Should I be removing the yum squid
package and compiling my own? Is 3.5 problematic besides being old?
Rohit Sodhia
2017-09-11 20:15:23 UTC
Permalink
Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of the
problem?
Post by Yuri
Seems the latest 4.0.21 is good enough. Most critical SSL-related bugs are
almost closed or closed.
At least the latest 3.5.27 is released. AFAIK this is the minimum for
problem-free running.
Repository software sometimes has strange quirks, or is sometimes rancid.
Yuri
2017-09-11 20:17:38 UTC
Permalink
Hardly,

most probably something in the repo's package. However, an upgrade is always
recommended, especially with modern functionality. It changes fast enough.
Post by Rohit Sodhia
Ah. I'm on 3.5.20; not sure how far back that is. Is that the core of
the problem?
Rohit Sodhia
2017-09-11 20:18:39 UTC
Permalink
Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so I guess
I'll have to learn how to compile it myself; I've never compiled a package
before.
Post by Yuri
Hardly,
most probably something in the repo's package. However, an upgrade is always
recommended, especially with modern functionality. It changes fast enough.
Yuri
2017-09-11 20:19:50 UTC
Permalink
Everything happens once for the first time ;)
Post by Rohit Sodhia
Ok. Looks like 3.5.20 is the latest on the yum repo I'm using, so I
guess I'll have to learn how to compile it myself; I've never compiled a
package before.
Hardly,
most probably something in repo's package. However, upgrade is
always recommended, especially with modern functionality. It
changes fast enough.
Post by Rohit Sodhia
Ah. I'm on 3.5.20; not sure how far back that is. Is that the
core of the problem?
Seems latest 4.0.21 is good enough. Most critical SSL-related
bugs almost closed or closed.
At least latest 3.5.27 is released. AFAIK this is minimum to
problem-free running.
Repositories software sometimes has strange quirks, or sometimes rancid.
Post by Rohit Sodhia
I'll try to find it, but I read a few articles/SO questions
that suggested there were bugs in 4 relating to SSL bumping?
If they were wrong, I'd be glad to go forward. Should I be
removing the yum squid package and compile my own? Is 3.5
problematic besides being old?
Wait. Squid 3.5.20? So ancient?
Post by Rohit Sodhia
sslcrtd_program /usr/lib64/squid/ssl_crtd -s
/var/lib/ssl_db -M 4MB
I used the line from the Stack Overflow question I
linked earlier.
On Mon, Sep 11, 2017 at 3:41 PM, Yuri
Well. Let's check more deep.
Show me parameter sslcrtd_program in your squid.conf
Post by Rohit Sodhia
Unfortunately, no luck yet. Thank you again for
your help before.
I found that the user squid and group squid
existed already, so I added
cache_effective_user squid
cache_effective_group squid
to my config (first two lines), made sure
/var/lib/ssl_db and it's contents were set to
squid:squid and restarted the service, but I'm
still getting the same error :(
On Mon, Sep 11, 2017 at 2:42 PM, Rohit Sodhia
I'll try that immediately, thanks! I
appreciate all your advice; hopefully I won't
have to reach out again :p
On Mon, Sep 11, 2017 at 2:39 PM, Yuri
I'm not Linux fanboy, but modern squid
never runs as root. So, most probably it
runs as nobody user.
#  TAG: cache_effective_user
#    If you start Squid as root, it will change its effective/real
#    UID/GID to the user specified below. The default is to change
#    to UID of nobody.
#    see also; cache_effective_group
# cache_effective_user nobody
#  TAG: cache_effective_group
#    Squid sets the GID to the effective user's default group ID
#    (taken from the password file) and supplementary group list
#    from the groups membership.
#
#    If you want Squid to run with a specific GID regardless of
#    the group memberships of the effective user then set this
#    to the group (or GID) you want Squid to run as. When set
#    all other group privileges of the effective user are ignored
#    and only this GID is effective. If Squid is not started as
#    root the user starting Squid MUST be member of the specified
#    group.
#
#    This option is not recommended by the Squid Team.
#    Our preference is for administrators to configure a secure
#    user account for squid with UID/GID matching system policies.
# Use system group memberships of the cache_effective_user account
As documented. :)
AFAIK the best solution is to create a non-privileged group & user (like squid/squid) and set both these parameters explicitly.
Then change the owner recursively on the SSL cache to this user.
Post by Rohit Sodhia
Neither of those values is set in my config. Even though I'm not using squid for caching, I need those values? They aren't set in the default configs either.
On Mon, Sep 11, 2017 at 2:33 PM, Yuri
Most probably your squid runs as another user than squid.
Check your squid.conf for cache_effective_user and cache_effective_group values.
Then change SSL cache permissions to these values. Should work.
Post by Rohit Sodhia
Thanks for the feedback! I just used yum (it's a CentOS 7 VB) and it set it up like that. I changed the owner and group to squid:squid and tried restarting squid, but still get the same errors. I thought to run the command again, but this time it says
/usr/lib64/squid/ssl_crtd: Cannot create /var/lib/ssl_db
If this folder has incorrect permissions, are there possibly other permission issues?
On Mon, Sep 11, 2017 at 2:25 PM,
Here is the root of your problem.
# ls -al /var/lib/ssl_db
total 326
drwxr-xr-x 3 squid squid      5 Sep  5 00:53 .
drwxr-xr-x 8 root  other      8 Sep  5 00:53 ..
drwxr-xr-x 2 squid squid    454 Sep 11 23:37 certs
-rw-r--r-- 1 squid squid 280575 Sep 11 23:37 index.txt
-rw-r--r-- 1 squid squid      7 Sep 11 23:37 size
I.e. Squid has no access to the SSL cache dir structures.
Post by Rohit Sodhia
total 8
drwxr-xr-x.  3 root root   48 Sep 11 12:42 .
drwxr-xr-x. 32 root root 4096 Sep 11 12:42 ..
drwxr-xr-x.  2 root root    6 Sep 11 12:42 certs
-rw-r--r--.  1 root root    0 Sep 11 12:42 index.txt
-rw-r--r--.  1 root root    1 Sep 11 12:42 size
On Mon, Sep 11, 2017 at 2:22
Show output of
ls -al /var/lib/ssl_db
12.09.2017 0:21, Rohit
Post by Rohit Sodhia
Yes, but telling me it's crashing unfortunately doesn't help me figure out why or how to fix it. I've run the command it suggests but it doesn't help. I'm unfortunately not an ops guy familiar with this kind of stuff; I don't see anything on how to figure out what to do about it.
On Mon, Sep 11, 2017 at 2:17 PM, Yuri
It tells you what happens.
11.09.2017 23:50,
Uninitialized SSL certificate database
Post by Rohit Sodhia
/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Amos Jeffries
2017-09-12 04:08:49 UTC
Permalink
Hi guys,

You got so close but not quite.

Rohit;

* check your running Squid to see what user account it is using. You
should not need to configure the effective user explicitly (unless it is
that 'nobody' account - best prevent that account from playing with cert
creation).

* Remove the ssl_db directory you have that was not working and create
one fresh with write permissions to the Squid user *and* group. Note
that is the top level ssl_db directory only.

* run restorecon on the new directory. This is needed for the create to
work properly when SELinux is present.

* then run the ssl_crtd command _as the Squid user account_ ("su squid"
or "sudo -i -u squid").

* run restorecon *again* on the formatted directory structure. This is
needed for the normal Squid uses to work properly when SELinux is present.


That should be all that is needed to use this helper.


As for upgrades, yes it would be a good idea regardless of this issue.
3.5.20 was a July 2016 release[1] and it's best not to be more than a month
or two behind with ssl-bump things. Eliezer's packages[2] should be okay
if you want to avoid compiling.

[1] <http://www.squid-cache.org/Versions/v3/3.5/>
[2] <https://wiki.squid-cache.org/KnowledgeBase/RedHat> this page was
badly out of date sorry, now updated.

Amos
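Amos's checklist, turned into a shell check that is an added example and not code from the thread or from the Squid project: it verifies that the ssl_db directory is owned and writable by the Squid account and already formatted (the index.txt, size and certs entries visible in the listings above), and prints a restorecon reminder when SELinux tooling is present. It assumes GNU stat(1); the user name you pass is assumed to be whatever your running Squid actually reports, and SELinux labels themselves are not inspected.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project. Verifies an
# ssl_crtd database directory against Amos's checklist: owned by the Squid
# account, owner-writable at the top level, and already formatted (the
# index.txt, size and certs entries seen in the thread's listings). Assumes
# GNU stat(1); SELinux labels are not inspected, only a restorecon reminder.
# Usage: check_ssl_db /var/lib/ssl_db squid
check_ssl_db() {
    db_dir=$1
    squid_user=$2
    rc=0
    if [ ! -d "$db_dir" ]; then
        echo "FAIL: $db_dir does not exist"
        return 1
    fi

    # The failing box showed root:root here; the helper runs as the Squid user.
    owner=$(stat -c '%U' "$db_dir")
    if [ "$owner" != "$squid_user" ]; then
        echo "FAIL: $db_dir owned by $owner, expected $squid_user (chown -R $squid_user: $db_dir)"
        rc=1
    fi

    # Owner write bit on the top-level directory (first of the last three octal digits).
    mode=$(stat -c '%a' "$db_dir")
    case $mode in
        *[2367]??) ;;
        *) echo "FAIL: $db_dir mode $mode is not writable by its owner"; rc=1 ;;
    esac

    # ssl_crtd -c creates these three entries; without them the helper exits.
    for entry in index.txt size certs; do
        if [ ! -e "$db_dir/$entry" ]; then
            echo "FAIL: $db_dir/$entry missing; format as the Squid user: sudo -i -u $squid_user ssl_crtd -c -s $db_dir"
            rc=1
        fi
    done

    if command -v restorecon >/dev/null 2>&1; then
        echo "NOTE: SELinux tooling present; run restorecon -R $db_dir after creating and again after formatting"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $db_dir is usable by $squid_user"
    return "$rc"
}

# Run the check when invoked directly with both arguments.
if [ $# -eq 2 ]; then
    check_ssl_db "$1" "$2"
fi
```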
