SQUID 5.6 on FreeBSD-aarch64 problems

Hello,
I've installed the squid 5.6 package on my Raspberry Pi 4. By default it starts normally, but when I try to configure it to handle SSL it gives me an error message:
Code:
root@uc1:~ # service squid start
Starting squid.
2022/08/13 22:53:30| FATAL: No valid signing certificate configured for HTTP_port [::]:3128
2022/08/13 22:53:30| Squid Cache (Version 5.6): Terminated abnormally.
CPU Usage: 0.160 seconds = 0.144 user + 0.016 sys
Maximum Resident Size: 59616 KB
Page faults with physical i/o: 0
/usr/local/etc/rc.d/squid: WARNING: failed to start squid


This is the command line for creating certificates
Code:
/usr/bin/openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -subj "/C=DZ/ST=BEJAIA/L=BEJAIA/O=UCCEN/CN=uc.net" -keyout /uc/cssl/uc_proxyCA.pem -out /uc/cssl/uc_proxyCA.pem

and here is the squid.conf
Code:
# generated : %date%
########################################################################################
# from squid.conf.sample
########################################################################################
acl localnet src 192.168.192.0/24  # RFC 1918 local private network (LAN) {%IpNet%}

acl SSL_ports  port 443            # SSL (https)
acl Safe_ports port 80             # http
acl Safe_ports port 21             # ftp
acl Safe_ports port 443            # https
acl Safe_ports port 70             # gopher
acl Safe_ports port 210            # wais
acl Safe_ports port 1025-65535     # unregistered ports
acl Safe_ports port 280            # http-mgmt
acl Safe_ports port 488            # gss-http
acl Safe_ports port 591            # filemaker
acl Safe_ports port 777            # multiling http
acl CONNECT method CONNECT


visible_hostname    uc1.uc.org
dns_nameservers 8.8.8.8


#acl step1 at_step SslBump1

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access allow manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# %user_rules%

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

http_port 3128 ssl-bump \
   cert=/uc/cssl/certs/uc_proxyCA.pem \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /uc/cssl/db -M 4MB

tls_outgoing_options cafile=/uc/cssl/cacert.pem
# tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
# tls_outgoing_options cafile=/usr/local/share/cert/


#url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf \
#    url_rewrite_bypass %off% \
#    url_rewrite_children %8% \
#    startup=%4% \
#    idle=%4_0% \
#    concurrency=%0% \
#    forward_max_tries %25%


#always_direct allow all
#sslproxy_cert_error allow all
# acl step1 at_step SslBump1
# ssl_bump splice localhost
# ssl_bump peek step1
#ssl_bump splice direct_host
# ssl_bump bump all


cache_mem 128 MB
maximum_object_size 8 MB
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/squid/cache 100 16 256
coredump_dir /var/squid/cache

refresh_pattern ^ftp:                  1440               20%               10080
refresh_pattern ^gopher:               1440                0%                1440
refresh_pattern -i (/cgi-bin/|\?)         0                0%                   0
refresh_pattern .                         0               20%                4320

So, why does it not start? The configuration above works well in FreeBSD12-aarch64 with SQUID 4.
Thank you for your help.
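Added pre-flight check, not part of the thread or of Squid itself: before starting the service, confirm what the file named by the `cert=` option of `http_port` actually contains. Squid's "No valid signing certificate configured" error is raised when that file cannot be loaded as a CA certificate, so two things are worth verifying: that the path in squid.conf is the same path the openssl command wrote to (in the thread the command writes `-keyout` and `-out` to `/uc/cssl/uc_proxyCA.pem`, while squid.conf points at `/uc/cssl/certs/uc_proxyCA.pem`), and that the file holds a `CERTIFICATE` block rather than only a `CERTIFICATE REQUEST` or a bare key. The script below does both by reading the PEM BEGIN/END markers, so it needs no openssl binary; all paths in it are examples.

```shell
#!/bin/sh
# Added pre-flight check for a Squid ssl-bump setup. Not from the thread:
# it inspects PEM files by their BEGIN/END markers and the http_port cert=
# option of a squid.conf, so it runs without openssl. Paths are examples.

# List the PEM block types found in a file (e.g. "CERTIFICATE", "PRIVATE KEY",
# "CERTIFICATE REQUEST"), one per line, deduplicated.
pem_blocks() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u
}

# Succeed only if the file holds an X.509 certificate block. A CSR
# ("CERTIFICATE REQUEST") or a key on its own does not satisfy cert=.
pem_has_certificate() {
  grep -q '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Print the cert= path of the first http_port line. Backslash-continued
# lines, as used in the thread's squid.conf, are joined first.
squid_cert_path() {
  awk '/\\$/ { sub(/\\$/, ""); joined = joined $0; next }
       { print joined $0; joined = "" }' "$1" \
    | grep '^http_port' \
    | sed -n 's/.*cert=\([^ ]*\).*/\1/p' \
    | head -n 1
}

# Exit codes: 0 ok, 1 no cert= option, 2 file missing, 3 file has no certificate.
check_squid_cert() {
  conf=$1
  path=$(squid_cert_path "$conf")
  if [ -z "$path" ]; then
    echo "no cert= option on http_port in $conf"; return 1
  fi
  if [ ! -f "$path" ]; then
    echo "cert file $path does not exist (compare with the -out path of the openssl command)"; return 2
  fi
  if pem_has_certificate "$path"; then
    echo "ok: $path contains: $(pem_blocks "$path" | tr '\n' ' ')"; return 0
  fi
  echo "$path has no CERTIFICATE block; found: $(pem_blocks "$path" | tr '\n' ' ')"; return 3
}

# Usage: check_squid_cert /usr/local/etc/squid/squid.conf
```

Run it against the real squid.conf before `service squid start`; a non-zero exit tells you whether the problem is the path or the file's content. `openssl x509 -in FILE -noout -text` shows the same thing in more detail, and `squid -k parse` validates the rest of the configuration once the certificate loads.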
 
This is the command line for creating certificates
That command creates a certificate signing request aka CSR. That CSR will need to be signed by a CA or certificate authority. That results in a usable certificate (a CRT). You've configured Squid to use the CSR as a certificate, which is not going to work.
 
That command creates a certificate signing request aka CSR. That CSR will need to be signed by a CA or certificate authority. That results in a usable certificate (a CRT). You've configured Squid to use the CSR as a certificate, which is not going to work.
Thank you SirDice ,
Could you point me to a tutorial for generating them and making Squid work?
Thank you.
 
It's not Squid that's configured incorrectly. You've messed up the certificates, that's all.
 
It's not Squid that's configured incorrectly. You've messed up the certificates, that's all
Frankly, I do not understand anything.
I've generated the 'uc_proxyCA.pem' certificate and put it in the appropriate folder; squid owns it (set with the chown command).
I downloaded 'cacert.pem' from https://curl.se/; squid also owns it.
What are the certificates you are talking about?
I've seen many tutorials on the net that look like my config.
I do not understand anything. I think that SQUID 5 changed something.
 
I've generated the 'uc_proxyCA.pem' certificate
No, you generated a "certificate signing request", not a certificate. That certificate signing request needs to be signed by a CA. Then you will have a certificate.
 
Hello SirDice .
You know, I generate the certificates and all the configuration using a PHP script. So when I configure manually, it works, but when I use the script, it does not.
Strange, very strange. All commands executed manually are copied from the script (copy/paste to the command prompt).
?
 