[squid-users] ssl_crtd exited, How to debug

From: John Xue <xgxjohn_at_gmail.com>
Date: Mon, 26 Aug 2013 10:41:50 +0800

    ssl_crtd crashing and restarting squid often appeared with my old
squid 3.2.3; after upgrading to 3.2.13 this situation continues, twice a
day or so, but no longer leads to a restart.

    In my squid 3.2.13 cache log, ssl_crtd exits twice every time:
(ssl_crtd): Cannot create ssl certificate or private key.
2013/08/26 09:16:17 kid1| WARNING: ssl_crtd #2 exited
2013/08/26 09:16:17 kid1| Too few ssl_crtd processes are running (need 3/32)
2013/08/26 09:16:17 kid1| Starting new helpers
2013/08/26 09:16:17 kid1| helperOpenServers: Starting 3/32 'ssl_crtd' processes
(ssl_crtd): Cannot create ssl certificate or private key.
2013/08/26 09:16:18 kid1| "ssl_crtd" helper return <NULL> reply
2013/08/26 09:16:18 kid1| WARNING: ssl_crtd #1 exited
2013/08/26 09:16:18 kid1| Too few ssl_crtd processes are running (need 3/32)
2013/08/26 09:16:18 kid1| Starting new helpers
2013/08/26 09:16:18 kid1| helperOpenServers: Starting 3/32 'ssl_crtd' processes
2013/08/26 09:16:18 kid1| "ssl_crtd" helper return <NULL> reply

My Conf:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/key.pem

ssl_bump deny localhost
# some sites I don't want to ssl_bump
ssl_bump deny brokenssldst
ssl_bump deny denysslbumpsite
ssl_bump allow all

# some sites with broken certificates, but I need to ssl_bump them
sslproxy_cert_error allow brokensslsite
sslproxy_cert_error deny all

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/ssldb -M 4MB -b 4096
sslcrtd_children 32 startup=5 idle=3

#running another simple squid on localhost for local and another squid.
cache_peer server1.***.*** parent 3129 0 no-query no-digest no-netdb-exchange

# I allow ssl-bumped connections through the parent proxy by modifying
# forward.cc myself, because I think local to local is safe.
nonhierarchical_direct off
prefer_direct off
# those sites I don't want to ssl_bump must go out directly.
always_direct allow brokensslsite
never_direct allow all

    I don't know why ssl_crtd exited, and how do I set the debug level? I
can't find any document on the ssl_crtd debug level. Is it related to
allowing SSL-bumped connections through the parent proxy?

-- 
Regards,
John Xue
Received on Mon Aug 26 2013 - 02:41:57 MDT
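A first check worth running before raising debug levels is whether the certificate database named by `sslcrtd_program ... -s /usr/local/squid/var/ssldb -M 4MB` is initialised, writable and not over its size limit, since "Cannot create ssl certificate or private key" is what ssl_crtd reports when it cannot write a new certificate there. The script below is an added example, not code from the post or from Squid; it assumes the layout that `ssl_crtd -c -s DIR -M SIZE` creates (index.txt, serial, size, certs/) and that the `size` file records bytes used, and it builds a constructed throw-away database so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check the ssl_crtd certificate database
# that "sslcrtd_program ... -s DIR -M 4MB" points at. Assumes the layout that
# "ssl_crtd -c -s DIR -M SIZE" creates (index.txt, serial, size, certs/) and that
# the "size" file records bytes used. Prints each problem found and returns 0 only
# when the database looks usable by the user running the check.
check_ssldb() {
    db="$1"
    limit="${2:-4194304}"          # byte limit; default matches "-M 4MB" in the post
    rc=0
    if [ ! -d "$db" ]; then
        echo "MISSING: $db does not exist (initialise with: ssl_crtd -c -s $db -M 4MB)"
        return 1
    fi
    for f in index.txt serial size; do
        [ -f "$db/$f" ] || { echo "MISSING: $db/$f (database not initialised?)"; rc=1; }
    done
    [ -d "$db/certs" ] || { echo "MISSING: $db/certs directory"; rc=1; }
    if [ ! -w "$db" ] || { [ -f "$db/index.txt" ] && [ ! -w "$db/index.txt" ]; }; then
        echo "NOT WRITABLE: $db must be writable by squid's cache_effective_user"
        rc=1
    fi
    if [ -f "$db/size" ]; then
        used=$(tr -dc '0-9' < "$db/size")
        if [ -n "$used" ] && [ "$used" -ge "$limit" ]; then
            echo "FULL: $used bytes recorded, limit is $limit (possible cause of generation failures)"
            rc=1
        fi
    fi
    return "$rc"
}

# Constructed throw-away database so the check runs offline (not a real squid DB).
make_sample_db() {
    mkdir -p "$1/certs"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo "${2:-0}" > "$1/size"
}

demo=$(mktemp -d)
make_sample_db "$demo/healthy" 2048
check_ssldb "$demo/healthy" && echo "healthy: OK"
mkdir "$demo/uninitialised"
check_ssldb "$demo/uninitialised" || echo "uninitialised: problems found (expected)"
rm -rf "$demo"
```

Run it as the squid cache_effective_user against the real ssldb path, since the writability test reflects the invoking user.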