Re: [squid-users] getting a CA to take PEM format csrs

From: Jonathan Giles <[email protected]>
Date: Wed, 27 Aug 2003 10:03:05 -0400

OK I will go over the mod_ssl directions again, and test it out again.

I was able to get ssl to work before using test certs, and here is my
output...

/usr/local/squid/sbin/squid -v
Squid Cache: Version 2.5.STABLE3
configure options: --prefix=/usr/local/squid --enable-ssl

also used the ssl patch on the source then compiled.

Thanks very much for getting back so quickly!

jg

On Tuesday, August 26, 2003, at 08:07 PM, Henrik Nordstrom wrote:

> The Thawte guide for Apache mod_ssl works just fine for Squid, and
> their instructions does generate a PEM formatted CSR... and Thawte
> gives you a PEM formatted certificate back if you follow this
> procedure.
>
> The Apache guys have not confused the file formats. Apache mod_ssl
> wants PEM formatted certificates just as Squid. This is different
> from the DER format expected by many others but has the major benefit
> that the certificate can be exchanged in plain text email etc..
>
> However, if you have a CA which insists in binary DER certificates
> then OpenSSL have options to convert these to/from PEM format if
> needed.
>
>
> The error you are seeing probably means that your Squid binary is not
> SSL enabled.. what does "squid -v" say about your configure options?
> And is there any comments regarding configure options next to the
> https_port option in your squid.conf.default?
>
> Regards
> Henrik
>
>
> On Tuesday 26 August 2003 23.24, Jonathan Giles wrote:
>> hello:
>>
>> I have a working config for an https accel setup, but I have hit a
>> big problem. I have looked over the lists and have not found how
>> other people deal with this.
>>
>> I work with Thawte.com to get other certs for other https (apache)
>> servers, and they have told me they do not accept PEM anything.
>> And I understand that the csr must be in PEM for a CA to issue a
>> PEM crt. Thawte has told me it will be really hard to find a CA
>> that accepts PEM.
>>
>> How have other people here delt with this?
>>
>> Here attached is Thawte's response to my request.
>>
>> "Hi Jonathan
>>
>> The PEM format requirement is misleading, as the PEM format
>> mentioned actually refers to a standard DER format certificate, the
>> guys developing
>> the Apache standards seem to have confused the file types.
>> Therefore since
>> you are able to generate standard format CSRs, squid should also
>> work with
>> standard format certificates, even though Apache and squid are not
>> the same
>> they share the same openssl libraries.
>>
>> What error message do you receive when you restart the daemon?
>> Please send
>> us the error logs."
>>
>> Of course my logs just say Bungled conf file at the config
>>
>> Aug 25 17:22:29 owa squid: Bungled squid.conf line 62: https_port
>> 443 cert=/etc/openssl/certs/owa.clinedavis.com.test.crt
>> key=/etc/openssl/private/owa.clinedavis.com.key
>>
>> This is using the crt and key that was created using Thawte's
>> directions.
>>
>> Any suggestions would be greatly appreciated!
>>
>> jg
>>
>>
>>
>>
>>
>> ---=---=---
>> Jonathan Giles
>> Senior Unix Administrator
>> Cline Davis Mann
>> ---
>> Privileged/Confidential Information may be contained in this
>> message. If you are not the addressee indicated in this message
>> (or responsible for delivery of the message to such person), you
>> may not copy or deliver this message to anyone. In such case,
>> you should destroy this message and kindly notify the sender
>> by reply e-mail. Please advise immediately if you or your
>> employer do not consent to Internet e-mail of this kind.
>> Opinions, conclusions, and other information in this message
>> that do not relate to the official business of CDM shall
>> be understood as neither given nor endorsed by it.
>
> --
> Donations welcome if you consider my Free Squid support helpful.
> https://www.paypal.com/xclick/business=hno%40squid-cache.org
>
> If you need commercial Squid support or cost effective Squid or
> firewall appliances please refer to MARA Systems AB, Sweden
> http://www.marasystems.com/, [email protected]
>
>
>
---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann

---
Privileged/Confidential Information may be contained in this
message.  If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person), you
may not copy or deliver this message to anyone.  In such case,
you should destroy this message and kindly notify the sender
by reply e-mail.  Please advise immediately if you or your
employer do not consent to Internet e-mail of this kind.
Opinions, conclusions, and other information in this message
that do not relate to the official business of CDM shall
be understood as neither given nor endorsed by it.
Received on Wed Aug 27 2003 - 08:03:05 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:09 MST