Netgate Discussion Forum
    Squid SSL serverkey.pem problem

    Category: Cache/Proxy
    15 Posts 3 Posters 4.5k Views
    doktornotor:

      There is no place to select anything intermediate there.

    afbkk:

        @doktornotor:

        There is no place to select anything intermediate there.

        Well, it really makes no difference whether I choose root CA or intermediate CA, does it?

    doktornotor:

          Yes, but you are confusing the hell out of me talking about a field that does not exist.

          The code takes the key and cert "as is" from the cert manager. Re-import the CA(s) and fix the private key in the Cert Manager, or get the feature fixed so that it replaces the linebreaks on import.

          https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1123
          https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1167

          It works just fine with CAs generated on pfSense itself.

    doktornotor:

            To make it really clear and readable, this is what Squid does with the CA/private key:

            require_once("certs.inc");
            /* Squid package settings exactly as stored in config.xml */
            $settings = $config['installedpackages']['squid']['config'][0];
            $crt_pk = "/tmp/serverkey.pem";
            /* The CA the package is configured with ('dca'); 'prv' and 'crt' are the
               base64-encoded textarea contents from the Cert Manager, stored verbatim */
            $srv_cert = lookup_ca($settings["dca"]);
            if (base64_decode($srv_cert['prv'])) {
            	/* Key and cert are written one after the other with no line-ending cleanup */
            	file_put_contents($crt_pk, base64_decode($srv_cert['prv']) . base64_decode($srv_cert['crt']));
            }
            /* echo rather than printf, so a '%' in the PEM is not treated as a format directive */
            echo file_get_contents($crt_pk);


            Now, you can run it from Diagnostics - Command Prompt and see what you get. (The file will end up in /tmp/serverkey.pem so you can download it as well and look at what it produced.)

            IOW: This Cert Manager code should replace the DOS line endings \r\n crap with \n. In fact, every textarea input on pfSense should do the same, automatically, without any need to do anything at all with the stuff stored in config.xml for it to be usable. Tired of hacking around it in packages.

            $ grep sq_text_area_decode /usr/local/pkg/squid*.inc | wc -l
            20


            Absurd. I thought I'd file a bug, but I already did. Rotting there for 1.5 years. https://redmine.pfsense.org/issues/5306

    afbkk:

              OK, so the PHP code you've supplied produced the very same \r\n as Squid does. Now I've tried to reinsert the CA in the cert manager, double-checking that there is no such nonsense. It didn't help, though. Is there any workaround yet? There is already this function in squid.inc:

              /* Handle base64 encoding and linebreaks in textarea configuration fields */
              function sq_text_area_decode($text) {
              	return preg_replace('/\r\n/', "\n", base64_decode($text));
              }


              Also, I've checked bug #5306, which you filed some time ago; you have the link there, but it's not functional anymore:

              https://github.com/doktornotor/pfsense-packages/blob/patch-2/config/squid3/34/squid.inc#L85

              Thanks!

    doktornotor:

                The link was to what I once again linked above. The code in Squid takes the CA cert/key as stored in config.xml, base64_decode()s it (incl. any DOS linebreaks) and plops the key and cert together in one file.

                If you want to fix the CA manager, put the preg_replace to the (once again already linked) CA Manager code:
                base64_encode(preg_replace('/\r\n/', "\n", $pconfig['cert']));
                base64_encode(preg_replace('/\r\n/', "\n", $pconfig['key']));


                Otherwise, you might want to use a usable Windows editor, such as Notepad++, to fix linebreaks and paste the cert/key.

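The pipeline discussed in the posts above (Cert Manager base64-encodes the textarea verbatim, squid.inc decodes key and cert and concatenates them into serverkey.pem, sq_text_area_decode and the proposed CA Manager preg_replace strip the CRLFs) can be reproduced end to end without a pfSense box. The following is an added example written for this page; it is not code from pfSense or the Squid package. The PEM blocks are constructed placeholders with filler base64 bodies (not a real key or certificate), and the function names are mine. It also goes a step further than the thread's preg_replace('/\r\n/', ...) by folding a bare \r as well, since that would survive the CRLF-only replacement.

```python
import base64
import re

# Constructed sample material: PEM-shaped placeholders, not a real key or
# certificate. The bodies are base64-looking filler so the structure checks
# have something to inspect; they do not decode to valid DER. CRLF endings
# mimic what ends up in config.xml when the thread's bug shows up.
KEY_PEM_CRLF = (
    "-----BEGIN PRIVATE KEY-----\r\n"
    "MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAu7x5\r\n"
    "ZmFrZS1rZXktbWF0ZXJpYWwtZm9yLWEtZm9ydW0tZXhhbXBsZQ==\r\n"
    "-----END PRIVATE KEY-----\r\n"
)
CERT_PEM_CRLF = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBszCCAV2gAwIBAgIJAKm6f2zJd0hxMA0GCSqGSIb3DQEBCwUA\r\n"
    "ZmFrZS1jZXJ0LWJvZHktZm9yLWEtZm9ydW0tZXhhbXBsZQ==\r\n"
    "-----END CERTIFICATE-----\r\n"
)

PEM_MARKER = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def cert_manager_store_as_is(pem: str) -> str:
    """What the Cert Manager does today: base64_encode() the textarea verbatim."""
    return base64.b64encode(pem.encode()).decode()


def cert_manager_store_fixed(pem: str) -> str:
    """The import-side fix proposed in the thread, normalising line endings
    before encoding. A bare \\r is folded too (assumption of this example);
    preg_replace('/\\r\\n/', ...) alone would leave it in place."""
    return base64.b64encode(re.sub(r"\r\n?", "\n", pem).encode()).decode()


def sq_text_area_decode(text: str) -> bytes:
    """Python port of the squid.inc helper: decode, then turn CRLF into LF."""
    return re.sub(rb"\r\n", b"\n", base64.b64decode(text))


def squid_build_serverkey(prv_b64: str, crt_b64: str, decode=base64.b64decode) -> bytes:
    """Mirror of the squid.inc code quoted above: decode key and cert 'as is'
    and concatenate them into one file. Pass decode=sq_text_area_decode to see
    what the package would write if it used its own helper on this path."""
    return decode(prv_b64) + decode(crt_b64)


def pem_problems(data: bytes) -> list:
    """Report why Squid would refuse the file: stray CR (^M) bytes, lines that
    are neither a PEM marker nor base64, and unbalanced BEGIN/END markers."""
    problems = []
    if b"\r" in data:
        problems.append("CR (^M) bytes present")
    depth = 0
    for n, raw in enumerate(data.split(b"\n"), 1):
        line = raw.decode("ascii", "replace")
        if line == "":
            continue
        m = PEM_MARKER.match(line)
        if m:
            depth += 1 if m.group(1) == "BEGIN" else -1
            if depth not in (0, 1):
                problems.append(f"line {n}: unbalanced PEM marker")
        elif not B64_LINE.match(line):
            problems.append(f"line {n}: not a PEM marker or base64: {line!r}")
    if depth != 0:
        problems.append("BEGIN without matching END")
    return problems


def fix_serverkey(data: bytes) -> bytes:
    """Equivalent of removing every ^M from serverkey.pem in vi."""
    return data.replace(b"\r", b"")


if __name__ == "__main__":
    prv, crt = cert_manager_store_as_is(KEY_PEM_CRLF), cert_manager_store_as_is(CERT_PEM_CRLF)
    for p in pem_problems(squid_build_serverkey(prv, crt)):
        print("as-is:", p)
    prv, crt = cert_manager_store_fixed(KEY_PEM_CRLF), cert_manager_store_fixed(CERT_PEM_CRLF)
    print("fixed:", pem_problems(squid_build_serverkey(prv, crt)) or "clean")
```

Running it shows the as-is path producing a file where every line, markers included, ends in a CR and therefore fails the structure check, while either fix (normalising on import, or decoding through sq_text_area_decode) yields a clean key-then-cert file; pem_problems is also a quick way to vet a serverkey.pem pulled off a box before restarting Squid.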
    afbkk:

                  Thanks.

                  FYI, I have Ubuntu on my desktop, and all copy-paste has been done from vim :-)

                  Anyway, thanks for your time.

                  JK

    doktornotor:

                    Huh, were the certificates generated on Windows, or what?

    afbkk:

                      Nope, all certificates have been generated by openssl on centos6.

                      JK

    malinmad:

                        Hi,

                        I know this is an old topic, but there was no answer, and this is a very frustrating bug that I've also faced… I have 17 pfSense firewalls in the field (mostly the same version, 2.3.2-RELEASE (amd64)) and this bug appears randomly on some of them.

                        Saving the "Squid" config will break the certificate file "serverkey.pem" by adding "^M" at the end of each line, and Squid will refuse to launch...

                        Recreating the certificate in "certificate manager" does not fix the issue. (Tried copying certdata from notepad++ and other means...)

                        Here is how I temporarily fixed my issue:
                        1-I modify the "serverkey.pem" file with vi to remove all "^M" and validate that SQUID can start
                        2-I run the following command to make the file immutable (cannot be changed) (in SHELL):
                        chflags schg serverkey.pem
                        3-When I click "SAVE" in "SQUID CONFIGS", now PFSENSE can't modify the file anymore and can't break SQUID and prevent it from starting...

                        This is OK for me as my certificate will only expire in 10 years... I've also documented where I had to put that workaround... However, a definitive fix would be awesome... Maybe there is something I am missing...

                        Kind regards,

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.