Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid ssl filter CA issues certificates for ip, not domain

    Scheduled Pinned Locked Moved Cache/Proxy
    27 Posts 6 Posters 6.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 1
      1001
      last edited by

      I have been having a problem with my Squid SSL transparent filtering where I have installed the CA on my computers, it recognizes the CA, but when I go to a webpage, it says that the certificate is invalid. I looked into it, and figured out that it was because Squid is using the CA to issue certificates for the ip addresses of the websites, not the domain name. Does anybody know how to fix this?

      1 Reply Last reply Reply Quote 0
      • J
        jzzmatt
        last edited by

        I have the same problem too, my self sign cert is not recognize , i don´t use transparent proxy
        for site blocked on my squidGuard, which are https, i receive an erro like " your connection are not private"!!

        1 Reply Last reply Reply Quote 0
        • gersonofstoneG
          gersonofstone
          last edited by

          My recomendation is create new certificatte for squid

          Papu!! :V

          1 Reply Last reply Reply Quote 0
          • 1
            1001
            last edited by

            I tried creating a new CA, but it didn't work.

            1 Reply Last reply Reply Quote 0
            • gersonofstoneG
              gersonofstone
              last edited by

              What is the issue or error?

              Add a printscreen

              Papu!! :V

              1 Reply Last reply Reply Quote 0
              • 1
                1001
                last edited by

                The issue is described in my original post.

                1 Reply Last reply Reply Quote 0
                • gersonofstoneG
                  gersonofstone
                  last edited by

                  I need the printsreen

                  ;)

                  Papu!! :V

                  1 Reply Last reply Reply Quote 0
                  • 1
                    1001
                    last edited by

                    Here is the screen shot

                    ![Screen Shot 2016-07-24 at 2.31.37 PM.png](/public/imported_attachments/1/Screen Shot 2016-07-24 at 2.31.37 PM.png)
                    ![Screen Shot 2016-07-24 at 2.31.37 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-07-24 at 2.31.37 PM.png_thumb)

                    1 Reply Last reply Reply Quote 0
                    • gersonofstoneG
                      gersonofstone
                      last edited by

                      check this, please

                      SquidVeneno is my CA for squid proxy

                      squid.png
                      squid.png_thumb

                      Papu!! :V

                      1 Reply Last reply Reply Quote 0
                      • 1
                        1001
                        last edited by

                        I changed my settings, and it now works. Thanks!

                        1 Reply Last reply Reply Quote 0
                        • gersonofstoneG
                          gersonofstone
                          last edited by

                          cool  :)

                          Papu!! :V

                          1 Reply Last reply Reply Quote 0
                          • gersonofstoneG
                            gersonofstone
                            last edited by

                            @😄:

                            check this, please

                            SquidVeneno is my CA for squid proxy

                            Papu!! :V

                            1 Reply Last reply Reply Quote 0
                            • M
                              messerchmidt
                              last edited by

                              I use a free startssl certificate for mine

                              see -> http://www.itnotes.eu/?p=3218

                              1 Reply Last reply Reply Quote 0
                              • reza3swR
                                reza3sw
                                last edited by

                                Hello friends
                                I've enabled Transparent Proxy and SSL Man In the Middle Filtering on pfsense.
                                My pfsesne version is 2.3.4-RELEASE-p1 (amd64).
                                I've implemented the following rules for HTTPS SSL.
                                SSL / MITM Mode: Splice Whitelist , Bump Otherwise
                                SSL Intercept (s): LAN
                                SSL Proxy Compatibility Mode: Modern
                                DHParams Key Size: 2048
                                CA: Self-Signed

                                I use SSL Filtering in Squid and I created a certificate in pfsense and I can login to Https through Domain Name.

                                • Tip: I have installed my certificate on the system.

                                For example, the site (https://www.roblox.com) looks like the following

                                First Photo

                                But when I log in through the IP of the same site, I get an error certificate like the one below

                                Second Photo

                                In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

                                Friends and Teachers Please advise how to resolve this issue.

                                یاد کنید مرگ را، در هم کوبنده لذات و تیره و تلخ کننده شهوات را

                                نهج البلاغه

                                1 Reply Last reply Reply Quote 0
                                • D
                                  doktornotor Banned
                                  last edited by

                                  @messerchmidt:

                                  I use a free startssl certificate for mine

                                  You cannot use any such thing, WTF. You need your own CA that's able to issue certificates on the fly for Squid.

                                  @reza3sw:

                                  In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

                                  0/ Stop SCREAMING!
                                  1/ Cannot see anything "like below". Post the error instead of huge letters.

                                  1 Reply Last reply Reply Quote 0
                                  • reza3swR
                                    reza3sw
                                    last edited by

                                    @doktornotor:

                                    @messerchmidt:

                                    I use a free startssl certificate for mine

                                    You cannot use any such thing, WTF. You need your own CA that's able to issue certificates on the fly for Squid.

                                    @reza3sw:

                                    In Android apps on the mobile phone, all connections are through the IP, and if I connect to the Internet via WIFI, that the Pfsense firewall is on the route, none of the programs will connect (such as a telegram)

                                    0/ Stop SCREAMING!
                                    1/ Cannot see anything "like below". Post the error instead of huge letters.

                                    I put two photos first, through the domain name of a site, I entered the site and the second image through the IP I entered that site. I entered the site successfully in the first photo, but in the second photo there is a certificate error.
                                    Also, in Android applications, such as the telegram, it uses the IP to connect to the server, and it does not provide a connection error.

                                    یاد کنید مرگ را، در هم کوبنده لذات و تیره و تلخ کننده شهوات را

                                    نهج البلاغه

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      doktornotor Banned
                                      last edited by

                                      @reza3sw:

                                      I put two photos first

                                      No idea where did you put two photos.

                                      1 Reply Last reply Reply Quote 0
                                      • reza3swR
                                        reza3sw
                                        last edited by

                                        @doktornotor:

                                        @reza3sw:

                                        I put two photos first

                                        No idea where did you put two photos.

                                        I am sorry I did not understand
                                        Probably a problem with my upload center, which is not a photo.

                                        I'm uploading again

                                        First Photo

                                        Second Photo

                                        یاد کنید مرگ را، در هم کوبنده لذات و تیره و تلخ کننده شهوات را

                                        نهج البلاغه

                                        1 Reply Last reply Reply Quote 0
                                        • reza3swR
                                          reza3sw
                                          last edited by

                                          I am able to log in to HTTPS sites if I enter the domain name successfully with the internal certificate, but if I get the IP address of that site, I get an error certificate?
                                          Why this error occurs?

                                          This problem is problematic on Android phones to enter programs such as telegrams that use HTTPS and IP, and the program does not work?
                                          Is there a way to set up an IP certificate?
                                          Because it seems that the internal certificate we create works properly with the domain name of the sites.
                                          Thank you friends

                                          یاد کنید مرگ را، در هم کوبنده لذات و تیره و تلخ کننده شهوات را

                                          نهج البلاغه

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            doktornotor Banned
                                            last edited by

                                            This is an expected and documented behaviour, and not any issue with Squid. You would get exactly the same "problem" without Squid.

                                            https://wiki.squid-cache.org/Features/MimicSslServerCert

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.