Add trusted root CA issuer to Squid

  • Hello,

    I'm using Squid as a man-in-the-middle proxy. When I try to connect to a legitimate German website, I get the following certificate error:

    Der folgende Fehler wurde beim Versuch die URL* zu holen festgestellt:

    Konnte keine sichere Verbindung zu herstellen

    The system returned:

    (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
    SSL Certficate error: certificate issuer (CA) not known: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2

    How can I add the GlobalSign root certificate to Squid so that Squid will accept the certificate?

    I think I have to add the certificate to the Linux "ca-certificates" folder. But how can I do this within pfSense?


  • But how can I do this within pfSense?

    System > Cert. Manager?

  • Tried it but it's not working.

  • Any error messages?  Anything in System log?  This kind of stuff is why I never run squid in transparent mode.  So many hassles with certificates, especially on the client end.

  • It is indeed so - the issuer is unknown even on a non-pfSense SSL-bumping Squid.
    I would try something like

  • I would throw it all in the garbage and go with explicit squid + WPAD + DHCP Option 252.

  • If you go to pfSense / Services / Squid Proxy Server / General tab, then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from Splice Whitelist, Bump Otherwise to Splice All,

    the problem can be solved this way.


    With the default value of the SSL/MITM Mode, Splice Whitelist, Bump Otherwise, you can go to the ACLs tab and add the desired website URL to the Whitelist area, i.e.:

  • @sichent This link shows what to do in CentOS or Ubuntu and clearly states (on discussion) that it is not for pfSense.
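
The error from the first post can be reproduced offline. The script below is an added example, not from the thread: it builds a constructed root, issuing CA and leaf (all subjects and file names are made up) and shows that OpenSSL reports error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) when the certificate of the leaf's issuer is neither in the trust store nor supplied with the chain, and that either of those two changes clears it.

```shell
#!/bin/sh
# Added example. Every name, subject and file below is constructed for the demo.

# build_chain DIR: create a throwaway root -> issuing CA -> leaf chain in DIR.
build_chain() (
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  key()  { openssl req -config ca.cnf -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
  sign() { openssl x509 -req -CAcreateserial -days 2 "$@" 2>/dev/null; }
  key -x509 -extensions v3_ca -days 2 -subj "/CN=Constructed Root CA" \
      -keyout root.key -out root.pem &&
  key -new -subj "/CN=Constructed Issuing CA" -keyout int.key -out int.csr &&
  sign -in int.csr -CA root.pem -CAkey root.key \
       -extfile ca.cnf -extensions v3_ca -out int.pem &&
  key -new -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr &&
  sign -in leaf.csr -CA int.pem -CAkey int.key -out leaf.pem
)

# verify_leaf DIR TRUSTFILE [UNTRUSTED]: print openssl's verdict, return its status.
# UNTRUSTED stands in for extra certificates the server sends with its leaf.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1/$2" "$1/leaf.pem" 2>&1
  fi
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" || { echo "openssl failed to build the chain" >&2; exit 1; }
echo "--- trust store holds only the root, server sends only the leaf:"
verify_leaf "$demo_dir" root.pem || true
echo "--- issuing CA added to the trust store:"
cat "$demo_dir/root.pem" "$demo_dir/int.pem" > "$demo_dir/bundle.pem"
verify_leaf "$demo_dir" bundle.pem || true
echo "--- server sends the issuing CA along with the leaf:"
verify_leaf "$demo_dir" root.pem int.pem || true
rm -rf "$demo_dir"
```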
