Add trusted root CA issuer to Squid



  • Hello,

    I'm using squid as a man in the middle proxy. When I try to connect to a legitimate German website I get the following certificate error:

    Der folgende Fehler wurde beim Versuch die URL https://suche.soldan.de/* zu holen festgestellt:

    Konnte keine sichere Verbindung zu 217.148.29.185 herstellen

    The system returned:


    (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
    SSL Certficate error: certificate issuer (CA) not known: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2

    How can I add the GlobalSign root certificate to squid so that squid will accept the certificate?

    I think I have to add the certificate to the Linux "ca-certificates" folder. But how can I do this within pfSense?

    Thanks



  • But how can I do this within pfsense?

    System- Cert. Manager?



  • Tried it but it's not working.



  • Any error messages?  Anything in System log?  This kind of stuff is why I never run squid in transparent mode.  So many hassles with certificates, especially on the client end.


  • It is indeed so - the issuer is unknown even on non-pfSense SSL-bumping Squid.
    I would try something like https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html



  • I would throw it all in the garbage and go with explicit squid + WPAD + DHCP Option 252.



  • If you change pfSense / Services / Squid Proxy Server / General tab, then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from Splice Whitelist, Bump Otherwise to Splice All,

    the problem can be solved this way.

    OR

    With the default value of the SSL/MITM Mode, Splice Whitelist, Bump Otherwise, you can go to the ACLs tab and add the desired web site URL to the Whitelist area, i.e. online.kktcmaliye.com



  • @sichent This link shows what to do in CentOS or Ubuntu and clearly states (in the discussion) that it is not for pfSense.
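A worked reproduction of the error in the first post, added here as an example and not part of the thread, of Squid or of pfSense. It builds a constructed root / intermediate / leaf chain with the openssl CLI, shows that verifying the leaf against a bundle that holds only the root produces "unable to get local issuer certificate" (the text behind X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the code Squid reported), and shows that appending the missing issuer to the bundle clears it. That is the usual cause of this error in a bumping proxy: the web server sends only its leaf, the proxy's store has only roots, and the intermediate is found nowhere. All certificate names are made up, and `build_demo_chain`, `issuer_of`, `verify_against_bundle` and `add_issuer_to_bundle` are this example's own helpers.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce and clear the
# "unable to get local issuer certificate" condition offline.
# Assumes the openssl CLI is installed; every name below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway demo PKI: Demo Root CA -> Demo Intermediate CA -> www.example.test
build_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  # Self-signed root: the kind of certificate a system trust store already holds.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Demo Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate signed by the root: the piece a misconfigured server fails to send.
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  # Leaf (server) certificate signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Which CA does the leaf claim as its issuer? This is the name the proxy
# reports as "certificate issuer (CA) not known" when the store lacks it.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Verify a leaf against a CA bundle the way the proxy's OpenSSL does.
# Prints "ok" on success, otherwise the X509 verify error text, and returns 1.
verify_against_bundle() {
  bundle="$1"; leaf="$2"
  if out="$(openssl verify -CAfile "$bundle" "$leaf" 2>&1)"; then
    echo ok
  else
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    return 1
  fi
}

# The fix: append the missing issuer certificate to the bundle the proxy trusts.
add_issuer_to_bundle() {
  bundle="$1"; issuer="$2"
  cat "$issuer" >> "$bundle"
}

main() {
  build_demo_chain
  echo "Leaf issuer : $(issuer_of "$WORK/leaf.pem")"
  echo "Root only   : $(verify_against_bundle "$WORK/root.pem" "$WORK/leaf.pem" || true)"
  cp "$WORK/root.pem" "$WORK/bundle.pem"
  add_issuer_to_bundle "$WORK/bundle.pem" "$WORK/inter.pem"
  echo "With issuer : $(verify_against_bundle "$WORK/bundle.pem" "$WORK/leaf.pem")"
}

main
```

The second verification succeeds only because the bundle now contains the intermediate named in the leaf's issuer field, which is exactly what the Diladele FAQ linked above does for a system CA store. Squid reads such a bundle through `sslproxy_cafile` (Squid 3.5) or `tls_outgoing_options cafile=` (Squid 4 and later); where the pfSense Squid package exposes that path is not covered on this page.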

