Add trusted root ca issuer to squid
-
Hello,
I'm using squid as a man-in-the-middle proxy. When I try to connect to a legitimate German website I get the following certificate error:
Der folgende Fehler wurde beim Versuch die URL https://suche.soldan.de/* zu holen festgestellt:
Konnte keine sichere Verbindung zu 217.148.29.185 herstellen
The system returned:
…
(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
How can I add the GlobalSign root certificate to squid so that squid will accept the certificate?
I think I have to add the certificate to the Linux "ca-certificates" folder. But how can I do this within pfSense?
Thanks
-
But how can I do this within pfsense?
System- Cert. Manager?
-
Tried it but it's not working.
-
Any error messages? Anything in System log? This kind of stuff is why I never run squid in transparent mode. So many hassles with certificates, especially on the client end.
-
It is indeed so - the issuer is unknown even on non-pfSense SSL-bumping Squid.
I would try something like https://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html
-
I would throw it all in the garbage and go with explicit squid + WPAD + DHCP Option 252.
-
If you go to pfSense / Services / Squid Proxy Server / General tab, then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from "Splice Whitelist, Bump Otherwise" to "Splice All",
the problem can be solved this way.
OR
With the default value of the SSL/MITM Mode, "Splice Whitelist, Bump Otherwise", you can go to the ACLs tab and add the desired web site URL to the Whitelist area, i.e. online.kktcmaliye.com
-
@sichent This link shows what to do in CentOS or Ubuntu and clearly states (on discussion) that it is not for pfSense.
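What the error in the first post means, and what the fix the linked page describes amounts to, shown as an added example that is not from this thread, from Squid or from pfSense: a constructed three-level chain is checked with openssl against a bundle holding only the root, which fails with OpenSSL error 20 ("unable to get local issuer certificate", the same condition Squid reports as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), then the missing issuer is appended to the bundle and the check passes. All names, keys and PEM files are constructed in a temp directory; it assumes openssl is installed and, as the error text suggests, that the unknown issuer is an intermediate CA the server does not send. Where pfSense keeps the bundle Squid reads is not established by this thread, so only the verification behaviour is shown.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with a
# constructed root -> intermediate -> leaf chain, then fix it by adding the
# missing issuer to the trusted bundle. Assumes openssl is on PATH.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA (self-signed) and intermediate CA (signed by the root).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 365 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 365 -extfile ca.ext 2>/dev/null

# Constructed leaf certificate issued by the intermediate, as a web server
# would present it (without sending the intermediate itself).
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 365 2>/dev/null

# check_chain BUNDLE: openssl's verdict on leaf.pem when only the certificates
# in BUNDLE are trusted (no system CA directory). Prints "OK" or the
# verify error text, e.g. "unable to get local issuer certificate".
check_chain() {
  out=$(openssl verify -CAfile "$1" -no-CApath leaf.pem 2>&1) && { echo OK; return 0; }
  echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# 1) Bundle holds only the root: the chain cannot be completed locally.
cp root.pem bundle.pem
echo "root only:        $(check_chain bundle.pem)"

# 2) Append the missing issuer (the intermediate): verification now succeeds.
cat int.pem >> bundle.pem
echo "root+intermediate: $(check_chain bundle.pem)"
```

The same check against a live server is `openssl s_client -showcerts`, which reveals whether the server omits the intermediate; appending that intermediate to the bundle Squid trusts is the fix, not disabling verification.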