Error certificates for reverse proxy since upgrade to squid 0.4.44_19


  • Hi,

    Since the upgrade to squid 0.4.44_19, my reverse proxy no longer works.

    In the system logs, the certificate which was used until then with the old versions of squid is not recognized:

    *php-fpm /pkg_edit.php: La commande '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' a retourné un code de sortie '1', la sortie était '2020/04/07 16:17:53| FATAL: No valid signing certificate configured for HTTPS_port 192.168.1.2:443 2020/04/07 16:17:53| Squid Cache (Version 4.9): Terminated abnormally. CPU Usage: 0.067 seconds = 0.067 user + 0.000 sys Maximum Resident Size: 77056 KB Page faults with physical i/o: 0'

    squid FATAL: No valid signing certificate configured for HTTPS_port 192.168.1.2:443*

    If I leave the reverse proxy active, it is impossible to restart the squid service...

    Does someone have any idea?

    Thanks.

    Emeric.


  • Hi,

    I have the same problem with squid 0.4.44_20.

    Thanks.

    Emeric.


  • After the update to squid 0.4.44_20, squid doesn't start anymore.


  • wait for 0.4.44_21 (~1 hour)
    or apply this patch:
    https://redmine.pfsense.org/issues/10434#note-4


  • 0.4.44_21 is ready, works OK


  • @viktor_g

    Hi!

    OWA Reverse Proxy still not working. Gives HTTP ERROR 403

    and on the Exchange server there is a flood of Event 36887 Schannel errors, with TLS fatal error code: 80


  • @ic_attila said in Error certificates for reverse proxy since upgrade to squid 0.4.44_19:

    @viktor_g

    Hi!

    OWA Reverse Proxy still not working. Gives HTTP ERROR 403

    and on the Exchange server there is a flood of Event 36887 Schannel errors, with TLS fatal error code: 80

    Can you provide more details about your squid reverse proxy configuration?
    The content of /usr/local/etc/squid/squid.conf can also be useful.

    The latest update only affects squid ACLs by adding IDN hostname support.


  • @viktor_g Good morning!

    here are some logs and a link that may be useful:

    squid_redacted.conf.txt

    exchange_error_event_36887.txt

    403.png

    Event ID 36887 Schannel - Windows Server

    Is there a way to revert to 0.4.44_18? We had no configuration change, just updated the package. At _18 it was working about 130 - 140 days without restarting.


  • @ic_attila
    A bug in 0.4.44_18-20 created invalid cert files;
    this is why the SSL/TLS errors happened.
    Please update to 0.4.44_21, re-apply the configuration
    and check the contents of the cert files:

    /usr/local/etc/squid/5ae6266c036e3.crt
    /usr/local/etc/squid/5ae6266c036e3.key

    • they must be non-empty
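
One way to script the check Viktor describes, as an added shell example that is not from the thread or the pfSense squid package: it confirms the two files are non-empty, carry PEM markers, and (when `openssl` is installed) that the private key actually belongs to the certificate. The paths are the ones quoted above; the function names `check_pem_file` and `check_squid_cert_pair` are my own.

```sh
#!/bin/sh
# Added example (not from the thread or the pfSense squid package):
# verify that the reverse-proxy certificate and key files squid will load
# are non-empty, structurally PEM, and (when openssl is available) match.

# Check that a file is non-empty and carries the expected PEM BEGIN/END
# markers. $1 = path, $2 = grep pattern for the block type.
check_pem_file() {
    f="$1"
    pat="$2"
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty" >&2
        return 1
    fi
    if ! grep -q -- "-----BEGIN ${pat}-----" "$f"; then
        echo "FAIL: $f has no BEGIN ${pat} marker" >&2
        return 1
    fi
    if ! grep -q -- "-----END ${pat}-----" "$f"; then
        echo "FAIL: $f has no END ${pat} marker" >&2
        return 1
    fi
    return 0
}

# Check that certificate ($1) and private key ($2) form a usable pair:
# both must be non-empty PEM, and if openssl is installed the public key
# derived from the private key must equal the one in the certificate.
check_squid_cert_pair() {
    crt="$1"
    key="$2"
    check_pem_file "$crt" "CERTIFICATE" || return 1
    # matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY
    check_pem_file "$key" ".*PRIVATE KEY" || return 1
    if command -v openssl >/dev/null 2>&1; then
        crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
            echo "FAIL: openssl cannot parse certificate $crt" >&2; return 1; }
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
            echo "FAIL: openssl cannot parse private key $key" >&2; return 1; }
        if [ "$crt_pub" != "$key_pub" ]; then
            echo "FAIL: private key does not match certificate" >&2
            return 1
        fi
    fi
    echo "OK: $crt and $key look usable"
    return 0
}

# Usage with the two paths named in the thread (the hex prefix in the file
# name is generated per install, so substitute your own):
# check_squid_cert_pair /usr/local/etc/squid/5ae6266c036e3.crt \
#                       /usr/local/etc/squid/5ae6266c036e3.key
```

Run it after "re-apply configuration" and before restarting squid: an empty or truncated file produces exactly the "No valid signing certificate configured" FATAL seen at the top of the thread, and the key/cert mismatch check catches the case where pfSense regenerated one file but not the other.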

  • @viktor_g Dear Viktor,

    I've installed _21. The strange thing is that I can’t do a clean install. I’ve unchecked the “Keep Settings/Data” but after package reinstall all my settings are in place. Even if I deleted the entire /usr/local/etc/squid directory. No matter if I click reinstall or remove package and install it from the “Available Packages”. There is one thing to mention. I haven’t restarted the whole system after I noticed this error. Would it be desirable?
    And yes, you are right. Those two files are not empty now. It seems working with other HTTPS reversing. Only the OWA part isn’t working.


  • @ic_attila said in Error certificates for reverse proxy since upgrade to squid 0.4.44_19:

    @viktor_g Dear Viktor,

    I've installed _21. The strange thing is that I can’t do a clean install. I’ve unchecked the “Keep Settings/Data” but after package reinstall all my settings are in place.

    I'll check it.
    You can also create redmine issue:
    https://docs.netgate.com/pfsense/en/latest/development/bug-reporting.html

    Even if I deleted the entire /usr/local/etc/squid directory. No matter if I click reinstall or remove package and install it from the “Available Packages”. There is one thing to mention. I haven’t restarted the whole system after I noticed this error. Would it be desirable?

    Actually, your squid.conf looks fine,
    but you can try to restart the system if it is possible.

    And yes, you are right. Those two files are not empty now. It seems working with other HTTPS reversing. Only the OWA part isn’t working.

    Can you post squid error log to check OWA?

    There are no changes in the OWA code from 0.4.44_18 to _21;
    list of changes:

    • IPv6 transparent mode support
    • IPv6 addresses in localnet ACL ('Allow Users on Interface')
    • IPv6 addresses ACL support
    • extra WebGUI input validations
    • whitelist/blacklist IDN hostnames support

  • @viktor_g I'll reboot it in 3 hours. I'll report back after that.


  • @viktor_g Rebooted, nothing changed.
    And because the Event 36887 Schannel errors on the Exchange side say TLS handshake error, I just turned on “Ignore Internal Certificate Validation” under “Intermediate CA Certificate”. I’m not sure if this is OK from a security standpoint, but it is working now.


  • @viktor_g, thanks for 0.4.44_21.

    I made myself a test platform identical to my prod then I tested an update to 0.4.44_21. It's OK for my reverse proxy.

    I will test the update on my prod tonight


  • After updating my DEV, QA and PRD servers to 0.4.44_21, the squid reverse proxy works fine. Many thanks!


  • @viktor_g, finally

    I checked the logs after the upgrade to 0.4.44_21.
    The reverse proxy works well,
    but for each request arriving on the reverse proxy I have the following error:

    NONE/000	error:transaction-end-before-headers
    

    I didn't have this before.

    Do you have any idea ?

    Thanks


  • @emeric

    *Unused connections received in http_port or https_port or transactions terminated before reading[parsing] request headers logged with URI error:transaction-end-before-headers.

    These errors are meant to be logged for clients that open and close connections without sending any HTTP headers (or without sending complete HTTP headers — you can log HTTP request size to distinguish these two cases).*

    What is your pfSense version? 2.4.4-p3 or 2.4.5?

    Please give us more information about your squid setup.

    Do you use squid for your clients? In transparent mode?
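
To turn the explanation quoted above into something actionable, here is an added shell/awk example (not from the thread or from squid) that triages `error:transaction-end-before-headers` entries in a squid access.log by client address. It assumes squid's default native log format (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy, type); the sample log is constructed and uses documentation IP ranges, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread or from squid): group
# error:transaction-end-before-headers entries by client so you can see
# whether they come from a few addresses (health checks, scanners,
# browsers' speculative preconnects) or from everyone.

# Print "client count" for every client that produced such entries,
# most frequent first. $1 = path to a native-format squid access.log.
summarize_no_header_clients() {
    # field 7 is the URL column; field 3 is the client address
    awk '$7 == "error:transaction-end-before-headers" { n[$3]++ }
         END { for (c in n) print c, n[c] }' "$1" | sort -k2,2nr
}

# Print the total number of such entries (0 when there are none).
count_no_header_entries() {
    awk '$7 == "error:transaction-end-before-headers" { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample log (not real traffic): 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1586271473.101      0 203.0.113.5 NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1586271473.205     12 198.51.100.7 TCP_MISS/200 5342 GET https://owa.example.com/owa/ - FIRSTUP_PARENT/10.0.0.10 text/html
1586271474.330      0 203.0.113.5 NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1586271475.002      0 198.51.100.7 NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
EOF

# Usage: prints the per-client summary and the total for the sample.
summarize_no_header_clients "$SAMPLE_LOG"
count_no_header_entries "$SAMPLE_LOG"
```

Point the functions at `/var/squid/logs/access.log` on pfSense instead of `$SAMPLE_LOG`. If the same handful of internet addresses dominate, the entries are connection probes rather than a proxy fault; to separate "no headers at all" from "incomplete headers", as the quoted squid documentation suggests, add the request size (`%>st`) to a custom `logformat` so the two cases show up with different sizes.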


  • Thanks for the time you are taking on my problem.

    On my test platform I am on 2.4.5 and the version of squid is 0.4.44_22.

    Clients (internet) access my websites by the reverse proxy (squid).

    I have activated the proxy, but not in transparent mode and only for my users on the LAN going to the internet (so internet clients are not affected by this proxy).

    I checked my Headers Handling configuration in Squid:

    4ae0c07f-77f9-4a9f-929b-ce8b13f067df-image.png

    Do you need more information?


  • @emeric what if you disable squid for LAN users?
    or disable reverse squid?
    Will you see the same errors?