Netgate Discussion Forum
Squid3-dev - Certificate Error, Despite Importing CA

pfSense Packages
12 Posts 4 Posters 10.0k Views
ElectroPulse (last edited by Oct 1, 2013, 1:47 PM)

Hello, all!

Squid3-dev + Squidguard set up, and they're blocking pages through HTTP and HTTPS just fine. The problem is, it's throwing certificate errors at about every secure page that is opened, despite having the CA trusted.

For example, if they try going to mail.google.com, it throws this error:

"Technical Details

accounts.google.com uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)"

Any idea how to make this work?

I was doing some reading about this, and it sounds like it's because some name doesn't match on the certificates… It sounded like setting up something that would dynamically create a certificate (using SSL-Bump) could fix this. However, I have yet to find a tutorial on how to do this with Squid installed on pfSense... Is this what I need to be looking for?

Thanks!
ElectroPulse
marcelloc (last edited by Oct 1, 2013, 9:49 PM; Oct 1, 2013, 9:47 PM)

Just select "accept remote certificate errors" at the Remote Cert checks option on the GUI.

This way the client will receive an alert from the browser instead of a squid error page if you access a site with an invalid certificate.

Treinamentos de Elite (Elite Training): http://sys-squad.com

Help a community developer! ;D
milanojs (last edited by Oct 1, 2013, 9:48 PM)

Hi! Bro, I have the same issue with the Mozilla Firefox and IE10 web browsers. Tomorrow I will try the setup with another cert; at the moment I'm using a self-signed cert from the option in System -> Cert Manager -> Internal CA. I will use a cert from cacert.org; I'll test and let you know.
marcelloc (last edited by Oct 1, 2013, 9:51 PM)

@milanojs:

Hi! Bro, I have the same issue with the Mozilla Firefox and IE10 web browsers. Tomorrow I will try the setup with another cert; at the moment I'm using a self-signed cert from the option in System -> Cert Manager -> Internal CA. I will use a cert from cacert.org; I'll test and let you know.

This is a problem with the remote certificate, not the pfSense CA certificate.

If you install the pfSense CA crt on the browser, it will not complain about certificates on sites that have SSL working fine.

Treinamentos de Elite (Elite Training): http://sys-squad.com

Help a community developer! ;D
milanojs (last edited by Oct 1, 2013, 10:08 PM)

Ugh, sorry, I don't get it. I just did the thing that you said, and nothing. Any clue?

Just select "accept remote certificate errors" at the Remote Cert checks option on the GUI.

[attachment: err_certificates.png]
ElectroPulse (last edited by Oct 2, 2013, 2:38 AM; Oct 2, 2013, 1:56 AM)

@marcelloc:

@milanojs:

Hi! Bro, I have the same issue with the Mozilla Firefox and IE10 web browsers. Tomorrow I will try the setup with another cert; at the moment I'm using a self-signed cert from the option in System -> Cert Manager -> Internal CA. I will use a cert from cacert.org; I'll test and let you know.

This is a problem with the remote certificate, not the pfSense CA certificate.

If you install the pfSense CA crt on the browser, it will not complain about certificates on sites that have SSL working fine.

Yea, that's what everyone keeps saying…

Unfortunately, I haven't been able to make that happen. I add the CA certificate (not the site's certificate) to the client's computer, and it throws the error that I quoted in the OP (sometimes it also says "This certificate is only valid for [insertdomainhere].com").

I also made the change that you recommended, and still no dice.

EDIT: Also, one other thing… I noticed that someone mentioned something about a .der file for the CA certificate. The one I have is a .crt... Do I have the wrong type of certificate for this? I created a CA cert in the Cert Manager, then exported it, and have been importing it into client browsers.

Another thing... I have heard mention of creating a "Root Certificate." This is the same thing as creating an "Internal Certificate Authority," correct?
marcelloc (last edited by Oct 2, 2013, 3:42 AM)

While importing the CA certificate to the user's browser, you must add it as a trusted CA instead of automatic import.

Treinamentos de Elite (Elite Training): http://sys-squad.com

Help a community developer! ;D
ElectroPulse (last edited by Oct 2, 2013, 5:52 AM)

@marcelloc:

While importing the CA certificate to the user's browser, you must add it as a trusted CA instead of automatic import.

Yea, that's what I do. I manually go to the import button under Tools and Settings, then import the CA cert from the location on the network where I put it.

It's still throwing the error in the OP… "The certificate is not trusted because no issuer chain was provided." is what I am paying attention to right now. What is an issuer chain?
marcelloc (last edited by Oct 2, 2013, 10:43 AM)

Check the site certificate info.

If the issuer is 'not trusted by ca_name', then squid is doing its part.

Is it happening with any SSL site?

Treinamentos de Elite (Elite Training): http://sys-squad.com

Help a community developer! ;D
ElectroPulse (last edited by Oct 2, 2013, 2:09 PM; Oct 2, 2013, 2:05 PM)

Hmm… I believe I've figured it out.

It looks like my perception of what the issue was was really a compilation of a couple of things.

1. On a couple of computers, I missed the checkbox "This certificate can identify websites," so they were throwing certificate errors for all secure websites.
2. Other computers that DID have the checkbox checked were throwing certificate errors whenever they would reach the block page (for some reason, the computers that are in VLAN 4 (192.168.4.0/24 network) throw a certificate error ("The certificate is not trusted because no issuer chain was provided.") when they are redirected to the block page of VLAN 2 (192.168.2.0/24 network). They are able to access the block page, but regardless of what I do they throw the certificate error... Computers on VLAN 2 don't have this issue. Looking into a way to make the block page use HTTP).

I'm guessing I was combining these two things, and thinking that all computers had both (it seemed that the computers I tested it on did).

Sorry for wasting your time! Hopefully the other guy with this issue can fix it (I'm guessing the checkbox isn't checked for the CA?).
milanojs (last edited by Oct 2, 2013, 7:06 PM)

I was installing the PEM certificate on the web browser.

1. I have changed the cert (just added more custom data).
2. Selected it on proxy in the proxy SSL settings.
3. Go to Cert Manager in System and download the CRT file for the new CA cert.
4. Go to all the browsers and import the CRT, and we are good to go. Sorry for wasting your time @marcelloc and @electricpulse.
mohanrao83 (last edited by Jun 18, 2014, 4:55 PM)

I have only one LAN network, 172.16.0.0/16, with 800 computers.
I have the same issue.

First, I say sorry to pfSense and all pfSense lovers if I'm wrong.
If we correctly configured squid3-dev and squidguard-squid3 without any error, all other sites work fine: e.g., if we deny blk_socialnetwork, then when we go to HTTPS Facebook or YouTube, access is denied. Only when I go to gmail.com it's not working and gives the message we are all aware of.

Also, when I go to banking HTTPS sites it's working well.
So I think it's some problem in pfSense, and I am proud to say pfSense can solve this problem very easily, but I thought pfSense is playing with its lovers (pfSense firewall users).

So we can only wait for new updates..

In between, if any expert solves this issue, please let me know.
mohanrao83@gmail.com

Thanks
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.