ssl_crtd helpers estão travando muito rápido no squid

Navegue suas respostas
3

Estou usando os recursos sslBump e Dynamic SSL Certificate Generation do squid, abaixo está minha configuração para o sslBump

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB sslcrtd_children 5

sslproxy_cert_error allow all

always_direct allow all

ssl_bump client-first all

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem

Estou enfrentando erro abaixo quando eu começo o squid.

lula-d 23 

2014/08/29 16:55:59 kid1| Set Current Directory to /var/cache/squid
2014/08/29 16:55:59 kid1| Starting Squid Cache version 3.4.4.2 for x86_64-redhat-linux-gnu...
2014/08/29 16:55:59 kid1| Process ID 32150
2014/08/29 16:55:59 kid1| Process Roles: worker
2014/08/29 16:55:59 kid1| With 1024 file descriptors available
2014/08/29 16:55:59 kid1| Initializing IP Cache...
2014/08/29 16:55:59 kid1| DNS Socket created at [::], FD 7
2014/08/29 16:55:59 kid1| DNS Socket created at 0.0.0.0, FD 8
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver 203.88.135.194 from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver 4.2.2.2 from /etc/resolv.conf
2014/08/29 16:55:59 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2014/08/29 16:55:59.339 kid1| ErrorDetailManager.cc(254) parse:  Remain size: 72 Content: name: X509_V_ERR_AKID_SKID_MISMATCH
detail: "%ssl_error_descr: %ssl_subj
2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse:  Remain size: 125 Content: name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"

2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse:  Remain size: 0 Content: 
2014/08/29 16:55:59.341 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/08/29 16:55:59.341 kid1| Store logging disabled
2014/08/29 16:55:59.341 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/08/29 16:55:59.341 kid1| Target number of buckets: 1008
2014/08/29 16:55:59.341 kid1| Using 8192 Store buckets
2014/08/29 16:55:59.341 kid1| Max Mem  size: 262144 KB
2014/08/29 16:55:59.341 kid1| Max Swap size: 0 KB
2014/08/29 16:55:59.341 kid1| Using Least Load store dir selection
2014/08/29 16:55:59.341 kid1| Set Current Directory to /var/cache/squid
k kill2014/08/29 16:55:59.341 kid1| Finished loading MIME types and icons.
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(18) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x7ff9b784a900 [call18]
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(85) ScheduleCall: StartListening.cc(56) will call clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528) [call18]
2014/08/29 16:55:59.427 kid1| HTCP Disabled.
2014/08/29 16:55:59.427 kid1| Squid plugin modules loaded: 0
2014/08/29 16:55:59.427 kid1| Adaptation support is off.
2014/08/29 16:55:59.428 kid1| AsyncCallQueue.cc(51) fireNext: entering clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.428 kid1| AsyncCall.cc(30) make: make call clientListenerConnectionOpened [call18]
2014/08/29 16:55:59.428 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2014/08/29 16:55:59.429 kid1| AsyncCallQueue.cc(53) fireNext: leaving clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.429 kid1| WARNING: ssl_crtd #Hlpr0 exited
2014/08/29 16:55:59.429 kid1| Too few ssl_crtd processes are running (need 1/5)
2014/08/29 16:55:59.429 kid1| Closing HTTP port [::]:3128
2014/08/29 16:55:59.429 kid1| storeDirWriteCleanLogs: Starting...
2014/08/29 16:55:59.429 kid1|   Finished.  Wrote 0 entries.
2014/08/29 16:55:59.429 kid1|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.

Existe alguma alteração na configuração ou solução para resolver esse erro? Testado com o RHEL 6.4 e o Fedora 18 com o squid 3.2.3, 3.4.4, 3.3.1

    
por krupal 29.08.2014 / 08:21

2 respostas

0

Eu não acho que o que você nos deu é muito útil. Ela nos diz que os processos auxiliares estão morrendo e que isso está acontecendo mais ou menos de imediato, mas não nos diz por que estão morrendo.

Você pode obter algumas pistas usando strace e / ou ltrace. Rastreie o processo pai (provavelmente o squid e os processos filhos bifurcados. Por exemplo, strace -f -p PID ou strace -ff -p PID ). Isso provavelmente mostrará o que esses processos estão fazendo imediatamente antes de falhar. Tente o ltrace se strace não lhe der algo útil. , mas normalmente strace te dá o que você precisa.

    
por 09.09.2014 / 19:47
0

Isso pode ser causado por um ssl_db unitializado em squid que pode ser criado com: 

ssl_crtd=$(find /usr -type f -name ssl_crtd)
$ssl_crtd -c -s /var/lib/ssl_db
chown -R squid /var/lib/ssl_db

& definido em /etc/squid/squid.conf 

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 3 startup=1 idle=1

dependendo de como seu squid foi criado, você também poderá usar     security_file_certgen

veja também os documentos do Squid para Geração Dinâmica de Certificados SSL

    
por 20.08.2018 / 13:02

Tags

Limpa as concessões do DHCPD, bem como as entradas do DDNS Reconfiguração de URL do IIS - Redireciona qualquer tráfego HTTPS para subdomínio