I am trying to get Let's Encrypt to work with client-to-Squid-Proxy SSL in a Kubernetes cluster. The proxy is used for testing. I have seen a few other Squid Proxy posts here. Not sure if this is an issue with the certificate or with Squid.
The problem is that the proxy presents only one certificate instead of the full chain. This works fine with curl, but does not work with Node or OpenSSL. I checked the PEM file on the Squid node, and it has all the certificates, including the intermediate CAs. I also tried with the DST cross-signed certificate.
Has anyone gotten a recent version of Squid to work with a Let's Encrypt certificate for client-to-Squid-proxy encryption?
My domain is: squid-proxy-ssl.ops2.cresta.ai:3128
I ran this command:
openssl s_client -showcerts -connect squid-proxy-ssl.ops2.cresta.ai:3128
It produced this output:
> openssl s_client -showcerts -connect squid-proxy-ssl.ops2.cresta.ai:3128
CONNECTED(00000006)
depth=0 CN = squid-proxy.ops2.cresta.ai
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = squid-proxy.ops2.cresta.ai
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = squid-proxy.ops2.cresta.ai
verify return:1
---
Certificate chain
 0 s:CN = squid-proxy.ops2.cresta.ai
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 13 15:54:37 2023 GMT; NotAfter: Jan 11 15:54:36 2024 GMT
-----BEGIN CERTIFICATE-----
<SNIP>
---
Server certificate
subject=CN = squid-proxy.ops2.cresta.ai
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1872 bytes and written 412 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
8060A7E901000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
My web server is (include version): ubuntu/squid 4.10-20.04_beta and tried 5.6-22.10_beta
https_port 3128 tls-cert=/certs/tls.crt tls-key=/certs/tls.key tls-cafile=/certs/tls.crt
The operating system my web server runs on is (include version): Ubuntu 22.10 or 20.04
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Kubernetes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): cert-manager v1.13.1
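What the s_client output above shows is a chain with a single entry: the proxy sends only the leaf (certificate 0, issued by R3) and no intermediate, which is exactly what "unable to verify the first certificate" means. curl tolerates this when it can fetch the issuer via AIA or finds it cached; OpenSSL and Node do not. A practical check before touching Squid is to compare the chain in the file on disk with the chain actually served. The script below is an added example, not code from the original post or from the Squid project: it extracts every PEM block from a text (either the `tls.crt` bundle or pasted `openssl s_client -showcerts` output), walks just enough DER to read each certificate's subject and issuer, and reports whether the leaf is followed by its issuer in order. The certificates it ships with are constructed, unsigned X.509 skeletons with placeholder names (`squid-proxy.example.test`, `Example Intermediate CA`, `Example Root CA`); they exist only so the example runs offline. One caveat for the `https_port` line quoted above: in Squid, `tls-cafile` is consulted when verifying client certificates; it does not add intermediates to the chain the proxy presents.

```python
"""Check that a PEM bundle carries the full chain (leaf followed by its issuers).
Input can be the tls.crt file Squid is given or the text printed by
`openssl s_client -showcerts`, since both contain PEM certificate blocks."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def extract_der_certs(text):
    """DER bytes of every PEM certificate in text, in order of appearance."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos -> (tag, value, raw_tlv, next_pos)."""
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start, end = pos + header, pos + header + length
    return tag, buf[start:end], buf[pos:end], end


def subject_issuer(der):
    """Raw DER Name encodings of (subject, issuer) from an X.509 certificate."""
    _, cert, _, _ = _tlv(der)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _, _ = _tlv(cert)           # TBSCertificate ::= SEQUENCE { ... }
    tag, _, _, pos = _tlv(tbs)          # [0] EXPLICIT version is optional
    pos = pos if tag == 0xA0 else 0
    _, _, _, pos = _tlv(tbs, pos)       # serialNumber
    _, _, _, pos = _tlv(tbs, pos)       # signature AlgorithmIdentifier
    _, _, issuer, pos = _tlv(tbs, pos)  # issuer Name (raw TLV, compared byte-for-byte)
    _, _, _, pos = _tlv(tbs, pos)       # validity
    _, _, subject, _ = _tlv(tbs, pos)   # subject Name
    return subject, issuer


def common_name(name_der):
    """Best-effort CN from a DER Name, for readable reports only."""
    _, rdns, _, _ = _tlv(name_der)
    pos = 0
    while pos < len(rdns):
        _, rdn, _, pos = _tlv(rdns, pos)  # RelativeDistinguishedName ::= SET
        _, atv, _, _ = _tlv(rdn)          # first AttributeTypeAndValue
        _, oid, _, vpos = _tlv(atv)
        if oid == CN_OID:
            return _tlv(atv, vpos)[1].decode("utf-8", "replace")
    return "<no CN>"


# Constructed fixtures: unsigned X.509 skeletons with only the fields the walker
# above reads. They are NOT usable certificates, just offline test input.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"240401000000Z"))
               + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("squid-proxy.example.test", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
FULL_CHAIN = LEAF + INTERMEDIATE + ROOT
# Constructed stand-in for s_client -showcerts output from a proxy that serves
# only its leaf; the checker ignores everything except the PEM blocks.
LEAF_ONLY_SHOWCERTS = ("CONNECTED(00000003)\n---\nCertificate chain\n"
                       " 0 s:CN = squid-proxy.example.test\n" + LEAF + "---\n")


def check_chain(text):
    """A bundle is complete when the leaf is followed by its issuer and every
    later certificate is issued by the next one; it may stop at an intermediate
    (clients hold the root themselves) or end at a self-signed root."""
    certs = [subject_issuer(d) for d in extract_der_certs(text)]
    report = {"count": len(certs), "chain": [], "problems": []}
    for i, (subject, issuer) in enumerate(certs):
        report["chain"].append((common_name(subject), common_name(issuer)))
        if subject == issuer:
            continue  # self-signed root ends the chain
        if i + 1 < len(certs) and certs[i + 1][0] != issuer:
            report["problems"].append(f"certificate {i + 1} is not the issuer of certificate {i}")
        elif i + 1 == len(certs) and i == 0:
            report["problems"].append(f"only the leaf is present; '{common_name(issuer)}' must follow it")
    report["complete"] = bool(certs) and not report["problems"]
    return report


if __name__ == "__main__":
    for label, text in (("full chain", FULL_CHAIN), ("leaf only", LEAF_ONLY_SHOWCERTS)):
        r = check_chain(text)
        print(f"{label}: {r['count']} cert(s), complete={r['complete']}, chain={r['chain']}")
        for p in r["problems"]:
            print("  !", p)
```

Against a real deployment, run `check_chain(open("/certs/tls.crt").read())` on the node and `check_chain(output)` on the captured `openssl s_client -showcerts` text; if the file reports a complete chain but the served text reports a single leaf, the bundle is fine and the proxy is simply not sending the intermediates it has. The issuer comparison is byte-for-byte on the DER Name, which is what RFC 5280 chain building relies on in practice for certificates from one CA.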