[squid-users] HTTPS Proxy

Alex Rousskov rousskov at measurement-factory.com
Tue Oct 7 17:52:04 UTC 2025


On 2025-10-07 13:21, John Brayton wrote:
> I am setting up a Squid proxy server. It needs to be available on a
> public IP address, so I need traffic between the client and the proxy
> to be secure. I have a wildcard SSL certificate from a certificate
> authority (Namecheap). I have these files:
> 
> - A key file with an RSA key
> - A certificate file
> - A certificate chain file, with the signing certificates from Namecheap
> - A combined file that includes both the certificate file and the
> certificate chain file.
> 
> All these files are in PEM format. I am trying to work out how to
> configure squid to use these files as expected. As it stands, I have:
> 
> https_port 8888 tls-cert=/etc/squid/combined.pem tls-key=/etc/squid/key.pem
> 
> When using a curl client, I issue this:
> 
> curl -i -x https://[proxyhost]:8888 [website_url]
> 
> I get this response:
> 
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.se/docs/sslcerts.html
> 
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> 
> I get the same error regardless of whether website_url is an HTTP URL
> or an HTTPS URL, so I assume the issue is not the website.
> 
> How do I make the squid server trusted by clients?

Does your curl client trust Namecheap? If not, see curl documentation 
mentioned in the error message you have quoted above. That documentation 
explains how to make curl (and other clients) trust a certificate 
authority that they do not already trust.

The same documentation can be used to confirm that trusting Namecheap 
certificate authority is enough; see --proxy-cacert command line option.

Using `openssl s_client` or examining curl-Squid traffic with a tool 
like Wireshark may help you see what certificate curl cannot validate. 
Newer curl versions support `curl --write-out '%{certs}'`, but I do not 
know whether `certs` write-out variable works for proxy certificates.


HTH,

Alex.
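
Added example (not part of either message above): an offline way to reproduce the "unable to get local issuer certificate" result with `openssl verify`, and to test whether a PEM file such as combined.pem chains to a given CA file before that CA file is passed to curl's `--proxy-cacert`. The root, intermediate and leaf certificates and the name proxy.example.test are constructed for the demo; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the CA and host names are constructed, not from the thread.

# Verify the first certificate in PEM file $2 against trust anchor file $1.
# Further certificates in $2 are used as untrusted intermediates, the way a
# client uses the extra certificates a TLS server (here, the proxy) sends.
check_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1
}

# new_csr DIR NAME CN: create DIR/NAME.key and DIR/NAME.csr.
new_csr() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
# combined.pem is what a server should present: leaf first, then intermediate.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf" &&
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/root.key" -out "$d/root.pem" -days 2 \
        -subj "/CN=Constructed Root CA" 2>/dev/null &&
    new_csr "$d" int "Constructed Intermediate CA" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
        -out "$d/int.pem" 2>/dev/null &&
    new_csr "$d" leaf "proxy.example.test" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/int.pem" > "$d/combined.pem"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "Leaf only, client trusts the root:"
check_chain "$demo/root.pem" "$demo/leaf.pem" || echo "-> rejected"
echo "Leaf plus intermediate, client trusts the root:"
check_chain "$demo/root.pem" "$demo/combined.pem"
rm -rf "$demo"
```

For a real check, call `check_chain` with the CA's root certificate file as the first argument and /etc/squid/combined.pem as the second.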


