[squid-users] HTTPS Proxy
John Brayton
johnbrayton at gmail.com
Tue Oct 7 18:01:14 UTC 2025
Thank you. Yes, curl trusts the same wildcard certificate when it is
presented by an nginx server.
John
On Tue, Oct 7, 2025 at 1:52 PM Alex Rousskov
<rousskov at measurement-factory.com> wrote:
>
> On 2025-10-07 13:21, John Brayton wrote:
> > I am setting up a Squid proxy server. It needs to be available on a
> > public IP address, so I need traffic between the client and the proxy
> > to be secure. I have a wildcard SSL certificate from a certificate
> > authority (Namecheap). I have these files:
> >
> > - A key file with an RSA key
> > - A certificate file
> > - A certificate chain file, with the signing certificates from Namecheap
> > - A combined file that includes both the certificate file and the
> > certificate chain file.
> >
> > All these files are in PEM format. I am trying to work out how to
> > configure squid to use these files as expected. As it stands, I have:
> >
> > https_port 8888 tls-cert=/etc/squid/combined.pem tls-key=/etc/squid/key.pem
> >
> > When using a curl client, I issue this:
> >
> > curl -i -x https://[proxyhost]:8888 [website_url]
> >
> > I get this response:
> >
> > curl: (60) SSL certificate problem: unable to get local issuer certificate
> > More details here: https://curl.se/docs/sslcerts.html
> >
> > curl failed to verify the legitimacy of the server and therefore could not
> > establish a secure connection to it. To learn more about this situation and
> > how to fix it, please visit the web page mentioned above.
> >
> > I get the same error regardless of whether website_url is an HTTP URL
> > or an HTTPS URL, so I assume the issue is not the website.
> >
> > How do I make the squid server trusted by clients?
>
> Does your curl client trust Namecheap? If not, see curl documentation
> mentioned in the error message you have quoted above. That documentation
> explains how to make curl (and other clients) trust a certificate
> authority that they do not already trust.
>
> The same documentation can be used to confirm that trusting the Namecheap
> certificate authority is enough; see the --proxy-cacert command line option.
>
> Using `openssl s_client` or examining curl-Squid traffic with a tool
> like Wireshark may help you see what certificate curl cannot validate.
> Newer curl versions support `curl --write-out '%{certs}'`, but I do not
> know whether the `certs` write-out variable works for proxy certificates.
>
>
> HTH,
>
> Alex.
>