[squid-users] HTTPS Proxy
Alex Rousskov
rousskov at measurement-factory.com
Tue Oct 7 20:52:32 UTC 2025
On 2025-10-07 14:01, John Brayton wrote:
> Yes, curl trusts the same wildcard certificate when it is
> presented by an nginx server.
How do you know that curl sees the same certificate chain in both tests?
I am guessing that you have tried to use the same certificate chain in
both Squid and nginx configurations, but the question is about what curl
sees/gets.
It is unlikely that curl would receive the same certificate chain but
only trust the chain "presented by an nginx server". Most likely,
something differs in those two chains/cases. For example, nginx sends an
intermediate certificate as a part of that chain while Squid does not.
Or the order of certificates in that chain differs. The pointers in my
earlier response may help you tease out that critical difference.
HTH,
Alex.
> On Tue, Oct 7, 2025 at 1:52 PM Alex Rousskov wrote:
>>
>> On 2025-10-07 13:21, John Brayton wrote:
>>> I am setting up a Squid proxy server. It needs to be available on a
>>> public IP address, so I need traffic between the client and the proxy
>>> to be secure. I have a wildcard SSL certificate from a certificate
>>> authority (Namecheap). I have these files:
>>>
>>> - A key file with an RSA key
>>> - A certificate file
>>> - A certificate chain file, with the signing certificates from Namecheap
>>> - A combined file that includes both the certificate file and the
>>> certificate chain file.
>>>
>>> All these files are in PEM format. I am trying to work out how to
>>> configure squid to use these files as expected. As it stands, I have:
>>>
>>> https_port 8888 tls-cert=/etc/squid/combined.pem tls-key=/etc/squid/key.pem
>>>
>>> When using a curl client, I issue this:
>>>
>>> curl -i -x https://[proxyhost]:8888 [website_url]
>>>
>>> I get this response:
>>>
>>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>>> More details here: https://curl.se/docs/sslcerts.html
>>>
>>> curl failed to verify the legitimacy of the server and therefore could not
>>> establish a secure connection to it. To learn more about this situation and
>>> how to fix it, please visit the web page mentioned above.
>>>
>>> I get the same error regardless of whether website_url is an HTTP URL
>>> or an HTTPS URL, so I assume the issue is not the website.
>>>
>>> How do I make the squid server trusted by clients?
>>
>> Does your curl client trust Namecheap? If not, see the curl documentation
>> mentioned in the error message you have quoted above. That documentation
>> explains how to make curl (and other clients) trust a certificate
>> authority that they do not already trust.
>>
>> The same documentation can be used to confirm that trusting the Namecheap
>> certificate authority is enough; see the --proxy-cacert command line option.
>>
>> Using `openssl s_client` or examining curl-Squid traffic with a tool
>> like Wireshark may help you see what certificate curl cannot validate.
>> Newer curl versions support `curl --write-out '%{certs}'`, but I do not
>> know whether the `certs` write-out variable works for proxy certificates.
>>
>>
>> HTH,
>>
>> Alex.
>>
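As an added illustration (not from the thread, and not Squid's or curl's own tooling), a small Python helper that parses the `Certificate chain` section of `openssl s_client -showcerts` output captured from each server and reports the two differences suspected above: a gap or wrong order between adjacent certificates, and which issuer the client must already trust. The sample captures are constructed with placeholder names.

```python
import re

# Constructed samples of the "Certificate chain" section that
# `openssl s_client -connect host:port -showcerts` prints (PEM blobs
# omitted). Names are placeholders, not from the original thread.
NGINX_CHAIN = """\
Certificate chain
 0 s:CN = *.example.test
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root
"""
SQUID_CHAIN = """\
Certificate chain
 0 s:CN = *.example.test
   i:C = US, O = Example CA, CN = Example Intermediate R1
"""

SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")  # " 0 s:CN = ..." entry header
ISSUER = re.compile(r"^\s*i:(.*)$")         # "   i:CN = ..." issuer line

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in showcerts_output.splitlines():
        if m := SUBJECT.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(chain):
    """Return (findings, trust_anchor): each adjacent pair must link
    issuer -> subject; the last issuer is what the client must trust."""
    if not chain:
        return ["no certificates parsed"], None
    findings = []
    for i in range(len(chain) - 1):
        issuer, next_subject = chain[i][1], chain[i + 1][0]
        if next_subject != issuer:
            findings.append(f"cert {i + 1} is '{next_subject}', expected issuer "
                            f"of cert {i} '{issuer}' (wrong order or gap)")
    last_subject, last_issuer = chain[-1]
    anchor = None if last_subject == last_issuer else last_issuer
    return findings, anchor

def missing_from(reference, candidate):
    """Subjects the reference server sends that the candidate does not."""
    sent = {s for s, _ in candidate}
    return [s for s, _ in reference if s not in sent]
```

Capture each side with `openssl s_client -connect host:port -showcerts </dev/null` and feed the text to `parse_chain`; a trust anchor that is an intermediate rather than a root in the client's CA store is the situation curl reports as "unable to get local issuer certificate".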
More information about the squid-users mailing list