ssl_crtd helpers are crashing too rapidly in squid
I am using the sslBump and Dynamic SSL Certificate Generation features of Squid; below is my configuration for sslBump:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
sslproxy_cert_error allow all
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem
I am facing the below error when I start Squid.
squid -d 23
2014/08/29 16:55:59 kid1| Set Current Directory to /var/cache/squid
2014/08/29 16:55:59 kid1| Starting Squid Cache version 3.4.4.2 for x86_64-redhat-linux-gnu...
2014/08/29 16:55:59 kid1| Process ID 32150
2014/08/29 16:55:59 kid1| Process Roles: worker
2014/08/29 16:55:59 kid1| With 1024 file descriptors available
2014/08/29 16:55:59 kid1| Initializing IP Cache...
2014/08/29 16:55:59 kid1| DNS Socket created at [::], FD 7
2014/08/29 16:55:59 kid1| DNS Socket created at 0.0.0.0, FD 8
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver 203.88.135.194 from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver 4.2.2.2 from /etc/resolv.conf
2014/08/29 16:55:59 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2014/08/29 16:55:59.339 kid1| ErrorDetailManager.cc(254) parse: Remain size: 72 Content: name: X509_V_ERR_AKID_SKID_MISMATCH detail: "%ssl_error_descr: %ssl_subj
2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse: Remain size: 125 Content: name: X509_V_ERR_APPLICATION_VERIFICATION detail: "%ssl_error_descr: %ssl_subject" descr: "Application verification failure"
2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse: Remain size: 0 Content:
2014/08/29 16:55:59.341 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/08/29 16:55:59.341 kid1| Store logging disabled
2014/08/29 16:55:59.341 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/08/29 16:55:59.341 kid1| Target number of buckets: 1008
2014/08/29 16:55:59.341 kid1| Using 8192 Store buckets
2014/08/29 16:55:59.341 kid1| Max Mem size: 262144 KB
2014/08/29 16:55:59.341 kid1| Max Swap size: 0 KB
2014/08/29 16:55:59.341 kid1| Using Least Load store dir selection
2014/08/29 16:55:59.341 kid1| Set Current Directory to /var/cache/squid
2014/08/29 16:55:59.341 kid1| Finished loading MIME types and icons.
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(18) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x7ff9b784a900 [call18]
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(85) ScheduleCall: StartListening.cc(56) will call clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528) [call18]
2014/08/29 16:55:59.427 kid1| HTCP Disabled.
2014/08/29 16:55:59.427 kid1| Squid plugin modules loaded: 0
2014/08/29 16:55:59.427 kid1| Adaptation support is off.
2014/08/29 16:55:59.428 kid1| AsyncCallQueue.cc(51) fireNext: entering clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.428 kid1| AsyncCall.cc(30) make: make call clientListenerConnectionOpened [call18]
2014/08/29 16:55:59.428 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2014/08/29 16:55:59.429 kid1| AsyncCallQueue.cc(53) fireNext: leaving clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.429 kid1| WARNING: ssl_crtd #Hlpr0 exited
2014/08/29 16:55:59.429 kid1| Too few ssl_crtd processes are running (need 1/5)
2014/08/29 16:55:59.429 kid1| Closing HTTP port [::]:3128
2014/08/29 16:55:59.429 kid1| storeDirWriteCleanLogs: Starting...
2014/08/29 16:55:59.429 kid1| Finished. Wrote 0 entries.
2014/08/29 16:55:59.429 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
Is there any configuration change or workaround to resolve this error? Tested with RHEL 6.4 and Fedora 18 with Squid 3.2.3, 3.4.4 and 3.3.1.
Solution 1:
This can be caused by an uninitialized ssl_db in Squid, which can be created with:

ssl_crtd=$(find /usr -type f -name ssl_crtd)
$ssl_crtd -c -s /var/lib/ssl_db
chown -R squid /var/lib/ssl_db

and set in /etc/squid/squid.conf:

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 3 startup=1 idle=1

Depending on how your Squid was built you may also be able to use security_file_certgen. See also the Squid docs for Dynamic SSL Certificate Generation.
Solution 2:
For me, I just needed to initialize the SSL database:
sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
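Both answers come down to the same cause: the helper exits on startup because the database directory named in sslcrtd_program was never initialized with -c (or is not readable by the squid user), and Squid treats the repeated exits as "crashing too rapidly". The following pre-flight script is an added example, not code from the question or either answer; the /var/lib/ssl_db default, the "squid" user and the assumption that an initialized database contains index.txt and a certs/ subdirectory are mine, so adjust them to your build.

```shell
#!/bin/sh
# Added example (not from the question or answers): check the ssl_db directory
# that sslcrtd_program points at before (re)starting squid. An uninitialized or
# wrongly owned database makes the helper exit immediately, which squid reports
# as "The ssl_crtd helpers are crashing too rapidly". Paths, the "squid" user
# and the index.txt/certs layout are assumptions; adjust to your build.

# 0 = initialized, 1 = directory missing, 2 = directory present but no database
# (assumption: "ssl_crtd -c" creates index.txt and a certs/ subdirectory there).
ssl_db_state() {
    [ -d "$1" ] || return 1
    [ -f "$1/index.txt" ] && [ -d "$1/certs" ] || return 2
    return 0
}

# 0 if the user exists and everything under the database is owned by that user.
ssl_db_owned_by() {
    id "$2" >/dev/null 2>&1 || return 1
    [ -z "$(find "$1" ! -user "$2" -print 2>/dev/null | head -n 1)" ]
}

# Print the initialization command for a given helper binary (does not run it).
ssl_db_init_cmd() {
    printf '%s -c -s %s -M %s\n' "$1" "$2" "${3:-4MB}"
}

# Locate the helper (ssl_crtd in 3.x, security_file_certgen in newer builds),
# then report what is wrong with the database and what to run to fix it.
main() {
    db=$1; user=${2:-squid}
    helper=$(find /usr -type f \( -name ssl_crtd -o -name security_file_certgen \) \
             2>/dev/null | head -n 1)
    [ -n "$helper" ] || { echo "no ssl_crtd/security_file_certgen under /usr"; return 1; }
    rc=0; ssl_db_state "$db" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "$db is not an initialized ssl_db (state $rc); as root run:"
        echo "  $(ssl_db_init_cmd "$helper" "$db") && chown -R $user $db"
        return 1
    fi
    if ! ssl_db_owned_by "$db" "$user"; then
        echo "$db has files not owned by $user; run: chown -R $user $db"
        return 1
    fi
    echo "ok: $db is initialized and owned by $user; safe to start squid"
}

# Only runs when given a database path, e.g.: sh check_ssl_db.sh /var/lib/ssl_db squid
[ $# -gt 0 ] && main "$@"
```

Run it as root (or as the squid user) so the ownership check sees the same permissions the helper will.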