Fixing X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY on SSL Bumping Squid

HTTPS filtering is a must for any network admin these days, and if you implement it with an SSL Bumping Squid you have surely seen the famous (and not especially clearly formulated) X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

The main reason for this error is very simple: one (or all) of the certificates presented by the remote HTTPS site you are browsing is not present in the certificate store on the host your Squid proxy runs on. Because Squid cannot validate the chain, it cannot generate the mimicked SSL certificate required to perform HTTPS filtering.

Let’s take app.tracker-online.com as an example. If you access https://app.tracker-online.com directly from your browser (Firefox, Chrome or even IE) you will not see any errors. If you do the same through an SSL Bumping Squid proxy running on Ubuntu 14.04 LTS or CentOS 7, the following error page is shown in the browser.

[Screenshot: Squid error page, unable_to_get_issuer_cert_locally]

If you take a closer look at the error page then it becomes clear that the following certificate authority is missing:

/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA

Let’s add this certificate to our OS certificate store. To do this, go to the Thawte web site and download SSL123_SecondaryCA.pem. Please note we are downloading ONLY the intermediate certificate and NOT the bundle, as the root Thawte certificate seems to be present in all operating systems.

[Screenshot: Thawte download page, thawte_download]

Then for CentOS 7:

  1. Open a root terminal and copy SSL123_SecondaryCA.pem into the /etc/pki/ca-trust/source/anchors/ folder.
  2. Run update-ca-trust to rebuild the certificate bundle. It should finish without any output.
  3. Restart Squid by running systemctl restart squid.

And for Ubuntu 14.04 LTS (or Debian 7):

  1. Open a root terminal and copy SSL123_SecondaryCA.pem (it is in PEM format, i.e. it contains -----BEGIN CERTIFICATE-----) to /usr/local/share/ca-certificates/SSL123_SecondaryCA.crt (note the extension needs to be .crt, not .pem, otherwise update-ca-certificates ignores the file).
  2. Run sudo update-ca-certificates to rebuild the certificate store. See this superuser.com article for more information.
  3. Restart Squid by running service squid3 restart.

Open your browser and confirm that https://app.tracker-online.com/ now works normally.

[Screenshot: app.tracker-online.com loading normally through the proxy, app_tracker_ok]

To remove this intermediate certificate from the certificate bundle on CentOS 7, delete the certificate file from /etc/pki/ca-trust/source/anchors and run update-ca-trust again. Do not forget to restart Squid!

To do the same on Ubuntu 14.04, remove the certificate from /usr/local/share/ca-certificates, run sudo update-ca-certificates and finally remove all dangling symlinks to the now non-existent certificate in the /etc/ssl/certs folder. We could not find an easier way!
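As an added example (not code from the original post), the following shell script reproduces the error with a locally constructed root / intermediate / leaf chain, reads the missing issuer off the leaf certificate the same way you read it off the Squid error page, and then shows verification passing once the intermediate is trusted, which is what update-ca-trust and update-ca-certificates achieve for the OS store. It assumes only the openssl command-line tool; the CA names and the hostname are made up.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the condition behind
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (OpenSSL verify error 20) with a
# throw-away root -> intermediate -> leaf chain, then show that trusting the
# intermediate makes verification pass. Assumes the openssl CLI is installed.
set -e
WORK=$(mktemp -d)

# Build the constructed chain. The intermediate is deliberately left out of the
# first trust file, which is exactly the situation described in the post.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  # self-signed root CA (the part every OS already ships)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # intermediate CA signed by the root (the part that was missing)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  # server (leaf) certificate signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=app.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# Print the issuer DN of a certificate: this names the CA you have to locate,
# just as the post reads the missing Thawte issuer off the Squid error page.
missing_issuer() { openssl x509 -noout -issuer -in "$1"; }

# Verify the leaf against a trust file. Prints openssl's verdict and returns
# non-zero when the chain cannot be built from that trust file.
verify_leaf() { openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1; }

build_chain
echo "Leaf issuer: $(missing_issuer "$WORK/leaf.pem")"
# Only the root trusted: fails with "unable to get local issuer certificate"
echo "Root only:   $(verify_leaf "$WORK/root.pem" || true)"
# Root plus intermediate trusted, i.e. the post's fix: prints "leaf.pem: OK"
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/trust.pem"
echo "Root+inter:  $(verify_leaf "$WORK/trust.pem")"
```

The working directory is left in place so you can inspect the files afterwards; the same openssl verify call against your real trust bundle (for example /etc/pki/tls/certs/ca-bundle.crt on CentOS or /etc/ssl/certs/ca-certificates.crt on Ubuntu) tells you whether Squid will be able to build the chain before you restart it.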

Best regards,
Diladele Dev Team


2 Responses to Fixing X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY on SSL Bumping Squid

  1. Lexus34 says:

    Please tell me how to install SSL123_SecondaryCA on pfSense. I added it through system_camanager and restarted squid3, but still get the error.
