# Problems with squid under freebsd 12 ssl_crtd not found



## klabacita (Dec 7, 2019)

Hi guys.

I'm testing FreeBSD squid (4.9 from ports) and found that even if you choose the option:

freebsd won't create ssl_crtd.

Without this we cannot run squid MITM.

Does someone know how to fix this problem?

I have tried different settings but no luck.

Thanks for your help.


----------



## obsigna (Dec 7, 2019)

I wrote a blog article about setting up a transparent SSL proxy using squid on a FreeBSD gateway - here our home server, but it would work the same for any gateway: https://obsigna.com/articles/1563917142.html

```
# uname -npv
server.obsigna.com FreeBSD 12.1-RELEASE-p1 GENERIC  amd64
```

`# squid --version`

```
Squid Cache: Version 4.9
Service Name: squid

This binary uses OpenSSL 1.1.1d-freebsd  10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--with-included-ltdl' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--disable-eui' '--disable-cache-digests' '--disable-delay-pools' '--disable-ecap' '--disable-esi' '--disable-follow-x-forwarded-for' '--without-heimdal-krb5' '--without-mit-krb5' '--without-gss' '--disable-htcp' '--disable-icap-client' '--disable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--without-large-files' '--enable-http-violations' '--without-nettle' '--disable-snmp' '--enable-ssl' '--with-openssl=/usr' '--enable-security-cert-generators=file' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--enable-ipfw-transparent' '--disable-pf-transparent' '--without-nat-devpf' '--disable-forw-via-db' '--disable-wccp' '--disable-wccpv2' '--enable-auth-basic=DB SMB_LM NCSA PAM POP3 RADIUS fake getpwnam' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip unix_group' '--enable-auth-negotiate=none' '--enable-auth-ntlm=fake SMB_LM' '--enable-storeio=aufs ufs' '--enable-disk-io=DiskThreads AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--enable-security-cert-validators=fake' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 
'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe   -Wno-error=deprecated-declarations -fstack-protector-strong -fno-strict-aliasing ' 'LDFLAGS= -pthread -L/usr/local/lib -lpcreposix -lpcre  -fstack-protector-strong ' 'LIBS=' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -Wno-error=deprecated-declarations -fstack-protector-strong -fno-strict-aliasing  ' 'CPP=cpp' --enable-ltdl-convenience
```


----------



## klabacita (Dec 8, 2019)

You don't use the program ssl_crtd in your config?


----------



## obsigna (Dec 8, 2019)

klabacita said:


> You don't use the program ssl_crtd in your config?


Yes I do. Look at the screenshot of the blog article.

PS: Actually, I don't. I forgot the tiny detail that ssl_crtd was renamed to security_file_certgen by the Squid project. So yes, I do configure with ssl_crtd which, however, installs security_file_certgen, and that is what I actually use.


----------



## klabacita (Dec 8, 2019)

obsigna said:


> Yes I do. Look at the screenshot of the blog article.
> 
> PS: Actually, I don't. I forgot the tiny detail that ssl_crtd was renamed to security_file_certgen by the Squid project. So yes, I do configure with ssl_crtd which, however, installs security_file_certgen, and that is what I actually use.


Thanks obsigna now I understand the problem.


----------



## wolffnx (Nov 11, 2020)

obsigna said:


> I wrote a blog article about setting up a transparent SSL proxy using squid on a FreeBSD gateway - here our home server, but it would work the same for any gateway: https://obsigna.com/articles/1563917142.html
> 
> `# uname -npv`
> server.obsigna.com FreeBSD 12.1-RELEASE-p1 GENERIC  amd64
> ...


I followed your guide and got stuck at one point:


```
/usr/local/libexec/squid/security_file_certgen -c -s /usr/local/etc/squid/dyn-certs -M 4MB
```

The return code is:


```
Initialization SSL db...
/usr/local/libexec/squid/security_file_certgen: Cannot create /usr/local/etc/squid/dyn-certs
```

Edit: the error was because I created the directory one step forward:

```
mkdir -p /usr/local/etc/squid/dyn-certs
```
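The two snags in this thread (the helper being installed as security_file_certgen rather than ssl_crtd, and the "Cannot create" failure when the database directory is created at the wrong step) can both be handled in one small initialisation script. The following is an added example written for this thread; it is not code from obsigna's article or from the Squid project. It assumes the FreeBSD port layout shown above (helper under /usr/local/libexec/squid, database under /usr/local/etc/squid/dyn-certs, default user squid) and the `sslcrtd_program` directive from squid.conf; the helper creates the database directory itself and reports "Cannot create" when that mkdir fails, so the script creates only the parent directory and skips the run if the database already exists.

```shell
#!/bin/sh
# Added example for the thread above, not from the Squid project or the blog
# article. Locates the certificate-generator helper under either of its names
# and initialises its database with the parent directory in place.

# Print the path of the helper: newer Squid installs security_file_certgen,
# older configurations refer to it as ssl_crtd. Returns 1 if neither exists.
find_certgen() {
    libexec="${1:-/usr/local/libexec/squid}"
    for name in security_file_certgen ssl_crtd; do
        if [ -x "$libexec/$name" ]; then
            printf '%s\n' "$libexec/$name"
            return 0
        fi
    done
    return 1
}

# Initialise the dynamic certificate database at $2 using helper $1.
# The helper performs the final mkdir itself and fails with "Cannot create"
# when it cannot, so we only make sure the parent exists and never pre-create
# the target. If the database is already there, nothing is done.
# Optional $3 is the database size (default 4MB), optional $4 an owner to
# chown the result to (the Squid run-time user, "squid" on the FreeBSD port).
init_cert_db() {
    helper="$1"
    db_dir="$2"
    size="${3:-4MB}"
    owner="$4"
    if [ -d "$db_dir" ]; then
        echo "certificate db already present at $db_dir, skipping" >&2
        return 0
    fi
    mkdir -p "$(dirname "$db_dir")" || return 1
    "$helper" -c -s "$db_dir" -M "$size" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$db_dir" || return 1
    fi
    return 0
}

# Print the squid.conf line that points Squid at the same helper and database,
# so the running proxy and the initialised store cannot drift apart.
certgen_conf_line() {
    printf 'sslcrtd_program %s -s %s -M %s\n' "$1" "$2" "${3:-4MB}"
}

# Usage on the gateway (as root), after sourcing this file:
#   helper=$(find_certgen) &&
#     init_cert_db "$helper" /usr/local/etc/squid/dyn-certs 4MB squid &&
#     certgen_conf_line "$helper" /usr/local/etc/squid/dyn-certs 4MB
```

Running `init_cert_db` a second time is harmless, which matters when the gateway setup is scripted: re-running the helper against an existing database is exactly the situation that produces the "Cannot create" error in the post above.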


----------



## SirDice (Nov 11, 2020)

Does /usr/local/etc/squid/ actually exist?


----------

