GateSentry Raspberry Pi : Updating the expired certificate

GateSentry

If you’re using GateSentry’s Raspberry Pi image, you might be seeing some certificate expiry errors in your browser as of 2nd October 2017. This post will help you regenerate GateSentry’s certificate so you can continue using it. Here’s how to do that:

  1. Connect to your Raspberry Pi via SSH (use PuTTY on Windows).
    1. The credentials are username: pi and password: raspberry
  2. Generate a new certificate with the following command (replace XXX with the number of days the certificate should remain valid, for example 365):
    1. openssl req -new -newkey rsa:2048 -days XXX -nodes -x509 -keyout myCA.pem -out myCA.pem
  3. Also generate a browser certificate (DER format) from the freshly generated myCA.pem:
    1. openssl x509 -in myCA.pem -outform DER -out myCA.der
  4. Now stop the Squid service with: sudo service squid3 stop
  5. Copy the newly generated certificate (myCA.pem) to /etc/squid/certs on your Raspberry Pi, overwriting the old one.
  6. Make a copy of the DER certificate (myCA.der) on your local computer so you can install it in your client browsers.
  7. Next, restart the Raspberry Pi with: sudo reboot
  8. Install the certificate in your browsers, clear the cache and restart the browser.
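The following shell script is an added example, not part of the post or of GateSentry itself: it carries out steps 2 and 3 and then checks the result before you copy it into place (key and certificate present in myCA.pem, CA flag set, not about to expire, DER copy matching the PEM). It assumes openssl is installed; the subject name passed via -subj (so the command runs without prompts) and the 30-day expiry margin are my own choices.

```shell
#!/bin/sh
# Added example (not from the GateSentry post or project): regenerate the Squid
# signing CA and verify it before it is copied to the certs directory.
# Assumptions: openssl is installed; the subject (-subj) is constructed here so
# the command runs without prompts; the 30-day expiry margin is arbitrary.
set -eu

# gen_ca DAYS OUTDIR: writes OUTDIR/myCA.pem and OUTDIR/myCA.der, exactly as
# steps 2 and 3 of the post do.
gen_ca() {
    days="$1"; outdir="$2"
    mkdir -p "$outdir"
    # -keyout and -out name the same file, so myCA.pem holds the private key
    # AND the certificate; Squid's cert= option reads both from it.
    openssl req -new -newkey rsa:2048 -days "$days" -nodes -x509 \
        -subj "/CN=GateSentry Proxy CA" \
        -keyout "$outdir/myCA.pem" -out "$outdir/myCA.pem" 2>/dev/null
    # DER copy of the certificate only (no key) for importing into browsers.
    openssl x509 -in "$outdir/myCA.pem" -outform DER -out "$outdir/myCA.der"
    chmod 600 "$outdir/myCA.pem"   # the PEM contains the private key
}

# check_ca PEMFILE: succeeds only if the file holds a private key plus a CA
# certificate that stays valid for at least 30 more days. An unloadable key or
# certificate is what produces Squid's "No valid signing SSL certificate
# configured" error at startup.
check_ca() {
    pem="$1"
    grep -q "PRIVATE KEY" "$pem" || return 1
    grep -q "BEGIN CERTIFICATE" "$pem" || return 1
    # -checkend N fails when the cert expires within N seconds (30 days here)
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null || return 1
    openssl x509 -in "$pem" -noout -text | grep -q "CA:TRUE" || return 1
}

# same_cert PEMFILE DERFILE: confirms the DER file is the certificate in the PEM
# (fingerprints must match, otherwise browsers would trust a different CA).
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Usage: sh regen_ca.sh 365 /tmp/gatesentry-ca (then copy myCA.pem into place)
if [ "$#" -eq 2 ]; then
    gen_ca "$1" "$2"
    check_ca "$2/myCA.pem" && same_cert "$2/myCA.pem" "$2/myCA.der" \
        && echo "OK: $2/myCA.pem and myCA.der are ready"
fi
```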

Written by on October 5, 2017

5 Comments
  • Mark Macro

    Unfortunately it is not working!
    First I thought it is working, but finally it’s not.
    I created the certificates successfully, and the first thing I was wondering about was that
    there is no folder “/etc/squid/certs”.
    I think it has to be: “/etc/squid3/certs”.
    So I used “/etc/squid3/certs” to store the file(s).
    Next point is the filename, it should be “myCA.pem” not “myca.pem” (according to the definition inside “squid.conf” file), right?
    So now my folder “/etc/squid3/certs” contains the following files:
    pi@raspberrypi:/etc/squid3/certs $ ls -al
    total 20
    drwxr-xr-x 2 pi pi 4096 Oct 8 09:01 .
    drwxr-xr-x 4 root root 4096 Mar 23 2016 ..
    -rw-r--r-- 1 pi pi 1834 Oct 8 08:59 key.pem
    -rw-r--r-- 1 pi pi 923 Oct 8 09:00 myCA.der
    -rw-r--r-- 1 pi pi 1306 Oct 8 08:59 myCA.pem

    I also kept that “key.pem” file inside there (actually I don’t know if that is important…).

    However, (even after several reboots) when I login to the administration page via browser there is always an error message which says:
    Error : Squid3 not working (see attached screenshot).

    When I check the status of squid3 service via SSH it looks quite ok for me:
    pi@raspberrypi:~ $ service squid3 status
    ● squid3.service - LSB: Squid HTTP Proxy version 3.x
    Loaded: loaded (/etc/init.d/squid3)
    Active: active (exited) since Sun 2017-10-08 09:20:09 CEST; 18min ago
    Process: 1348 ExecStop=/etc/init.d/squid3 stop (code=exited, status=0/SUCCESS)
    Process: 1358 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)

    Also the gatesentry service seems to be ok:
    pi@raspberrypi:~ $ service gatesentry status
    ● gatesentry.service - Gatesentry service
    Loaded: loaded (/lib/systemd/system/gatesentry.service; enabled)
    Active: active (running) since Sun 2017-10-08 09:20:05 CEST; 37min ago
    Process: 1328 ExecStop=/etc/gatesentry/dist/icap_daemon stop (code=exited, status=0/SUCCESS)
    Main PID: 1355 (icap_daemon)
    CGroup: /system.slice/gatesentry.service
    └─1355 /etc/gatesentry/dist/icap_daemon start

    Any Suggestions?


    • Abdullah

      from your service status commands, it seems the services are running . Have you tried visiting websites through GateSentry? What do you get, ssl certificate errors, or proxy not running?

      • Mark Macro

        Found out that the service is not running. When I call the command with ‘sudo’ it brings the following, where it states that there is no valid certificate for http_port [::]:3129:

        pi@raspberrypi:/etc/squid3 $ sudo service squid3 status
        ● squid3.service - LSB: Squid HTTP Proxy version 3.x
        Loaded: loaded (/etc/init.d/squid3)
        Active: active (exited) since Sun 2017-10-08 11:49:48 CEST; 6s ago
        Process: 3516 ExecStop=/etc/init.d/squid3 stop (code=exited, status=0/SUCCESS)
        Process: 1383 ExecReload=/etc/init.d/squid3 reload (code=exited, status=0/SUCCESS)
        Process: 3526 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)

        Oct 08 11:49:48 raspberrypi squid3[3526]: 2017/10/08 11:49:48| WARNING: 'icap_access' is depricated. Use 'adaptation_access' instead
        Oct 08 11:49:48 raspberrypi squid3[3526]: 2017/10/08 11:49:48| Warning: empty ACL: acl block_regex url_regex "/etc/squid3/squidlist/blockedregex"
        Oct 08 11:49:48 raspberrypi squid3[3533]: No valid signing SSL certificate configured for http_port [::]:3129
        Oct 08 11:49:48 raspberrypi squid3[3526]: FATAL: No valid signing SSL certificate configured for http_port [::]:3129
        Oct 08 11:49:48 raspberrypi squid3[3526]: Squid Cache (Version 3.3.8): Terminated abnormally.
        Oct 08 11:49:48 raspberrypi squid3[3526]: CPU Usage: 0.140 seconds = 0.120 user + 0.020 sys
        Oct 08 11:49:48 raspberrypi squid3[3526]: Maximum Resident Size: 39360 KB
        Oct 08 11:49:48 raspberrypi squid3[3526]: Page faults with physical i/o: 0
        Oct 08 11:49:48 raspberrypi squid3[3526]: failed!
        Oct 08 11:49:48 raspberrypi systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.

        Edit:
        Sorry forgot to answer your question:
        when I try to visit websites through GateSentry it tells me that proxy is not running.

        • Abdullah

          Yes, it’s a cert error: FATAL: No valid signing SSL certificate configured for http_port [::]:3129 . Okay, try this:

          – Instead of the above cert generation line, use this one: openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem

          – Instead of the above DER generation line, use this one: openssl x509 -in myCA.pem -outform DER -out myCA.der

          Follow the rest of the procedure.

          • Mark Macro

            ok. Squid is running now.
            Thanks.
