squid error "Failed to establish a secure connection to 192.168.1.2"

porigromus:
Hello, hoping someone can help me understand why I am receiving the message "Failed to establish a secure connection to 192.168.1.2" when I access the webgui from behind the squid forward SSL proxy, but have no issues accessing it with another SAN name, "firewalltest"?

As I mentioned, both are subject alternative names on a self-generated certificate issued by the CA created on the OPNsense firewall. One works, one does not when behind the proxy. If I access the webgui for firewall management without the proxy via the IP address, it shows valid.

I have the CA on the firewall trusted in my OS. I have an entry in my /etc/host file on the client attempting to access the webgui for 192.168.1.2     firewalltest.

error message:


"ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://192.168.1.2/

    Failed to establish a secure connection to 192.168.1.2

The system returned:

    [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)

    Certificate does not match domainname: /C=xx/ST=xxxxxxx/L=xxxxxx /O=xxxx/emailAddress=xxxxxxxxxxxxxxx/CN=firewalltest.test/subjectAltName=DNS:firewalltest,IP:192.168.1.2

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local."


Certificate for the OPNsense webgui, issued by a CA on OPNsense, which is also the one chosen as the CA for squid in OPNsense services.

"Certificate Subject Alt Name = "DNS:firewalltest,IP:192.168.1.2"
CN = firewalltest.test
E = xxxxxxx
O = xxxxxx
L = xxxxxx
ST = xxxxx
C = xxxxx"


hbc:
The answer is in your text

--- Quote ---Failed to establish a secure connection to 192.168.1.1
--- End quote ---


--- Quote ---CN=firewalltest.test/subjectAltName=DNS:firewalltest,IP:192.168.1.2
--- End quote ---

192.168.1.1 is not in your certificate name/alias

Update: are you talking about 192.168.1.1 or 192.168.1.2? Your post uses both.

porigromus:
I apologize for the misleading text; I changed the IPs for security reasons. I can assure you that the true IPs match properly.
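
An added example, not part of any post in this thread and not Squid's own code: it parses the certificate line quoted in the error page and reports which entry type (DNS SAN, IP SAN or CN) a requested host would have to match under RFC 2818/6125 rules. The function names and the `check_ip_san` switch are hypothetical; the switch models a verifier that compares only DNS-type names, and whether the Squid build in this thread behaves that way is an assumption the thread does not confirm.

```python
import ipaddress

# Certificate line copied from the error page quoted in the first post.
SAMPLE = ("/C=xx/ST=xxxxxxx/L=xxxxxx /O=xxxx/emailAddress=xxxxxxxxxxxxxxx"
          "/CN=firewalltest.test/subjectAltName=DNS:firewalltest,IP:192.168.1.2")


def parse_names(subject_line):
    """Split the one-line subject dump into CN, DNS SAN and IP SAN lists."""
    names = {"CN": [], "DNS": [], "IP": []}
    for field in subject_line.strip("/").split("/"):
        key, _, value = field.partition("=")
        if key == "CN":
            names["CN"].append(value.strip().lower())
        elif key == "subjectAltName":
            for entry in value.split(","):
                kind, _, name = entry.strip().partition(":")
                if kind in ("DNS", "IP"):
                    names[kind].append(name.strip().lower())
    return names


def dns_match(pattern, host):
    """Exact match, or a single left-most wildcard label (*.example.test)."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def match_host(host, names, check_ip_san=True):
    """Return the entry type that covers `host`, or None for a mismatch."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is only ever compared against iPAddress SAN entries,
        # never against DNS names or the CN.
        if check_ip_san and any(ipaddress.ip_address(ip) == addr
                                for ip in names["IP"]):
            return "IP SAN"
        return None
    host = host.lower().rstrip(".")
    if names["DNS"]:
        # When DNS SAN entries exist, the CN is not consulted.
        return "DNS SAN" if any(dns_match(p, host) for p in names["DNS"]) else None
    return "CN" if any(dns_match(cn, host) for cn in names["CN"]) else None
```

For the quoted certificate, `firewalltest` is covered by the DNS entry and `192.168.1.2` only by the IP entry, so a check that skips IP entries reports a mismatch for the address while still accepting the name.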
