I am using the sslBump and Dynamic SSL Certificate Generation features of squid, below is my configuration for the sslBump

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB sslcrtd_children 5

sslproxy_cert_error allow all

always_direct allow all

ssl_bump client-first all

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem

I am facing below error when i start the squid.

squid -d 23

2014/08/29 16:55:59 kid1| Set Current Directory to /var/cache/squid
2014/08/29 16:55:59 kid1| Starting Squid Cache version for x86_64-redhat-linux-gnu...
2014/08/29 16:55:59 kid1| Process ID 32150
2014/08/29 16:55:59 kid1| Process Roles: worker
2014/08/29 16:55:59 kid1| With 1024 file descriptors available
2014/08/29 16:55:59 kid1| Initializing IP Cache...
2014/08/29 16:55:59 kid1| DNS Socket created at [::], FD 7
2014/08/29 16:55:59 kid1| DNS Socket created at, FD 8
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver from /etc/resolv.conf
2014/08/29 16:55:59 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2014/08/29 16:55:59.339 kid1| ErrorDetailManager.cc(254) parse:  Remain size: 72 Content: name: X509_V_ERR_AKID_SKID_MISMATCH
detail: "%ssl_error_descr: %ssl_subj
2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse:  Remain size: 125 Content: name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"

2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse:  Remain size: 0 Content: 
2014/08/29 16:55:59.341 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/08/29 16:55:59.341 kid1| Store logging disabled
2014/08/29 16:55:59.341 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/08/29 16:55:59.341 kid1| Target number of buckets: 1008
2014/08/29 16:55:59.341 kid1| Using 8192 Store buckets
2014/08/29 16:55:59.341 kid1| Max Mem  size: 262144 KB
2014/08/29 16:55:59.341 kid1| Max Swap size: 0 KB
2014/08/29 16:55:59.341 kid1| Using Least Load store dir selection
2014/08/29 16:55:59.341 kid1| Set Current Directory to /var/cache/squid
k kill2014/08/29 16:55:59.341 kid1| Finished loading MIME types and icons.
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(18) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x7ff9b784a900 [call18]
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(85) ScheduleCall: StartListening.cc(56) will call clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528) [call18]
2014/08/29 16:55:59.427 kid1| HTCP Disabled.
2014/08/29 16:55:59.427 kid1| Squid plugin modules loaded: 0
2014/08/29 16:55:59.427 kid1| Adaptation support is off.
2014/08/29 16:55:59.428 kid1| AsyncCallQueue.cc(51) fireNext: entering clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.428 kid1| AsyncCall.cc(30) make: make call clientListenerConnectionOpened [call18]
2014/08/29 16:55:59.428 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2014/08/29 16:55:59.429 kid1| AsyncCallQueue.cc(53) fireNext: leaving clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.429 kid1| WARNING: ssl_crtd #Hlpr0 exited
2014/08/29 16:55:59.429 kid1| Too few ssl_crtd processes are running (need 1/5)
2014/08/29 16:55:59.429 kid1| Closing HTTP port [::]:3128
2014/08/29 16:55:59.429 kid1| storeDirWriteCleanLogs: Starting...
2014/08/29 16:55:59.429 kid1|   Finished.  Wrote 0 entries.
2014/08/29 16:55:59.429 kid1|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.

Is there is any configuration change or work around to resolved this error? Tested with RHEL 6.4 and Fedora 18 with squid 3.2.3, 3.4.4, 3.3.1

  • 111
  • 1
  • 1
  • 5
  • try also posting on squid-users mailing lists. they are very responsive. http://www.squid-cache.org/Support/mailing-lists.html – Costin Gușă Sep 08 '14 at 22:47

6 Answers6


This can be caused by an unitialized ssl_db in squid which can be created with:

ssl_crtd=$(find /usr -type f -name ssl_crtd)
$ssl_crtd -c -s /var/lib/ssl_db
chown -R squid /var/lib/ssl_db

& set in /etc/squid/squid.conf

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 3 startup=1 idle=1

depending on how your squid was built you may also be able to use security_file_certgen

see also Squid docs for Dynamic SSL Certificate Generation

Stuart Cardall
  • 531
  • 4
  • 7

For me I just need to initialize the SSL database

sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

I got this problem too. I used squid version 3.5.20 on Centos 7 and the configuration is like this:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/>

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

To configure squid, I use this instructions: https://support.kaspersky.com/KWTS/6.0/en-US/166244.htm.

Thus, I got that error, ssl_crtd helpers are crashing too rapidly in squid

I fixed this by change the location of sslcrtd_program file to /usr/local/squid/var/lib/ssl_db. I follow the instruction in http://www.squid-cache.org/Versions/v3/3.5/cfgman/sslcrtd_program.html.

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB

And it works.

  • 11
  • 6

In my case, the path to ssl_crtd was not being accessible by the squid user, getting the following error in the log:

2021/11/26 09:07:02.781| ipcCreate: /home/claudiu/kits/squid-3.5.27/src/ssl/ssl_crtd: (13) Permission denied

Once I moved it to an accessible location, it worked.

  • 101
  • 1

In my case. issue was selinux try: semanage permissive -a squid_t
then restart your service.

  • 1

I don't think what you've given us is of much use. It tells us that the helper processes are dying, and that it's happening more or less immediately, but doesn't tell us why they are dying.

You might get some clues using strace and/or ltrace. Trace the parent process (probably squid, and forked child processes. (eg strace -f -p PID or strace -ff -p PID). That's likely to show you what those processes are doing immediately before they crash. Try ltrace if strace doesn't give you something useful, but usually strace gives you what you need.

  • 5,786
  • 17
  • 31