Gracefully handle existing website keys without matching certificates
This can happen if Privoxy was previously running with an invalid
TLS configuration that didn't allow it to create a certificate.
The problem can be reproduced manually by removing or renaming a
certificate while keeping the key.
Previously this would result in confusing client error messages:
fk@t520 ~ $curl -v --head https://www.electrobsd.org/
* Uses proxy env variable https_proxy == 'http://127.0.1.1:8118/'
* Trying 127.0.1.1:8118...
* Connected to 127.0.1.1 (127.0.1.1) port 8118 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.electrobsd.org:443
> CONNECT www.electrobsd.org:443 HTTP/1.1
> Host: www.electrobsd.org:443
> User-Agent: curl/7.72.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.electrobsd.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.electrobsd.org:443
While the Privoxy log would say something like:
04:53:53.932 099 Error: Subject key was already created
04:53:53.932 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/
6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:
02001002:system library:fopen:No such file or directory
04:53:53.932 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/
6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:
20074002:BIO routines:file_ctrl:system lib
04:53:53.933 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/
6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:
140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
04:53:53.933 099 Error: Failed to open a secure connection with the client
Instead of failing, just remove the key and continue.
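
A check for such leftover keys in a certificate directory, as an added example that is not part of this commit or of Privoxy. It assumes each website key is stored as <name>.pem next to its certificate <name>.crt in the same directory; the function name audit_keys and the demo file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Privoxy code.
# Assumption: website keys are <name>.pem and certificates <name>.crt,
# both in the directory passed as $1 (the per-site certificate directory,
# not the directory holding the CA key).
# Run it while the proxy is stopped, so a key whose certificate is still
# being generated is not mistaken for a leftover.

# audit_keys DIR [report|remove]
# Reports (or removes) every key without a matching certificate and
# prints the number of such keys on stdout; details go to stderr.
audit_keys() {
    dir=$1
    mode=${2:-report}
    count=0
    for key in "$dir"/*.pem; do
        [ -f "$key" ] || continue        # glob matched nothing
        cert="${key%.pem}.crt"
        [ -f "$cert" ] && continue       # complete key/certificate pair
        count=$((count + 1))
        if [ "$mode" = "remove" ]; then
            # Same recovery as the commit describes: drop the key so a
            # fresh key and certificate are created on the next request.
            rm -f -- "$key" && echo "removed $key" >&2
        else
            echo "key without certificate: $key" >&2
        fi
    done
    echo "$count"
}

# Constructed demo: one complete pair and one key whose certificate is missing.
demo=$(mktemp -d)
: > "$demo/aaaa.pem"; : > "$demo/aaaa.crt"; : > "$demo/bbbb.pem"
audit_keys "$demo" report
rm -rf "$demo"
```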