Error Reading Certificate File /etc/stunnel/stunnel.pem
Running stunnel from inetd

You can invoke stunnel from inetd. Inetd is the Unix 'super server' that launches a program (for example the telnet daemon) whenever a connection is established to a specified port. Let's say we want stunnel to listen on our machine on port 9999 to support a fictitious protocol called foobar. We would add the following line to the file /etc/inetd.conf:

    foobar stream tcp nowait root /usr/local/bin/stunnel stunnel

(if you installed stunnel in a different location than /usr/local/bin, use that path instead) and add the following line to /etc/services:

    foobar 9999/tcp # The foobar service

You must then send the inetd process a SIGHUP. Find the process id of inetd with one of the following commands:

    ps -ef | grep inetd
    ps -axj | grep inetd

and then type kill -HUP process_id. On some Unix versions (for example Linux, *BSD, IRIX) you may be able to use killall -HUP inetd to save yourself from looking up the process id. Note: some Unix variants have a killall command that kills all processes on the machine. That is not the killall you are looking for...

The /usr/local/etc/stunnel.conf configuration file for inetd mode must not include a [service] line. For example:

    cert = ...
    ...
    # Do not include
    # [someservicename]
    connect = logging:syslogs

If you have a [service] line, stunnel will fork into the background to do its job and will not work with inetd.

Note: running in daemon mode is much preferred to running in inetd mode. Why? In inetd mode SSL needs to be initialized for every connection, and no session cache is possible. inetd mode also requires forking, which causes additional overhead; daemon mode will not fork if stunnel was compiled with threads.

Running stunnel in daemon mode

Let's say we want stunnel to listen on our machine on port 9999 to support a fictitious protocol called foobar. First we would add the following line to /etc/services:

    foobar 9999/tcp # The foobar service

The stunnel configuration file needs at least the section name and the accept option. For example:

    cert = ...
    ...
    [foobar service]
    accept = foobar
    ...

Running stunnel with TCP wrappers

You do not need to use the tcpd binary to wrap stunnel (although you could). You can compile in sup
stunnel.pem -keyout stunnel.pem
Generating a 512 bit RSA private key
..++++++++++++
.....++++++++++++
writing new private key to 'stunnel.pem'
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
1988:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=req name=distinguished_name

$ /usr/bin/stunnel.exe
2007.05.13 22:37:12 LOG4[2188:6422536]: Wrong permissions on /etc/stunnel/mail.pem
2007.05.13 22:37:12 LOG3[2188:6422536]: Error reading certificate file: /etc/stunnel/stunnel.pem
2007.05.13 22:37:12 LOG3[2188:6422536]: error stack: 140DC009 : error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2007.05.13 22:37:12 LOG3[2188:6422536]: SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

and I ran all as Administrator

_______________________________________________
stunnel-users mailing list
stunnel-users@xxxxxxxx
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

Previous Message by Date:

with the windows version it isn't better... same kind of errors

C:\Programmi\openssl>openssl.exe req -new -x509 -days 365 -nodes -config stunnel.conf -out stunnel.pem -keyout stunnel.pem
Loading 'screen' into random state - done
Generating a 512 bit RSA private key
.....++++++++++++
.......................++++++++++++
writing new private key to 'stunnel.pem'
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
1772:error:0E06D06C:configuration file routines:NCONF_get_string:no value:./crypto/conf/conf_lib.c:329:group=req name=distinguished_name

2007.05.13 23:05:03 LOG3[304:860]: Error resolving 'VNC_client_IP_address': Neither nodename nor servname known (EAI_NONAME)
Cannot resolve 'VNC_client_IP_address:443' - delaying DNS lookup
2007.05.13 23:05:03 LOG3[304:860]: Error reading certificate file: stunnel.pem
2007.05.13 23:05:03 LOG3[304:860]: error stack: 140DC009 : error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2007.05.13 23:05:03 LOG3[304:860]: SSL_CTX_use_certificat
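The openssl and stunnel errors quoted in the two messages above have separate causes, and the script below (an added example, not code from the stunnel project or from the poster) covers both. openssl req aborted because -config pointed at stunnel.conf, which has no [req] section naming a distinguished_name section, so the key was written but the certificate never was; make_stunnel_pem writes a minimal OpenSSL config of its own and produces key and certificate in one file with mode 600. check_stunnel_pem then reports, without starting stunnel, the two conditions behind "Wrong permissions on ..." (any group/other permission bit set) and "PEM_read_bio:no start line" (no certificate block in the file, which is exactly what an empty or key-only stunnel.pem gives), and check_stunnel_keymatch confirms the certificate belongs to the key beside it. The function names, the CN "stunnel.example.test", the default path and the script name in the guard at the bottom are assumptions of this example.

```shell
#!/bin/sh
# Added example for the thread above; not code from the stunnel project.
# make_stunnel_pem       - generate key + self-signed cert into one file, mode 600,
#                          using a minimal OpenSSL config that has the [req] section
#                          and distinguished_name the failing command lacked.
# check_stunnel_pem      - report, without starting stunnel, the conditions behind
#                          "Wrong permissions on ..." and "PEM_read_bio:no start line".
# check_stunnel_keymatch - confirm the certificate and the key in the file belong together.
# Assumptions: the function names, the CN "stunnel.example.test", the default path and
# the script name in the guard at the bottom are all made up for this example.

# make_stunnel_pem OUTFILE [CN]
make_stunnel_pem() {
    out=$1; cn=${2:-stunnel.example.test}
    tmp=$(mktemp -d) || return 1
    # "prompt = no" makes openssl take the subject from the [dn] section instead of
    # asking interactively; without a distinguished_name entry openssl req aborts.
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' "CN = $cn" > "$tmp/req.cnf"
    (
        umask 077   # key material is never created group/other readable
        openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
            -config "$tmp/req.cnf" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" && chmod 600 "$out"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# check_stunnel_pem FILE
# Return codes: 0 usable, 1 missing, 2 empty, 3 group/other bits set,
#               4 no certificate block ("no start line" from stunnel), 5 no key block.
check_stunnel_pem() {
    pem=$1
    [ -e "$pem" ] || { echo "$pem: no such file"; return 1; }
    [ -s "$pem" ] || { echo "$pem: empty; certificate generation failed?"; return 2; }
    # stunnel rejects a key file with any group/other bit set; columns 5-10 of
    # "ls -l" are exactly those six bits, which avoids GNU/BSD stat differences.
    go_bits=$(ls -ld "$pem" | cut -c5-10)
    [ "$go_bits" = "------" ] || { echo "$pem: group/other permissions set ($go_bits); use chmod 600"; return 3; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate block; stunnel will log 'no start line'"; return 4; }
    grep -q -E -e '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$pem" ||
        { echo "$pem: certificate present but no private key block"; return 5; }
    echo "$pem: permissions and PEM blocks look usable"
}

# check_stunnel_keymatch FILE
# Return codes: 0 match, 1 mismatch, 2 openssl missing or file not parsable.
check_stunnel_keymatch() {
    pem=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping key match"; return 2; }
    # The public key inside the certificate must equal the one derived from the private key.
    cert_pub=$(openssl x509 -noout -pubkey -in "$pem" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$pem" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || { echo "$pem: certificate does not match the private key"; return 1; }
    echo "$pem: certificate and private key match"
}

# Stand-alone use:  sh stunnel_pem_check.sh [FILE]   (defaults to /etc/stunnel/stunnel.pem)
if [ "${0##*/}" = "stunnel_pem_check.sh" ]; then
    f=${1:-/etc/stunnel/stunnel.pem}
    check_stunnel_pem "$f" && check_stunnel_keymatch "$f"
fi
```

Run the check before every stunnel restart; a non-zero exit code maps directly onto the error you would otherwise first see in the stunnel log. The key size and validity in make_stunnel_pem are this example's choices, not the 512-bit key the quoted command was generating.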
JohnieBraaf (Member, from Belgium, registered 2010-07-10, 15 posts)

[SOLVED] Stunnel not logging

Hi,

I'm trying to get stunnel working on my system, which previously worked flawlessly on my Debian and Ubuntu systems. What did I do:

    # install stunnel
    sudo pacman -S stunnel

    # create certificate
    cd /etc/stunnel
    openssl req -new -x509 -days 3650 -nodes -out mail.pem -keyout mail.pem

    # edit my config file
    sudo cp /etc/stunnel/stunnel.conf-sample /etc/stunnel/stunnel.conf
    sudo kwrite /etc/stunnel/stunnel.conf

The following describes the content of my stunnel.conf:

    ; protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = TLSv1

    ; security enhancements for UNIX systems - comment them out on Win32
    ; for chroot a copy of some devices and files is needed within the jail
    chroot = /var/run/stunnel
    setuid = stunnel
    setgid = stunnel
    ; PID is created inside the chroot jail
    pid = /stunnel.pid

    ; performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = zlib

    ; workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS

    ; authentication stuff needs to be configured to prevent MITM attacks
    ; it is not enabled by default!
    ;verify = 2
    ; don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; it's often easier to use CAfile
    ;CAfile = /etc/stunnel/certs.pem
    ; don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; alternatively CRLfile can be used
    ;CRLfile = /etc/stunnel/crls.pem

    ; debugging stuff (may be useful for troubleshooting)
    debug = 7
    output = /var/log/stunnel.log

    ; SSL client mode
    client = yes

    ; service-level configuration

    [GMail_POP]
    accept = 127.0.0.1:3001
    connect = pop.gmail.com:995

    [GMail_SMTP]
    accept = 127.0.0.1:3002
    connect = smtp.gmail.com:465

    [GMail_IMAP]
    accept = 127.0.0.1:3003
    connect = imap.gmail.com:993

    [VFEmail]
    accept = 127.0.0.1:3004
    connect = mail.vfemail.net:465

The above described process was enough to get it running on my previous systems. However, it does not suffice on Arch. Googling around I found that my /etc/hosts.allow should be altered.

    # allow requests from 127.0.0.1
    sudo kwrite /etc/hosts.allow
    # added the following line:
    stunnel: 127.0.0.1

However, it's still not working. Because I want to debug the problem, I try to read the log /var/log/stunnel.log, but it's not present. This is strange, because I clearly enabled the logg
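Two passages on this page come down to the shape of stunnel.conf: the FAQ section earlier says an inetd-mode file must have no [service] section while a daemon-mode file needs a section with accept, and the config in the post above carries the sample's own warning that verification "is not enabled by default" while leaving verify and CAfile commented out, so each of its client = yes tunnels to pop.gmail.com:995 and the other mail hosts would accept any server certificate. The static checker below is an added example, not code from the stunnel project, the FAQ or the poster, and serves both passages: it reports the mode the file is written for and flags every client section that has no verify >= 2 (or, in newer stunnel, verifyChain/verifyPeer = yes) together with a CAfile or CApath. The function name and the sample configs in the test are assumptions; everything else follows stunnel's rule that options before the first section are the defaults every section inherits.

```shell
#!/bin/sh
# Added example; not code from the stunnel project, the FAQ text or the forum post.
# stunnel_conf_audit FILE - static check of a stunnel.conf for two things:
#   1. mode: no [service] section = inetd mode (stunnel serves the socket inetd hands
#      it, using the global connect = line); any [service] section = daemon mode, and
#      each such section then needs an accept = line.
#   2. verification: a section with client = yes that lacks verify >= 2 (or
#      verifyChain/verifyPeer = yes) plus a CAfile/CApath accepts any server
#      certificate, which is the MITM exposure the sample config warns about.
# Global options before the first section are the defaults every section inherits,
# so "client = yes" at the top applies to each [GMail_*] section below it.
# Output: "warn: ..." lines, then "mode=inetd|daemon|invalid". Exit 1 on any warning.
# The function name is an assumption of this example.
stunnel_conf_audit() {
    awk '
    BEGIN { gclient = ""; gvfy = 0; gca = 0 }            # global (default) values
    function flush() {                                  # report on the section just finished
        if (sect == "") return
        if (!accept) { print "warn: [" sect "] has no accept = line"; invalid = 1 }
        if (client == "yes" && (vfy < 2 || !ca)) {
            print "warn: [" sect "] is a client but does not verify the server certificate"
            warned = 1
        }
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                               # [service] header
        flush()
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
        nsect++; accept = 0
        client = gclient; vfy = gvfy; ca = gca             # inherit global defaults
        next
    }
    {
        key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (sect != "") {
            if (key == "accept") accept = 1
            else if (key == "client") client = val
            else if (key == "verify") vfy = val + 0
            else if ((key == "verifyChain" || key == "verifyPeer") && val == "yes") vfy = 2
            else if (key == "CAfile" || key == "CApath") ca = 1
        } else {
            if (key == "accept") { print "warn: accept = outside any [service] section"; invalid = 1 }
            else if (key == "client") gclient = val
            else if (key == "verify") gvfy = val + 0
            else if ((key == "verifyChain" || key == "verifyPeer") && val == "yes") gvfy = 2
            else if (key == "CAfile" || key == "CApath") gca = 1
        }
    }
    END {
        flush()
        mode = nsect ? "daemon" : "inetd"
        if (invalid) mode = "invalid"
        print "mode=" mode
        exit (invalid || warned)
    }' "$1"
}
```

Running it over the config in the post prints one warn line per [GMail_*] and [VFEmail] section and exits 1; uncommenting verify = 2 and CAfile = /etc/stunnel/certs.pem (with a CA bundle that actually contains the issuers of those mail servers' certificates) makes it report only mode=daemon. The checker reads the file as text, so it also works on a config that stunnel itself refuses to start with.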