Error Reading Certificate File /usr/local/etc/stunnel/mail.pem
compilation issue on Mac OS X 10.5 powerpc

Many thanks Mike. You were right. There is something wrong with my manual install of openssl 1.0.0e. I just recompiled stunnel 4.47 from sources, using the openssl libraries provided by fink, and it went like a charm.

However, I'm now running into another issue. I'm trying to configure stunnel with SNI. I read the man page, the how-to, the previous mailing list messages and googled as much as I could, but can't seem to find an answer.

When I configure stunnel to tunnel http (i.e. a [https] service), everything works fine. When I configure stunnel with SNI to tunnel several virtual hosts (i.e. [virtual] + [sni1] + [sni2]), it crashes with a segmentation fault when testing the connection to the virtual host with openssl or with a browser. When I configure only the virtual service without any SNI virtual hosts (i.e. [virtual] only, without any defined sni), everything runs fine.

I'm running into the exact same issue with stunnel 4.46 installed from fink: SNI won't work, which is very sad. I have the feeling that this is related to the OpenSSL distributed by Fink, and I'm currently checking with the maintainer whether the distributed pre-compiled OpenSSL was compiled with --enable-tls.

Do you think that this might be related to something wrong in fink's openssl, or the fink openssl libraries against which I have built stunnel? I'm currently checking with the maintainer of the ssl package on Fink whether it has been built with the --enable-tlsext option, but it seems that it has been (I've been trying to run an OpenSSL server with the -tls option and connect with an OpenSSL client with the -tls option, and it connects correctly).
Here is the console output of stunnel in foreground debug mode:

2011.11.23 20:21:38 LOG7[26580:2689165344]: Clients allowed=125
2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=3 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=4 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG5[26580:2689165344]: stunnel 4.47 on powerpc-apple-darwin9.8.0 platform
2011.11.23 20:21:38 LOG5[26580:2689165344]: Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
2011.11.23 20:21:38 LOG5[26580:2689165344]: Threading:PTHREAD SSL:ENGINE Auth:none Sockets:SELECT,IPv4
2011.11.23 20:21:38 LOG5[26580:2689165344]: Reading configuration from file /usr/local/etc/stu
Stunnel

Quick certificate overview.
What's a certificate?
Do I need a valid certificate?
Generating the stunnel private key (pem).
But I don't have the openssl binary!
How can I get rid of a passphrase on my key?
Problems with a self-signed certificate.
Do I need to have a Certificate Authority sign my key?
How can I have my key signed by a CA?
Can I set up my own CA instead?
How does stunnel check certificates?
Where do I put all these certificates?
Where can I get a copy of official CA certificates?
How do I import/trust a certificate into Outlook/Outlook Express/IE/etc.?
How do I convert a PKCS12 certificate to PEM form?
Other useful web pages (not necessarily stunnel specific)
Setting up your own CA -- Useful URLs

Using Certificates with Stunnel

A full description of how certificates work is beyond the scope of this FAQ. For that, go read the SSL Certificates HOWTO. Here I'll try to explain how certificates work with Stunnel itself.

Quick certificate overview.

Every stunnel server has a private key. This is contained in the pem file which stunnel uses to initialize its identity. (PEM stands for 'privacy enhanced mail'; the name is now used much more liberally for this key and certificate format.) This private key is put in /usr/local/ssl/certs/stunnel.pem by default; check the output of stunnel -h to verify the path your build uses. You can use a non-default keyfile by supplying the '-p' argument to stunnel. (These command-line options belong to stunnel 3.x; stunnel 4.x takes the file from the cert = line in stunnel.conf instead.) An SSL server should also present a certificate. Stunnel generates a self-signed certificate by default during installation. It is possible to have your key signed by a third party (a certificate authority) instead if you wish.

What's a certificate?

When an SSL client connects to an SSL server, the server presents a certificate, essentially an electronic piece of proof that the machine is who it claims to be.
This certificate is signed by a 'Certificate Authority' (hereafter a CA) -- usually a trusted third party like Verisign. A client will accept this certificate only if the certificate presented matches the private key being us
2005.06.24 11:56:38 LOG3[742:3086956768]: Error reading certificate file: /etc/stunnel/mail.chiptecmm.com.pem
2005.06.24 11:56:38 LOG3[742:3086956768]: error stack: 140DC009 : error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2005.06.24 11:56:38 LOG3[742:3086956768]: SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

My stunnel.conf:
---------------------------------------------
#stunnel conf
cert = /etc/stunnel/mail.chiptecmm.com.pem
pid = /var/run/stunnel/run/stunnel.pid
setuid = nobody
setgid = nobody

# workaround
options = DONT_INSERT_EMPTY_FRAGMENTS

#some debugging
debug = 3
output = /var/log/stunnel.org

# service level configuration
[pop3s]
accept = 81.92.198.224:995
connect = 110

[imaps]
accept = 81.92.198.224:993
connect = 143

[smtps]
accept = 81.92.198.224:465
connect = 25
---------------------------------------------

Any help is very welcome.

............................................................
If it helps, I'm still getting this error:
............................................................

[root@server01 ~]# /usr/sbin/stunnel -d 995 -p /usr/share/ssl/certs/stunnel.pem -r localhost:pop3
2005.06.24 14:45:23 LOG3[7147:3086956768]: -d: No such file or directory (2)
Syntax: stunnel [filename] | -fd [n] | -help | -version | -sockets
    filename  - use specified config file instead of /etc/stunnel/stunnel.conf
    -fd n     - read the config file from specified file descriptor
    -help     - get config file help
    -version  - display version and defaults
    -sockets  - display default socket options
[root@server01 ~]#

toml, 06-24-2005, 02:23 PM
Just a guess here, but by the looks of that error, I would say you have a chained certificate, which requires more than just your certificate: you need the chained CA public certificate. If you concatenate the two, that should work. As far as the error you get when executing stunnel, those arguments are not valid; the valid arguments to stunnel are listed below.
All configuration is done in /etc/stunnel/stunnel.conf and related files.

nobaloney, 06-25-2005, 06:55 PM
Originally posted by chiptecmm.com:
If it helps, I'm still getting this er
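The FAQ section above says the stunnel pem file holds the server's private key and certificate, and the forum post above fails on that file with "PEM routines:PEM_read_bio:no start line". The following is an added example, not code from stunnel, OpenSSL or either thread: a small PEM inspector that applies the rule behind that error (every block must open with a '-----BEGIN <LABEL>-----' line, carry a base64 body and close with the matching END line) and then reports whether the file has what stunnel's cert = loader needs. It assumes that with no key = line in stunnel.conf, as in the posted config, stunnel looks for the private key in the cert file itself. The sample PEM data is constructed from placeholder bytes and is not a real key or certificate; the names parse_pem_blocks, inspect_pem and pem_block are this example's own.

```python
"""Check a stunnel-style PEM file: private key followed by certificate chain.

Added example for this page, not code from stunnel or OpenSSL. It applies the
rule behind "PEM routines:PEM_read_bio:no start line": a PEM block must open
with a '-----BEGIN <LABEL>-----' line, base64 body, '-----END <LABEL>-----'.
"""
import base64
import binascii
import re
import sys

BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(rb"^-----END ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
              "DSA PRIVATE KEY", "EC PRIVATE KEY"}
UTF8_BOM = b"\xef\xbb\xbf"


def parse_pem_blocks(data):
    """Return [(label, der_bytes), ...] for every PEM block in `data`.

    Raises ValueError (OpenSSL-flavoured message) when there is no BEGIN line,
    a block is never closed, or a body is not base64. Lines are stripped, so
    CRLF line endings are accepted.
    """
    blocks, label, body = [], None, []
    for raw in data.splitlines():
        line = raw.strip()
        if label is None:                       # outside a block: look for BEGIN
            begin = BEGIN_RE.match(line)
            if begin:
                label, body = begin.group(1).decode(), []
            continue
        end = END_RE.match(line)
        if end:
            if end.group(1).decode() != label:
                raise ValueError("bad end line: BEGIN %s closed by END %s"
                                 % (label, end.group(1).decode()))
            try:
                der = base64.b64decode(b"".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError("bad base64 decode in %s block" % label) from exc
            blocks.append((label, der))
            label = None
        elif line and b":" not in line:         # skip Proc-Type:/DEK-Info: headers
            body.append(line)
    if label is not None:
        raise ValueError("no end line for %s block" % label)
    if not blocks:
        raise ValueError("no start line")
    return blocks


def inspect_pem(data, key_in_same_file=True):
    """Report what stunnel's `cert =` loader would find in `data`.

    `key_in_same_file` is True when stunnel.conf has no `key =` line, so the
    private key is expected in the same file (assumption: matches the posted
    config, which sets cert = only).
    """
    problems = []
    if data.startswith(UTF8_BOM):
        problems.append("UTF-8 BOM before the BEGIN line (OpenSSL reports 'no start line')")
        data = data[len(UTF8_BOM):]
    if not data.strip():
        problems.append("file is empty")
    elif data[:1] == b"\x30" and b"-----BEGIN" not in data:
        problems.append("looks like DER, not PEM (starts with an ASN.1 SEQUENCE)")
    labels = []
    try:
        labels = [label for label, _ in parse_pem_blocks(data)]
    except ValueError as exc:
        problems.append("PEM routines: %s" % exc)
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l in KEY_LABELS]
    if labels and not certs:
        problems.append("no CERTIFICATE block for SSL_CTX_use_certificate_chain_file")
    if labels and key_in_same_file and not keys:
        problems.append("no private key block and no 'key =' option in stunnel.conf")
    return {"labels": labels, "certificates": len(certs), "keys": len(keys),
            "problems": problems}


def pem_block(label, der, eol=b"\n"):
    """Wrap DER bytes as one PEM block with 64-character lines, as openssl writes them."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([b"-----BEGIN " + label + b"-----"] + lines
                    + [b"-----END " + label + b"-----"]) + eol


# Constructed sample data: placeholder bytes, not a real key or certificate.
FAKE_KEY_DER = bytes(range(48))
FAKE_CERT_DER = bytes(range(255, 191, -1))
SAMPLE_STUNNEL_PEM = (pem_block(b"RSA PRIVATE KEY", FAKE_KEY_DER)
                      + pem_block(b"CERTIFICATE", FAKE_CERT_DER))

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 pem_check.py /etc/stunnel/mail.pem
        with open(sys.argv[1], "rb") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("stunnel.pem", SAMPLE_STUNNEL_PEM), ("empty.pem", b""),
                   ("bom.pem", UTF8_BOM + SAMPLE_STUNNEL_PEM),
                   ("cert-only.pem", pem_block(b"CERTIFICATE", FAKE_CERT_DER))]
    for name, data in samples:
        report = inspect_pem(data)
        print("%s: %s problems=%s" % (name, report["labels"], report["problems"] or "none"))
```

Run it with the path from the cert = line as its only argument. An empty file, a DER-encoded file, or a file whose BEGIN line is preceded by a byte-order mark all end up as "no start line" at the OpenSSL layer; this checker names the underlying cause instead. A file that parses but lists no private key block points at the other common cause on a config like the one posted, where cert = is set but key = is not.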