Error Reading Certificate File /usr/local/etc/stunnel/stunnel.pem
or SSLeay. In that case you should download and compile one of them. OpenSSL can be found at www.openssl.org. The other possibility is that you installed your SSL library in a non-standard place. Use the --with-ssl directive when running configure to tell it where this directory is.

Configure is not finding my TCP Wrapper installation

You probably have it in a non-standard place, i.e. somewhere that gcc cannot find it on its own. Let's say you had your TCP Wrappers installed in /opt/tcpd_7.6. To help gcc find your include files and libraries, you should set three environment variables as follows:

    CFLAGS="$CFLAGS -I/opt/tcpd_7.6/include"
    CPPFLAGS="$CPPFLAGS -I/opt/tcpd_7.6/include"
    LDFLAGS="$LDFLAGS -L/opt/tcpd_7.6/lib"
    export CFLAGS CPPFLAGS LDFLAGS

And then re-run configure. This is the generic way to have configure find specific libraries, and is not specific to stunnel itself.

What to do when stunnel fails

Firstly, the most important things to try when you are having trouble running stunnel are to:

- run with full debug mode: debug = 7
- if running the daemon, run it in the foreground: foreground = yes

Doing this gives you the best chance of catching the errors in the log on the screen.

I do not have the openssl binary / Cannot make stunnel.pem!

If you do not have the openssl program (for example you are using the pre-compiled version of stunnel on a Windows machine) then you need to generate an stunnel.pem file in some other manner. You can find a spare Unix workstation that does have OpenSSL installed, for example.

When I run stunnel, it just sits there, it does not listen for requests!

You are probably missing the [service] definition in your config. For example:

    pid = /stunnel.pid
    setuid = nobody
    setgid = nobody
    debug = local6.err
    foreground = no
    client = yes

    [mysyslog]
    accept = localhost:syslog
    connect = logging:syslogs

Without that [mysyslog] line, stunnel assumes you want to operate in inetd-style mode.

I get the error "Wrong permi
compilation issue on Mac OS X 10.5 powerpc

Many thanks Mike. You were right. There is something wrong with my manual install of openssl 1.0.0e. I just recompiled stunnel 4.47 from sources, using the openssl libraries provided by fink and it went like a charm.

However, I'm now running into another issue. I'm trying to configure stunnel with sni. I read the man page, the how to, the previous mailing list messages and googled as much as I could but can't seem to find an answer. When I configure stunnel to tunnelize http (i.e. [https] service), everything works fine. When I configure stunnel with sni to tunnelize several virtual hosts (i.e. [virtual] + [sni1] + [sni2]), it crashes on a segmentation fault when testing the connection to the virtual host with openssl or with a browser. When I configure only the virtual service without any sni virtual hosts (i.e. [virtual] only, without any defined sni), everything runs fine.

I'm running into the exact same issue with stunnel 4.46 installed from fink - SNI won't work, which is very sad. I have the feeling that this is related to the OpenSSL distributed by Fink and I'm currently checking with the maintainer whether the distributed pre-compiled OpenSSL was compiled with --enable-tls.

Do you think that this might be related to something wrong in fink's openssl or the fink openssl libraries against which I have built stunnel? I'm currently checking with the maintainer of the ssl package on Fink whether it has been built with the --enable-tlsext option, but it seems that it has been (I've been trying to run an OpenSSL server with the -tls option and connect with an OpenSSL client with the -tls option, and it connects correctly).
Here is the console output of stunnel in foreground debug mode:

    2011.11.23 20:21:38 LOG7[26580:2689165344]: Clients allowed=125
    2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=3 allocated (non-blocking mode)
    2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=4 allocated (non-blocking mode)
    2011.11.23 20:21:38 LOG5[26580:2689165344]: stunnel 4.47 on powerpc-apple-darwin9.8.0 platform
    2011.11.23 20:21:38 LOG5[26580:2689165344]: Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
    2011.11.23 20:21:38 LOG5[26580:2689165344]: Threading:PTHREAD SSL:ENGINE Auth:none Sockets:SELECT,IPv4
    2011.11.23 20:21:38 LOG5[26580:2689165344]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
    2011
Stunnel

- Quick certificate overview.
- What's a certificate?
- Do I need a valid certificate?
- Generating the stunnel private key (pem).
- But I don't have the openssl binary!
- How can I get rid of a passphrase on my key?
- Problems with a self-signed certificate.
- Do I need to have a Certificate Authority sign my key?
- How can I have my key signed by a CA?
- Can I set up my own CA instead?
- How does stunnel check certificates?
- Where do I put all these certificates?
- Where can I get a copy of official CA certificates?
- How do I import/trust a certificate into Outlook/Outlook Express/IE/etc?
- How do I convert a PKCS12 certificate to PEM form?
- Other useful web pages (not necessarily stunnel specific)
- Setting up your own CA -- Useful URLs

Using Certificates with Stunnel

A full description of how certificates work is beyond the scope of this FAQ. For that, go read the SSL Certificates HOWTO. Here I'll try to explain how certs work with Stunnel itself.

Quick certificate overview.

Every stunnel server has a private key. This is contained in the pem file which stunnel uses to initialize its identity. (PEM stands for 'privacy enhanced mail', a name which is now used much more liberally for a key format.) This private key is put in /usr/local/ssl/certs/stunnel.pem by default; however, you should check the output of stunnel -h to verify. You can use a non-default keyfile if you wish by supplying the '-p' argument to stunnel.

An SSL server should also present a certificate. Stunnel generates self-signed certificates by default during the installation. It is possible to have your key signed by a third party (a certificate authority) instead if you wish.

What's a certificate?

When an SSL client connects to an SSL server, the server presents a certificate, essentially an electronic piece of proof that the machine is who it claims to be.
This certificate is signed by a 'Certificate Authority' (hereafter a CA) -- usually a trusted third party like Verisign. A client will accept this certificate only if:

- The certificate presented matches the private key being used by the remote end.
- The certificate has been signed correctly by the CA.
- The client recognizes the CA as trusted.

It is also possible for an SSL client to present a ce
    2005.06.24 11:56:38 LOG3[742:3086956768]: Error reading certificate file: /etc/stunnel/mail.chiptecmm.com.pem
    2005.06.24 11:56:38 LOG3[742:3086956768]: error stack: 140DC009 : error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
    2005.06.24 11:56:38 LOG3[742:3086956768]: SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

My stunnel.conf is as follows:

    ---------------------------------------------
    #stunnel conf
    cert = /etc/stunnel/mail.chiptecmm.com.pem
    pid = /var/run/stunnel/run/stunnel.pid
    setuid = nobody
    setgid = nobody
    # workaround
    options = DONT_INSERT_EMPTY_FRAGMENTS
    #some debugging
    debug = 3
    output = /var/log/stunnel.org
    # service level configuration
    [pop3s]
    accept = 81.92.198.224:995
    connect = 110
    [imaps]
    accept = 81.92.198.224:993
    connect = 143
    [smtps]
    accept = 81.92.198.224:465
    connect = 25
    ---------------------------------------------

Any help is very welcome.

If it helps - I am still getting this error:

    [root@server01 ~]# /usr/sbin/stunnel -d 995 -p /usr/share/ssl/certs/stunnel.pem -r localhost:pop3
    2005.06.24 14:45:23 LOG3[7147:3086956768]: -d: No such file or directory (2)
    Syntax: stunnel [filename] | -fd [n] | -help | -version | -sockets
        filename    - use specified config file instead of /etc/stunnel/stunnel.conf
        -fd n       - read the config file from specified file descriptor
        -help       - get config file help
        -version    - display version and defaults
        -sockets    - display default socket options
    [root@server01 ~]#

toml, 06-24-2005, 02:23 PM

Just a guess here, but by the looks of that error, I would say you have a chained certificate which requires more than just your certificate; you need the chained CA public certificate. If you concatenate the two, that should work. As far as the error you get with executing stunnel, tho