Hi Jose, I have exported the certificate from AVG and appended it to my ca-certs.pem using a text editor. To make it easier to read I included a line break before the appended text thus: -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- I’m testing with my Zen connection for convenience: [zen-pop3] client = yes accept = 127.0.0.1:26110 connect = mailhost.zen.co.uk:995 CAfile = ca-certs.pem verifyChain = yes checkHost = mailhost.zen.co.uk OCSPaia = yes It succeeds. The log shows: 2026.05.31 20:39:42 LOG5[2]: Service [zen-pop3] accepted connection from 127.0.0.1:63471 2026.05.31 20:39:42 LOG5[2]: s_connect: connected 212.23.1.11:995 2026.05.31 20:39:42 LOG5[2]: Service [zen-pop3] connected remote server from 127.0.0.1:63472 2026.05.31 20:39:42 LOG5[2]: Certificate accepted at depth=0: CN=*.zen.co.uk 2026.05.31 20:39:42 LOG5[2]: Connection closed: 71 byte(s) sent to TLS, 6771 byte(s) sent to socket Thank you so much for your help. Regards, == Graham From: Jose Alf. [mailto:josealf@rocketmail.com] Sent: 31 May 2026 17:53 To: stunnel-users@lists.stunnel.org; graham@lorien56.co.uk Subject: Re: [stunnel-users] Certificate rejected ...? Hi Graham, The issue you have is due to your locally installed AVG Security product. In order to do a security scan/review of your encrypted connections (web, SMTP, IMAP), AVG works as a man-in-the-middle and is intercepting the connection that Stunnel is trying to do to mail.lopham.co.uk and presenting a certificate signed by a local CA that is unknown to Stunnel. I understand that you can configure AVG to disable this TLS scanning/interception, but most likely you want to keep it enabled and to avoid the failure in Stunnel you must add the local AVG CA root certificate to the file ca-certs.pem, You need to export the cert in PEM format and append it to your ca-certs.pem with a text editor. See: https://support.avg.com/SupportArticleView?l=en <https://support.avg.com/SupportArticleView?l=en&urlname=content-products-avg-antivirus-configuringsettings-exportmailshieldcert> &urlname=content-products-avg-antivirus-configuringsettings-exportmailshieldcert Hope this helps. Regards, Jose A. Diaz On Sunday, May 31, 2026 at 01:26:29 AM GMT-5, Graham Jones via stunnel-users <stunnel-users@lists.stunnel.org> wrote: I'm new to Stunnel. stunnel 5.78 on x64-pc-mingw32-gnu platform Windows 7 Pro. During installation, the process walked me through the creation of a certificate. I have these settings: [Lopham-imap] client = yes accept = 127.0.0.1:52143 connect = mail.lopham.co.uk:993 CAfile = ca-certs.pem The connection succeeds. I add the following lines: verifyChain = yes checkHost = mail.lopham.co.uk OCSPaia = yes The connection fails with the following lines in the log: 2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] accepted connection from 127.0.0.1:51901 2026.05.30 21:45:52 LOG5[2]: s_connect: connected 193.143.227.10:993 2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] connected remote server from 127.0.0.1:51902 2026.05.30 21:45:52 LOG4[2]: CERT: Pre-verification error: certificate not found in local repository: self-signed certificate in certificate chain 2026.05.30 21:45:52 LOG4[2]: Rejected by CERT at depth=1: OU=generated by AVG Antivirus for SSL/TLS scanning, O=AVG Web/Mail Shield, CN=AVG Web/Mail Shield Root 2026.05.30 21:45:52 LOG3[2]: SSL_connect: tls_post_process_server_certificate@ssl/statem/statem_clnt.c:2124: error:0A000086:SSL routines::certificate verify failed: client 127.0.0.1:51901 2026.05.30 21:45:52 LOG5[2]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket I see it finds the self-signed certificate in certificate chain. Why is this rejected? Any ideas, please? Regards, == Graham _______________________________________________ stunnel-users mailing list -- stunnel-users@lists.stunnel.org To unsubscribe send an email to stunnel-users-leave@lists.stunnel.org