I have another issue; it's quite close to fully working.


I have base.conf, mansonthomas.com.conf and extranet.oneothersite.com.conf.

When all 3 config files are activated (i.e. end with .conf), then I only see

A couple of questions (before the detailed config/output etc.):


Find all the details below!


Regards,
Thomas.



If I disable extranet.oneothersite.com (move extranet.oneothersite.com.conf to extranet.oneothersite.com.conf_)
and start stunnel I see:

root@ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/mansonthomas.com.conf] stunnel.

ps excerpt:

    1 12950 12925  1305 pts/0    12956 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 12951 12925  1305 pts/0    12956 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 12952 12925  1305 pts/0    12956 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 12953 12925  1305 pts/0    12956 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 12954 12925  1305 pts/0    12956 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 12955 12955 12955 ?           -1 Ss       0   0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/


And I can successfully connect over HTTPS to https://mansonthomas.com with no SSL error! (youpi! ;))


If I enable the extranet.oneothersite.com.conf configuration by renaming extranet.oneothersite.com.conf_ to extranet.oneothersite.com.conf
and then stop and start, here is what I get:


root@ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/extranet.othersite.com.conf] [Already running: /etc/stunnel/mansonthomas.com.conf] stunnel.

while it's not running. The previous "service stunnel4 stop" killed all the processes; none were left in memory.

A ps output after restart:

    1 12377 12377 12377 ?           -1 Ss     110   0:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid TERM=screen-bce PATH=/sbin:/usr/sbin:/bin:/usr/bin LANG=en_US.UTF-8 PWD=/
    1 14055 14044  1305 pts/0    14085 S      109   0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 14056 14044  1305 pts/0    14085 S      109   0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 14057 14044  1305 pts/0    14085 S      109   0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 14058 14044  1305 pts/0    14085 S      109   0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 14059 14044  1305 pts/0    14085 S      109   0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 14060 14060 14060 ?           -1 Ss     109   0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
    1 14069 14044  1305 pts/0    14085 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
    1 14070 14044  1305 pts/0    14085 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
    1 14071 14044  1305 pts/0    14085 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
    1 14072 14044  1305 pts/0    14085 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
    1 14073 14044  1305 pts/0    14085 S        0   0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
    1 14074 14074 14074 ?           -1 Ss       0   0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P


I can't see mansonthomas.com, and if I try to reach https://mansonthomas.com it fails.


Here is my current configuration:


root@ns0:/etc/stunnel# cat base.conf
============================================================================
debug = 7


sslVersion = SSLv3
cert=/etc/stunnel/sites/123monsite.com/123monsite.com.crt
key=/etc/stunnel/sites/123monsite.com/123monsite.com.key


; security enhancements for UNIX systems
; for chroot a copy of some devices and files is needed within the jail
;chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid


socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel4/stunnel.log

[https-123monsite.com]
accept=88.190.17.222:443
connect=127.0.0.1:82
root@ns0:/etc/stunnel#
============================================================================


root@ns0:/etc/stunnel# cat mansonthomas.com.conf
============================================================================
[mansonthomas.com]
key           = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.key
cert          = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
accept        = 88.190.217.117:443
connect       = 127.0.0.1:82

sslVersion = SSLv3
TIMEOUTclose  = 0
============================================================================
root@ns0:/etc/stunnel#



root@ns0:/etc/stunnel# cat extranet.othersite.com.conf
============================================================================
[extranet.othersite.com]
key           = /etc/stunnel/sites/extranet.othersite.com/extranet.othersite.com.key
cert          = /etc/stunnel/sites/extranet.othersite.com/extranet.othersite.com.crt
accept        = 88.190.100.100:443
connect       = 127.0.0.1:82

sslVersion = SSLv3
TIMEOUTclose  = 0
============================================================================
root@ns0:/etc/stunnel#



Here is the log file:


root@ns0:/var/log/stunnel4# cat stunnel.log
2012.02.23 13:47:05 LOG5[14241:140531800237856]: Reading configuration from file /etc/stunnel/base.conf
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Snagged 64 random bytes from /dev/urandom
2012.02.23 13:47:05 LOG7[14241:140531800237856]: PRNG seeded successfully
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Using DH parameters from /etc/stunnel/sites/123monsite.com/123monsite.com.crt
2012.02.23 13:47:05 LOG6[14241:140531800237856]: DH initialized with 2048 bit key
2012.02.23 13:47:05 LOG7[14241:140531800237856]: ECDH initialized
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate: /etc/stunnel/sites/123monsite.com/123monsite.com.crt
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate loaded
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Key file: /etc/stunnel/sites/123monsite.com/123monsite.com.key
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Private key loaded
2012.02.23 13:47:05 LOG7[14241:140531800237856]: SSL context initialized for service https-123monsite.com
2012.02.23 13:47:05 LOG5[14241:140531800237856]: Configuration successful
2012.02.23 13:47:05 LOG5[14241:140531800237856]: No limit detected for the number of clients
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=3 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=8 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=9 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=10 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: accept socket: FD=11 allocated (non-blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Option SO_REUSEADDR set on accept socket
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service https-123monsite.com bound to 88.190.17.222:443
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service https-123monsite.com opened FD=11
2012.02.23 13:47:05 LOG7[14247:140531800237856]: Created pid file /var/run/stunnel4/stunnel4.pid
2012.02.23 13:47:05 LOG5[14247:140531800237856]: stunnel 4.35 on x86_64-pc-linux-gnu with OpenSSL 1.0.0e 6 Sep 2011
2012.02.23 13:47:05 LOG5[14247:140531800237856]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
On Thu, Feb 23, 2012 at 11:14, Thomas Manson <dev.mansonthomas@gmail.com> wrote:
root@ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/mansonthomas.com.conf] stunnel.


Yes !

In fact, my config file was missing the private key:

[mansonthomas.com]
cert          = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
accept        = 88.190.217.117:443
connect       = 127.0.0.1:82

TIMEOUTclose  = 0

I've added the key, and now it starts ;)

Thanks for your help!

Regards,
Thomas.

On Thu, Feb 23, 2012 at 09:39, Ludolf Holzheid <lholzheid@bihl-wiedemann.de> wrote:
On Wed, 2012-02-22 23:38:53 +0000, Thomas Manson wrote:
> [..]
>
>  The CRT file is generated by my registrar. If it's in the wrong format,
> how can I convert it?
>
> [..]
>
> Key file: /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
> error queue: 140B0009 : error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM lib
> SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> [..]
>
> root@ns0:/etc/stunnel/sites/mansonthomas.com# cat mansonthomas.com.crt
> -----BEGIN CERTIFICATE-----
> [..]
> -----END CERTIFICATE-----
> -----BEGIN DH PARAMETERS-----
> .....
> -----END DH PARAMETERS-----

Thomas,

If there is no "-----BEGIN RSA PRIVATE KEY-----" in
mansonthomas.com.crt, then there is no key in it.

You should be provided with a file containing the key.

If this is in DER format (*.pfx or *.p12), you'll have to convert it
first:

  openssl pkcs12 -in <der file> -out <pem file>

HTH,

Ludolf

--

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
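A pre-flight check for the failure this thread ran into, added here as an example (it is not code from the thread or from stunnel): it parses stunnel-style config text, applies stunnel's rule that `key` defaults to the `cert` file when unset, and reports every service whose key file holds no private-key PEM block, which is exactly the case of a .crt carrying only CERTIFICATE and DH PARAMETERS. The sample config, file names, temp paths and PEM bodies are constructed placeholders.

```python
import pathlib, re, tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)  # group 1 = block label
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

def pem_labels(path):
    """Set of PEM block labels (CERTIFICATE, RSA PRIVATE KEY, DH PARAMETERS, ...) found in a file."""
    try:
        return {m.group(1) for m in PEM_BLOCK.finditer(pathlib.Path(path).read_text())}
    except (OSError, TypeError):  # unreadable file, or no path configured at all
        return set()

def parse_stunnel_conf(text):
    """Split stunnel config text into global options and an ordered list of (service, options)."""
    global_opts, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if line.startswith("[") and line.endswith("]"):
            current = {}
            services.append((line[1:-1], current))
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            (global_opts if current is None else current)[k] = v
    return global_opts, services

def check_services(text):
    """List services whose cert or key file lacks the PEM block stunnel will look for."""
    global_opts, services = parse_stunnel_conf(text)
    problems = []
    for name, opts in services:
        cert = opts.get("cert", global_opts.get("cert"))
        # stunnel reads the key from the cert file when 'key' is unset: the "no start line" case in the thread
        key = opts.get("key", global_opts.get("key", cert))
        if "CERTIFICATE" not in pem_labels(cert):
            problems.append(f"{name}: cert {cert!r} has no CERTIFICATE block")
        if not KEY_LABELS & pem_labels(key):
            problems.append(f"{name}: key {key!r} has no private key block")
    return problems

def demo():
    """Constructed sample: a .crt holding only CERTIFICATE + DH PARAMETERS blocks, next to a proper key file."""
    d = tempfile.mkdtemp()
    fake = lambda label: f"-----BEGIN {label}-----\nPLACEHOLDER-NOT-A-REAL-OBJECT\n-----END {label}-----\n"
    files = {"site.crt": fake("CERTIFICATE") + fake("DH PARAMETERS"), "site.key": fake("RSA PRIVATE KEY")}
    for fname, body in files.items():
        pathlib.Path(d, fname).write_text(body)
    conf = (f"debug = 7\n[broken]\ncert = {d}/site.crt\naccept = 127.0.0.1:8443\nconnect = 127.0.0.1:82\n"
            f"[ok]\ncert = {d}/site.crt\nkey = {d}/site.key\naccept = 127.0.0.1:8444\nconnect = 127.0.0.1:82\n")
    return check_services(conf)
```

Running `demo()` flags only the `[broken]` service, whose key falls back to the .crt file; the `[ok]` service with an explicit key file passes.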