I'm having a similar problem trying to set up stunnel. I'm trying to stunnel a ws:// connection to wss://
I'm using a Let's Encrypt certificate that works fine for Apache and for Postfix.
I'm getting this in the logs:
2024.08.06 17:01:17 LOG7[ui]: Service [realms] accepted (FD=3) from 142.112.150.54:63628
2024.08.06 17:01:17 LOG7[0]: Service [realms] started
2024.08.06 17:01:17 LOG7[0]: Setting local socket options (FD=3)
2024.08.06 17:01:17 LOG7[0]: Option TCP_NODELAY set on local socket
2024.08.06 17:01:17 LOG5[0]: Service [realms] accepted connection from 142.112.150.54:63628
2024.08.06 17:01:17 LOG6[0]: Peer certificate not required
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): before/accept initialization
2024.08.06 17:01:17 LOG7[0]: Get session callback
2024.08.06 17:01:17 LOG7[0]: Initializing application specific data for session authenticated
2024.08.06 17:01:17 LOG7[0]: SNI: no virtual services defined
2024.08.06 17:01:17 LOG7[0]: OCSP stapling: Server callback called
2024.08.06 17:01:17 LOG6[0]: OCSP: The root CA certificate was not found
2024.08.06 17:01:17 LOG5[0]: OCSP: Connecting the AIA responder "http://r11.o.lencr.org"
2024.08.06 17:01:17 LOG6[0]: s_connect: connecting 23.223.17.211:80
2024.08.06 17:01:17 LOG7[0]: s_connect: s_poll_wait 23.223.17.211:80: waiting 5 seconds
2024.08.06 17:01:17 LOG7[0]: FD=6 events=0x2001 revents=0x0
2024.08.06 17:01:17 LOG7[0]: FD=10 events=0x2005 revents=0x1
2024.08.06 17:01:17 LOG5[0]: s_connect: connected 23.223.17.211:80
2024.08.06 17:01:17 LOG7[0]: OCSP: Connected r11.o.lencr.org:80
2024.08.06 17:01:17 LOG7[0]: OCSP: Response received
2024.08.06 17:01:17 LOG7[0]: OCSP: Validate the OCSP response
2024.08.06 17:01:17 LOG3[0]: OCSP: OCSP responder error: 6: unauthorized
2024.08.06 17:01:17 LOG6[0]: OCSP: No OCSP stapling response to send
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 read client hello B
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write server hello A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write certificate A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write key exchange A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write certificate request A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 flush data
2024.08.06 17:01:17 LOG7[0]: TLS alert (read): fatal: certificate unknown
2024.08.06 17:01:17 LOG3[0]: SSL_accept: s3_pkt.c:1493: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
2024.08.06 17:01:17 LOG5[0]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.08.06 17:01:17 LOG7[0]: Deallocating application specific data for session connect address
2024.08.06 17:01:17 LOG7[0]: Local descriptor (FD=3) closed
2024.08.06 17:01:17 LOG7[0]: Service [realms] finished (0 left)
This is my current stunnel.conf:
;setuid = nobody
;setgid = nobody

debug = 7
foreground = yes
;output = /var/log/stunnel.log
verify = 0

[realms]
accept = 4043
connect = 4040
TIMEOUTclose=0
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/cacert.pem
;fips=no
;sslVersion = TLSv1.2
sslVersion = all
;options = NO_SSLv2
;options = NO_SSLv3
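Added here as an example, not part of the original post: a Python triage script for stunnel's default debug log format (`timestamp LOG<level>[<connection id>]: message`, as in the output above). It groups entries per connection and pulls out the OCSP problems, the TLS alert read from the peer and the byte counts at close, so a connection where the client rejected the served certificate stands out without reading every LOG7 line. The sample log is constructed from the entries quoted in the post, with the peer replaced by a documentation address.

```python
import re
from collections import defaultdict

# stunnel's default log line: "YYYY.MM.DD HH:MM:SS LOG<level>[<conn id>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\w+)\]: (.*)$")
CLOSED_RE = re.compile(r"Connection reset/closed: (\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")

# Constructed sample based on the entries in the post (peer replaced by a documentation address).
SAMPLE_LOG = """\
2024.08.06 17:01:17 LOG7[ui]: Service [realms] accepted (FD=3) from 192.0.2.10:63628
2024.08.06 17:01:17 LOG5[0]: Service [realms] accepted connection from 192.0.2.10:63628
2024.08.06 17:01:17 LOG6[0]: OCSP: The root CA certificate was not found
2024.08.06 17:01:17 LOG3[0]: OCSP: OCSP responder error: 6: unauthorized
2024.08.06 17:01:17 LOG6[0]: OCSP: No OCSP stapling response to send
2024.08.06 17:01:17 LOG7[0]: TLS alert (read): fatal: certificate unknown
2024.08.06 17:01:17 LOG3[0]: SSL_accept: s3_pkt.c:1493: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
2024.08.06 17:01:17 LOG5[0]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

def parse_entries(text):
    """Yield (level, conn_id, message) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(2)), m.group(3), m.group(4)

def triage(text):
    """Per connection id: peer, OCSP problems, TLS alerts, LOG3-or-worse errors, bytes at close."""
    report = defaultdict(lambda: {"peer": None, "ocsp": [], "alerts": [], "errors": [], "closed": None})
    for level, cid, msg in parse_entries(text):
        entry = report[cid]
        if (m := re.search(r"accepted connection from (\S+)", msg)):
            entry["peer"] = m.group(1)
        # OCSP lines worth keeping: responder errors, a missing issuer/root, or no staple produced.
        if msg.startswith("OCSP:") and (level <= 3 or "not found" in msg or "No OCSP stapling" in msg):
            entry["ocsp"].append(msg)
        if (m := re.match(r"TLS alert \((read|write)\): (.*)", msg)):
            entry["alerts"].append((m.group(1), m.group(2)))  # e.g. ("read", "fatal: certificate unknown")
        if level <= 3:
            entry["errors"].append(msg)
        if (m := CLOSED_RE.search(msg)):
            entry["closed"] = (int(m.group(1)), int(m.group(2)))
    return dict(report)

def handshake_failed(summary):
    """A fatal alert read from the peer and zero bytes in either direction: the client
    aborted the handshake, here because it did not accept the certificate it was sent."""
    got_fatal = any(alert.startswith("fatal") for _direction, alert in summary["alerts"])
    return got_fatal and summary["closed"] == (0, 0)
```

Run `triage(open("/var/log/stunnel.log").read())` over a real debug-level log and check `handshake_failed()` on each entry; the `alerts` and `ocsp` lists then show, per connection, whether the peer rejected the certificate and whether the stapling lookup against the AIA responder succeeded.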