I've been attempting to include an intermediate chain for my stunnel setup. First, I previously used an Entrust-signed certificate with stunnel just fine, but now I've purchased one from GoDaddy ($190 for 3 certs for 5 years!). The only problem is that the server has multiple certificates to install. Under Apache, I solved it with this:

  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt
Which works just fine. With stunnel I attempted this configuration:
  cert = /etc/stunnel/server.crt
  key = /etc/stunnel/server.key
  CAfile = /etc/stunnel/godaddy.crt
All those files are identical to the Apache configuration. Stunnel starts up, but clients loudly complain that the certificate is not valid. If I examine the certificate in Thunderbird (I use stunnel for IMAPS and POP3S), it correctly identifies the cert as being from GoDaddy and that it will expire in 2015. But for some reason, the chain to its root server is broken.
What am I doing wrong?
-- Craig Kelley http://inconnu.islug.org/~ink finger same server for PGP block
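As an added example (not code from the post or from stunnel), the shell script below builds the combined PEM that stunnel's cert option reads, with the server certificate followed by the intermediate, and uses openssl to verify it the way a client that trusts only the root would; stunnel's CAfile is for verifying peer certificates and does not change what the server sends. It generates a throwaway root, intermediate and server certificate as a stand-in for the GoDaddy files; every path and name in it is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): build the single PEM file that
# stunnel's "cert" option reads, server certificate first, then intermediate,
# and verify the chain offline with openssl before deploying. The PKI below is
# generated locally as a stand-in for the GoDaddy files; all paths are assumed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Constructed three-tier PKI: root -> intermediate -> server (leaf).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Leaf first, then intermediate(s): stunnel sends every cert in this one file.
build_chain() {   # build_chain <leaf> <intermediate> <output>
  cat "$1" "$2" > "$3"
}

# Number of PEM certificates in a file; a chain file must hold more than one.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Verify with only the root trusted, as a mail client does. openssl reads just
# the first cert of <leaf>, so pass the bundle (or the chain file itself) as $3.
chain_ok() {   # chain_ok <leaf-or-chain-file> <root> [intermediate-bundle]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}
if [ "${1:-}" = "demo" ]; then
  make_test_pki
  build_chain "$WORK/server.crt" "$WORK/intermediate.crt" "$WORK/chain.pem"
  chain_ok "$WORK/server.crt" "$WORK/root.crt" || echo "leaf alone: chain broken"
  chain_ok "$WORK/chain.pem" "$WORK/root.crt" "$WORK/chain.pem" && echo "chain.pem: ok"
fi
```

Running it with the argument demo reproduces the complaint: the leaf alone fails to verify against the root, while the concatenated chain.pem verifies, which is the file to point stunnel's cert option at.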