Hi,
I want to use stunnel to enable ssl on port 995.
Unfortunately, I got "SSL error: Unable to verify the first certificate." when
using the Gmail POP3 retrieval.
My certificate is signed by WoSign and included in the Mozilla
truststore list.
https://www.ssllabs.com/ssltest/analyze.html gives me a grade A for
my Apache configuration, and Chrome and Firefox are also fine with
this certificate. So it's not a self-signed one.
For a test I have configured stunnel to serve https. I then get
the message that the chain is incomplete.
According to
https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm
this could be one reason for this error.
My Apache config looks like this:

    SSLCertificateFile /etc/apache2/ssl/mydomain.crt
    SSLCertificateKeyFile /etc/apache2/ssl//mydomain.key
    SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
    SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem

For stunnel I used:

    cert = /etc/apache2/ssl/mydomain.crt
    key = /etc/apache2/ssl//mydomain.key
    CAfile = /etc/apache2/ssl/1_root_bundle.crt

or ca-certs.pem (I have tried both).
What is a similar configuration in stunnel?
The post
https://www.stunnel.org/pipermail/stunnel-users/2010-February/002594.html
mentioned that the chain must be completely in the crt file.
But a description of how to achieve this is missing and I found no
other resources describing this.
Thanks a lot
Tobias
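
Added example (not part of the original post and not stunnel project code): stunnel's "cert" option reads the whole chain from one PEM file, server certificate first, while "CAfile" is only used to verify peers, so the sketch below joins a leaf certificate and an intermediate bundle into one file. All file names and PEM bodies in it are constructed placeholders.

```shell
#!/bin/sh
# Added example; file names and PEM bodies are constructed placeholders.

# Print the number of certificate blocks in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain LEAF BUNDLE OUT: write LEAF followed by BUNDLE into OUT.
build_chain() {
    leaf=$1; bundle=$2; out=$3
    [ "$(count_certs "$leaf")" = 1 ] || {
        echo "leaf file must hold exactly one certificate" >&2; return 1; }
    [ "$(count_certs "$bundle")" -ge 1 ] 2>/dev/null || {
        echo "bundle holds no certificates" >&2; return 1; }
    # Choice made for this example: the key stays in its own file (key = ...),
    # so the chain file can remain world-readable.
    if grep -q -- 'PRIVATE KEY-----' "$leaf" "$bundle"; then
        echo "private key found in certificate input" >&2; return 1
    fi
    # awk ends every line with a newline and drops CRs, so a leaf file saved
    # without a final newline cannot fuse its END line with the next BEGIN line.
    awk '{ sub(/\r$/, ""); print }' "$leaf" "$bundle" > "$out"
}

# Demo on constructed input: a leaf without trailing newline plus a 2-cert bundle.
demo() {
    d=$(mktemp -d)
    B='-----BEGIN CERTIFICATE-----'; E='-----END CERTIFICATE-----'
    printf '%s\n%s\n%s' "$B" 'TEVBRg==' "$E" > "$d/leaf.crt"
    printf '%s\n' "$B" 'SU5U' "$E" "$B" 'Uk9PVA==' "$E" > "$d/bundle.crt"
    build_chain "$d/leaf.crt" "$d/bundle.crt" "$d/chain.pem" &&
        count_certs "$d/chain.pem"
    rm -rf "$d"
}

demo   # prints 3

# stunnel.conf would then point at the combined file:
#   cert = /path/to/chain.pem
#   key  = /path/to/mydomain.key
```

After restarting stunnel, openssl s_client -connect HOST:995 -showcerts (HOST is a placeholder) lists the certificates the server actually sends.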