I'm running stunnel 4.14 on Darwin 7.0.0 (Mac OS X Server 10.4.11), with OpenSSL 0.9.71.
I purchased a security certificate from comodo, and was able to get it installed and working (mostly) with stunnel, but when I browse to the website, I get an error that the browser can't verify the identity of the site, due to a problem w/the security cert.
I called comodo, and they said the error is caused by stunnel not seeing the intermediate certificate files that they told me need to be installed in order for their certificate to work. These files were:
ComodoUTNServerCA.crt
UTNAddTrustServerCA.crt
AddTrustExternalCARoot.crt
EssentialSSLCA.crt
my_server_net.crt
I modified stunnel.conf, and included this line:
CApath = ca-certs/ (<- dir path, relative to chroot, containing above files)
But the error persists. Can anyone tell me if what comodo support is telling me is even correct? I've verified that my .key and .crt files match by running:
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
And the output of both matches. Not sure what to try next.
Any help much appreciated!
Thanks in advance...
On Tue, 2008-03-11 22:46:31 -0700, sf.techguy@gmail.com wrote:
[..] These files were:
ComodoUTNServerCA.crt [..]
I modified stunnel.conf, and included this line:
CApath = ca-certs/ (<- dir path, relative to chroot, containing above files)
But the error persists.
Hi anonymous questioner,
As far as I remember, the certificates have to be in PEM format in order to be used by stunnel. (The '.crt' extension makes me suppose they are in DER format.) You may use openssl to convert from DER to PEM:
openssl x509 -inform DER -in filename.crt -outform PEM -out filename.pem
Moreover, the files containing the certificates need to have special file names. The 'c_rehash' utility takes care of that.
HTH,
Ludolf
Approximately 2008-03-11 22:46 -0700, sf.techguy@gmail.com cajoled:
I purchased a security certificate from comodo, and was able to get it installed and working (mostly) with stunnel, but when I browse to the website, I get an error that the browser can't verify the identity of the site, due to a problem w/the security cert.
I called comodo, and they said the error is caused by stunnel not seeing the intermediate certificate files that they told me need to be installed in order for their certificate to work. These files were:
ComodoUTNServerCA.crt
UTNAddTrustServerCA.crt
AddTrustExternalCARoot.crt
EssentialSSLCA.crt
my_server_net.crt
I modified stunnel.conf, and included this line:
CApath = ca-certs/ (<- dir path, relative to chroot, containing above files)
CAPath is for verifying the certs of others - this is not the configuration directive you're looking for.
Concatenate the pems for both your server's key, cert, and all intermediate certs - use that as your stunnel.pem (or whatever you have named it.) This way when your stunnel server sends the client (browser) its cert, it sends both the cert and those other entities in the chain, and the browser should have the full picture of the chain of trust.
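The bundling step described in the reply above, as an added example that is not part of the thread and not stunnel's own code: it assembles a stunnel.pem from the key, the server certificate and the intermediates, converts any DER-encoded .crt file to PEM on the way (the point raised in the earlier reply), leaves the root out, and then runs the structural and, on real files, the openssl checks a practitioner would want (the key/modulus comparison from the original post plus a chain verification). The file names are the ones from the original post; the PEM bodies are constructed placeholders so the script runs offline, and the order of the three Comodo intermediates used here is an assumption for illustration that must be confirmed against the real files' subject/issuer fields.

```shell
#!/bin/sh
# Added example, not code from the thread or from stunnel.
# Bundle order: server private key, server certificate, then the intermediates
# starting with the one that issued the server cert and moving upward.  The
# root (AddTrustExternalCARoot) is left out: the browser must already trust it
# from its own store.  The intermediate ORDER below is an assumption for
# illustration; confirm it on real files with
#   openssl x509 -noout -subject -issuer -in FILE
# (each certificate's issuer must equal the next certificate's subject).
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# mkpem FILE TYPE BODY: write a one-line placeholder PEM block (constructed
# stand-ins so the script runs offline; replace with the real files).
mkpem() {
    printf -- '-----BEGIN %s-----\n%s\n-----END %s-----\n' "$2" "$3" "$2" > "$1"
}
mkpem server.key                 'RSA PRIVATE KEY' 'placeholder-key'
mkpem my_server_net.crt          'CERTIFICATE'     'placeholder-leaf'
mkpem EssentialSSLCA.crt         'CERTIFICATE'     'placeholder-essentialssl'
mkpem ComodoUTNServerCA.crt      'CERTIFICATE'     'placeholder-comodoutn'
mkpem UTNAddTrustServerCA.crt    'CERTIFICATE'     'placeholder-utnaddtrust'
mkpem AddTrustExternalCARoot.crt 'CERTIFICATE'     'placeholder-root'

# to_pem FILE: print FILE as PEM.  Vendor .crt files are sometimes DER
# (binary); those are converted with openssl, PEM files pass through unchanged.
to_pem() {
    case "$(head -n 1 "$1")" in
        -----BEGIN*) cat "$1" ;;
        *)           openssl x509 -inform DER -in "$1" -outform PEM ;;
    esac
}

# build_bundle OUT KEY LEAF_CERT INTERMEDIATE...: concatenate in the order
# given, making sure every block ends with a newline so an "-----END" line and
# the next "-----BEGIN" line are never glued together (downloaded .crt files
# often lack a trailing newline, and a plain cat then produces a bundle that
# fails to load).
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        to_pem "$f" >> "$out"
        if [ "$(tail -c 1 "$out" | wc -l | tr -d ' ')" -eq 0 ]; then
            echo >> "$out"
        fi
    done
    chmod 600 "$out"   # the bundle contains the private key
}

# Structural checks on the result.
pem_block_count() { grep -c '^-----BEGIN ' "$1"; }
pem_block_types() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ';'; }

# Cryptographic checks, meaningful only on real files: the key must match the
# leaf cert (the modulus comparison from the original post) and the leaf must
# verify through the bundled intermediates up to the root.
verify_real_files() {
    openssl x509 -noout -modulus -in my_server_net.crt | openssl md5 > leaf.md5
    openssl rsa  -noout -modulus -in server.key        | openssl md5 > key.md5
    cmp -s leaf.md5 key.md5 || { echo "key/cert mismatch" >&2; return 1; }
    openssl verify -CAfile AddTrustExternalCARoot.crt -untrusted stunnel.pem my_server_net.crt
}

build_bundle stunnel.pem server.key my_server_net.crt \
    EssentialSSLCA.crt ComodoUTNServerCA.crt UTNAddTrustServerCA.crt

echo "bundle: $WORK/stunnel.pem"
echo "blocks: $(pem_block_count stunnel.pem)  order: $(pem_block_types stunnel.pem)"
if command -v openssl >/dev/null 2>&1 && openssl x509 -noout -in my_server_net.crt 2>/dev/null; then
    verify_real_files
else
    echo "placeholder certificates: skipping openssl verification"
fi
```

Point stunnel's `cert =` directive at the resulting stunnel.pem; the `CApath` directive from the original post is not needed for this purpose. After restarting stunnel, `openssl s_client -connect host:port -showcerts` lists every certificate the server actually sends, which is the quickest way to confirm the intermediates are now part of the handshake.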