Greetings;
Stunnel 4.56 running under Win 7 SP1 x86.
Recently, the owners of a server I regularly connect to updated their server certificate; the former had expired at the end of May.
As soon as that event occurred, I deleted the old certificate, then used the "save peer certificate" function of Stunnel to get the updated one.
However, the new certificate fails to verify, even with the verify = 4 option in Stunnel. The error message is similar to what I used to get when doing a verify = 3 with some certificates. The general error output of Stunnel is:
CERT: Verification error: unable to get local issuer certificate 2013.06.09 16:37:46 LOG4[608:2336]: Certificate check failed: depth=0
When I open the new certificate with:
openssl x509 -text -in certname.pem
and view the certificate details, I'm not seeing anything obvious. The certificate is within a valid date range, and contains the same basic elements as other certs I've viewed. The certificate appears to have been issued by Startcom LLC.
If I comment out the verify statement, I'm able to successfully negotiate an SSL connection with the server.
I realize that this may be more of an openssl issue than an issue with Stunnel. Nevertheless, I thought I'd start here and throw it out to the floor for comments.
Anyone have any ideas or have run into this issue?
Regards,
Thomas
On 2013-06-10 00:06, Thomas Eifert wrote:
As soon as that event occurred, I deleted the old certificate, then used the "save peer certificate" function of Stunnel to get the updated one.
Did you update your configuration file to use the new certificate (CAfile option)?
CERT: Verification error: unable to get local issuer certificate 2013.06.09 16:37:46 LOG4[608:2336]: Certificate check failed: depth=0
This is what your error suggests...
Anyone have any ideas or have run into this issue?
It would be much easier to help you if you included your configuration file and a larger sample of logs.
Best regards, Michal Trojnara
Nailed it. I appended the saved peer certificate with the certificate of the CA. Why Stunnel needs it with verify = 4 is unknown.
Thomas
On 6/12/2013 12:27 PM, Michal Trojnara wrote:
On 2013-06-10 00:06, Thomas Eifert wrote:
As soon as that event occurred, I deleted the old certificate, then used the "save peer certificate" function of Stunnel to get the updated one.
Did you update your configuration file to use the new certificate (CAfile option)?
CERT: Verification error: unable to get local issuer certificate 2013.06.09 16:37:46 LOG4[608:2336]: Certificate check failed: depth=0
This is what your error suggests...
Anyone have any ideas or have run into this issue?
It would be much easier to help you if you included your configuration file and a larger sample of logs.
Best regards, Michal Trojnara
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-
Michal Trojnara -
Thomas Eifert