I've been attempting to include an intermediate chain for my stunnel setup. First, I previously used an entrust-signed certificate with stunnel just fine, but now I've purchased one from godaddy ($190 for 3 certs for 5 years!). The only problem is that the server has multiple certificates to install. Under Apache, I solved it with this:
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt
Which works just fine. With stunnel I attempted this configuration:
cert = /etc/stunnel/server.crt
key = /etc/stunnel/server.key
CAfile = /etc/stunnel/godaddy.crt
All those files are identical to the Apache configuration. Stunnel starts up, but clients loudly complain that the certificate is not valid. If I examine the certificate in Thunderbird (I use stunnel for IMAPS and POP3S), it correctly identifies the cert as being from GoDaddy and that it will expire in 2015. But for some reason, the chain to its root server is broken.
What am I doing wrong?
-- 
Craig Kelley
http://inconnu.islug.org/~ink
finger same server for PGP block
Hi Craig,
On Wed, Feb 17, 2010 at 10:28:03AM -0700, Craig Kelley wrote:
> I've been attempting to include an intermediate chain for my stunnel setup. First, I previously used an entrust-signed certificate with stunnel just fine, but now I've purchased one from godaddy ($190 for 3 certs for 5 years!). The only problem is that the server has multiple certificates to install. Under Apache, I solved it with this:
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt
> Which works just fine. With stunnel I attempted this configuration:
> cert = /etc/stunnel/server.crt
> key = /etc/stunnel/server.key
> CAfile = /etc/stunnel/godaddy.crt
> All those files are identical to the Apache configuration. Stunnel starts up, but clients loudly complain that the certificate is not valid. If I examine the certificate in Thunderbird (I use stunnel for IMAPS and POP3S), it correctly identifies the cert as being from GoDaddy and that it will expire in 2015. But for some reason, the chain to its root server is broken.
> What am I doing wrong?
The way it works in stunnel is that your godaddy.crt should contain the certificate chain up to the self-signed root CA.
Regards,
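To see why a server certificate handed out without its intermediates fails and why a bundle that reaches the self-signed root fixes it, here is an added shell example (not code from the thread or from stunnel) that builds a throwaway root -> intermediate -> server PKI with openssl and checks both cases with openssl verify. It assumes openssl is on PATH; the names Test-Root, Test-Int and mail.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway root -> intermediate
# -> server PKI with openssl, then show that the server cert verifies only when
# the chain up to the self-signed root is supplied, as the reply describes.
# All names (Test-Root, Test-Int, mail.example.test) are constructed for the demo.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
# EC keys keep generation fast; -nodes leaves the private key unencrypted.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# 1. Self-signed root CA, the trust anchor a mail client such as Thunderbird holds.
openssl req -x509 -config ca.cnf $KEYOPTS -days 2 -subj "/CN=Test-Root" \
    -keyout root.key -out root.crt 2>/dev/null
# 2. Intermediate CA signed by the root (needs CA:TRUE itself, hence ca_ext).
openssl req -new -config ca.cnf $KEYOPTS -subj "/CN=Test-Int" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.cnf -extensions ca_ext -out int.crt 2>/dev/null
# 3. Server (leaf) certificate signed by the intermediate, like server.crt above.
openssl req -new -config ca.cnf $KEYOPTS -subj "/CN=mail.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 \
    -out server.crt 2>/dev/null
# 4. The bundle the reply calls for: intermediate(s) first, ending at the root.
cat int.crt root.crt > chain.crt

# Does server.crt chain to a self-signed root using only the certs in bundle $1?
# An intermediate alone is not enough: OpenSSL rejects partial chains by default.
verifies_with() {
    openssl verify -CAfile "$1" server.crt >/dev/null 2>&1
}
# Models a client that trusts only root.crt while the server offers $1 as extra,
# untrusted certificates in the handshake.
client_accepts() {
    openssl verify -CAfile root.crt -untrusted "$1" server.crt >/dev/null 2>&1
}

verifies_with int.crt   || echo "intermediate alone: rejected (no path to a root)"
verifies_with chain.crt && echo "intermediate + root bundle: OK"
```

The first check reproduces the symptom from the question (a chain that never reaches the root), the second the working state after the bundle is completed.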
On Thu, 18 Feb 2010, Jeremie Le Hen wrote:
> The way it works in stunnel is that your godaddy.crt should contain the certificate chain up to the self-signed root CA.
Thanks; that works perfectly.
-- 
Craig Kelley
http://inconnu.islug.org/~ink
finger same server for PGP block