Hi,
I want to set up the following architecture:
stunnel ---> haproxy --> 2 webservers.
I run several virtual hosts on the 2 webservers, and a subset of them needs https.
I can allocate several IP addresses for the host that runs stunnel.
How do I configure a single stunnel process to have a certificate per IP for the https port?
I tried to add several sections like the following:
[mansonthomas.com]
cert = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
accept = 88.190.17.222:443
connect = 127.0.0.1:82
xforwardedfor = yes
TIMEOUTclose = 0
So the question is: is it possible? Do you have a sample configuration file to share for this use case?
Thanks, Thomas.
On Fri, Feb 10, 2012 at 10:09 PM, Thomas Manson <dev.mansonthomas@gmail.com> wrote:
Hi,
I don't know if 'accept' supports an IP, but you can use several ports on the same IP and redirect these ports with iptables to the dedicated IP.
--
Kevin Decherf - M: +33 681194547 - T: @Kdecherf
Accept does take the IP:
accept = address
accept connections on specified address
If no host specified, defaults to all IPv4 addresses for the local host.
To listen on all IPv6 addresses use:
accept = :::port
And having a port different than 443 is not acceptable. (lots of accept words :D)
Thomas.
On Fri, Feb 10, 2012 at 22:17, Kevin Decherf <kevin@kdecherf.com> wrote:
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
On Sat, Feb 11, 2012 at 12:48 AM, Thomas Manson <dev.mansonthomas@gmail.com> wrote:
And having a port different than 443 is not acceptable.
Why ?
On Sat, Feb 11, 2012 at 1:25 AM, Kevin Decherf kevin@kdecherf.com wrote:
On Sat, Feb 11, 2012 at 12:48 AM, Thomas Manson <dev.mansonthomas@gmail.com> wrote:
And having a port different than 443 is not acceptable.
Why ?
Note: You don't have a port different than 443 for the public IP:
x.x.x.x:443 > iptables table nat chain PREROUTING > 127.0.0.1:12345 (stunnel)
y.y.y.y:443 > iptables table nat chain PREROUTING > 127.0.0.1:12346 (stunnel)
Thomas,
Your config looks fine. If it is not working, set debug=7 in stunnel.conf and post your log.
Jose
-----Original Message-----
From: Thomas Manson <dev.mansonthomas@gmail.com>
Sender: stunnel-users-bounces@stunnel.org
Date: Fri, 10 Feb 2012 22:09:38
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Multiple Domains for https
Hello,
Sorry for the delay, so many things to do, and I had trouble getting extra IPs from my ISP.
Now that these things are sorted, I have an issue when I add one more domain.
The CRT file is generated by my registrar. If it's in the wrong format, how can I convert it?
root@ns0:/var/log/stunnel4# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf]
Reading configuration from file /etc/stunnel/mansonthomas.com.conf
Snagged 64 random bytes from /dev/urandom
PRNG seeded successfully
Using DH parameters from /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
DH initialized with 2048 bit key
ECDH initialized
Certificate: /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
Certificate loaded
Key file: /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
error queue: 140B0009 : error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
[Failed: /etc/stunnel/mansonthomas.com.conf]
You should check that you have specified the pid= in you configuration file
The CRT file looks like this:
root@ns0:/etc/stunnel/sites/mansonthomas.com# cat mansonthomas.com.crt
-----BEGIN CERTIFICATE-----
MIIE3zCCA8egCwIBAgIRAJhidFW4DBk0X/aIvC6ZYNUwDQYJKoZIhvcNAQEF
BQAw4TELMAkGA1aEBhMCRlIxEjAQBgNVBAoTCUdBTkR34FNBUzEeMBwGA1UE
AxMVR2FuZGkgU3RhbZRhc1QgU1NMIENBMB4XDTExGTAxNDAwPDAwMFoXDTE
...
DbAzOLhzx0BQKBZHtNzCDD9kwPYg4w4PhVcgTTrLkNdcr3Fh
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
.....
-----END DH PARAMETERS-----
/etc/stunnel/base.conf
====================================
root@ns0:/etc/stunnel# cat base.conf
debug = 7
sslVersion = SSLv3
cert=/etc/stunnel/sites/mysite.com/mysite.com.crt
key=/etc/stunnel/sites/mysite.com/mysite.com.key
; security enhancements for UNIX systems
; for chroot a copy of some devices and files is needed within the jail
;chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log
[https-mysite.com]
accept=88.190.17.222:443
connect=127.0.0.1:82
====================================
root@ns0:/etc/stunnel# cat mansonthomas.com.conf
====================================
[mansonthomas.com]
cert = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
accept = 88.190.217.117:443
connect = 127.0.0.1:82
TIMEOUTclose = 0
====================================
Strangely, there is no file /var/log/stunnel.log, but there is a 0-length file at /var/log/stunnel4/stunnel.log:
root@ns0:/etc/stunnel# ll /var/log/stunnel4/stunnel.log
-rw-r--r-- 1 stunnel4 stunnel4 0 2012-01-17 20:31 /var/log/stunnel4/stunnel.log
Any idea?
Regards, Thomas.
On Sat, Feb 11, 2012 at 13:34, josealf@rocketmail.com wrote:
On Wed, 2012-02-22 23:38:53 +0000, Thomas Manson wrote:
[..]
the CRT file is generated by my registrar. If it's in the wrong format, How can I convert it?
[..]
Key file: /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
error queue: 140B0009 : error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
[..]
root@ns0:/etc/stunnel/sites/mansonthomas.com# cat mansonthomas.com.crt
-----BEGIN CERTIFICATE-----
[..]
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
.....
-----END DH PARAMETERS-----
Thomas,
If there is no "-----BEGIN RSA PRIVATE KEY-----" in mansonthomas.com.crt, then there is no key in it.
You should be provided with a file containing the key.
If this is in DER format (*.pfx or *.p12), you'll have to convert it first:
openssl pkcs12 -in <der file> -out <pem file>
HTH,
Ludolf
root@ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/mansonthomas.com.conf] stunnel.
Yes !
In fact, my config file was missing the private key:
[mansonthomas.com]
cert = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
accept = 88.190.217.117:443
connect = 127.0.0.1:82
TIMEOUTclose = 0
I've added the key, and now it starts ;)
Thanks for your help !
Regards, Thomas.
On Thu, Feb 23, 2012 at 09:39, Ludolf Holzheid <lholzheid@bihl-wiedemann.de> wrote:
--
Ludolf Holzheid              Tel: +49 621 339960
Bihl+Wiedemann GmbH          Fax: +49 621 3392239
Floßwörthstraße 41           e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
I have another issue; it's quite close to fully working.
I have base.conf, mansonthomas.com.conf and extranet.oneothersite.com.conf.
When all 3 config files are activated (i.e. they end with .conf), then I only see:
- base.conf (123monsite.com in the logs)
- extranet.othersite.conf running
- mansonthomas.conf seems to be skipped
A couple of questions (before the detailed config/output etc.):
- Is there something particular to do in the config file to have multiple domains running with stunnel?
- How can I set the debug/pid file on the other domains?
I've tried to put the debug & output config properties inside mansonthomas.com and extranet.othersite.com, but when I start it says it's not allowed here. (I've put them after the [mansonthomas.com] line.)
Find all the details below!
Regards, Thomas.
If I disable extranet.oneothersite.com (move extranet.oneothersite.com.conf to extranet.oneothersite.com.conf_) and start stunnel, I see:
root@ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/mansonthomas.com.conf] stunnel.
ps excerpt:
1 12950 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 12951 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 12952 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 12953 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 12954 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 12955 12955 12955 ? -1 Ss 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
And I can successfully connect with HTTPS on https://mansonthomas.com with no SSL error! (youpi! ;))
If I enable the extranet.oneothersite.com.conf configuration by renaming extranet.oneothersite.com.conf_ to extranet.oneothersite.com.conf
and I stop and start, here is what I get:
root@ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/extranet.othersite.com.conf] [Already running: /etc/stunnel/mansonthomas.com.conf] stunnel.
while it's not running. The previous service stunnel4 stop killed all the processes; none were left in memory.
A ps output after restart:
1 12377 12377 12377 ? -1 Ss 110 0:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid TERM=screen-bce PATH=/sbin:/usr/sbin:/bin:/usr/bin LANG=en_US.UTF-8 PWD=/
1 14055 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 14056 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 14057 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 14058 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 14059 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 14060 14060 14060 ? -1 Ss 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/
1 14069 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
1 14070 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
1 14071 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
1 14072 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
1 14073 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
1 14074 14074 14074 ? -1 Ss 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P
I can't see mansonthomas.com, and if I try to reach https://mansonthomas.com it fails.
Here is my current configuration:
root@ns0:/etc/stunnel# cat base.conf
============================================================================
debug = 7
sslVersion = SSLv3
cert=/etc/stunnel/sites/123monsite.com/123monsite.com.crt
key=/etc/stunnel/sites/123monsite.com/123monsite.com.key
; security enhancements for UNIX systems
; for chroot a copy of some devices and files is needed within the jail
;chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel4/stunnel.log
[https-123monsite.com]
accept=88.190.17.222:443
connect=127.0.0.1:82
root@ns0:/etc/stunnel#
============================================================================
root@ns0:/etc/stunnel# cat mansonthomas.com.conf
============================================================================
[mansonthomas.com]
key = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.key
cert = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
accept = 88.190.217.117:443
connect = 127.0.0.1:82
sslVersion = SSLv3
TIMEOUTclose = 0
============================================================================
root@ns0:/etc/stunnel#
root@ns0:/etc/stunnel# cat extranet.othersite.com.conf
============================================================================
[extranet.othersite.com]
key = /etc/stunnel/sites/extranet.othersite.com/extranet.othersite.com.key
cert = /etc/stunnel/sites/extranet.othersite.com/extranet.othersite.com.crt
accept = 88.190.100.100:443
connect = 127.0.0.1:82
sslVersion = SSLv3
TIMEOUTclose = 0
============================================================================
root@ns0:/etc/stunnel#
Here is the log file:
root@ns0:/var/log/stunnel4# cat stunnel.log
2012.02.23 13:47:05 LOG5[14241:140531800237856]: Reading configuration from file /etc/stunnel/base.conf
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Snagged 64 random bytes from /dev/urandom
2012.02.23 13:47:05 LOG7[14241:140531800237856]: PRNG seeded successfully
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Using DH parameters from /etc/stunnel/sites/123monsite.com/123monsite.com.crt
2012.02.23 13:47:05 LOG6[14241:140531800237856]: DH initialized with 2048 bit key
2012.02.23 13:47:05 LOG7[14241:140531800237856]: ECDH initialized
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate: /etc/stunnel/sites/123monsite.com/123monsite.com.crt
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate loaded
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Key file: /etc/stunnel/sites/123monsite.com/123monsite.com.key
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Private key loaded
2012.02.23 13:47:05 LOG7[14241:140531800237856]: SSL context initialized for service https-123monsite.com
2012.02.23 13:47:05 LOG5[14241:140531800237856]: Configuration successful
2012.02.23 13:47:05 LOG5[14241:140531800237856]: No limit detected for the number of clients
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=3 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=8 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=9 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=10 allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: accept socket: FD=11 allocated (non-blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Option SO_REUSEADDR set on accept socket
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service https-123monsite.com bound to 88.190.17.222:443
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service https-123monsite.com opened FD=11
2012.02.23 13:47:05 LOG7[14247:140531800237856]: Created pid file /var/run/stunnel4/stunnel4.pid
2012.02.23 13:47:05 LOG5[14247:140531800237856]: stunnel 4.35 on x86_64-pc-linux-gnu with OpenSSL 1.0.0e 6 Sep 2011
2012.02.23 13:47:05 LOG5[14247:140531800237856]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
On Thu, Feb 23, 2012 at 11:14, Thomas Manson <dev.mansonthomas@gmail.com> wrote:
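A pre-flight checker for the two failure modes this thread runs into: Ludolf's diagnosis (a cert file with no private key, which stunnel then tries to use as the key file and fails on with "no start line"), and the "not allowed here" error from putting debug/output inside a service section. This is an added example, not code from the thread or from the stunnel project; the sample config, file paths, addresses and PEM contents are constructed, and the set of global-only options is an assumed subset of stunnel 4.x's.

```python
"""stunnel 4.x config pre-flight checks (added example, not code from the thread).
Catches the thread's two failures: a cert file with no private key (stunnel uses
'cert' as the key file when 'key' is absent, giving 'PEM_read_bio:no start line'),
and a global-only option such as debug placed after a [service] header."""
import re
from typing import Dict, List, Optional
# Subset of stunnel 4.x global-only options (assumption: not the exhaustive list).
GLOBAL_ONLY = {"debug", "output", "pid", "setuid", "setgid", "chroot", "foreground"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def has_private_key(pem_text: str) -> bool:
    """True if the file holds a 'RSA PRIVATE KEY', 'EC PRIVATE KEY' or 'PRIVATE KEY' block."""
    return any(label.endswith("PRIVATE KEY") for label in PEM_BLOCK.findall(pem_text))

def parse_conf(text: str) -> Dict[Optional[str], Dict[str, str]]:
    """Parse stunnel's INI-like syntax; key None holds the part before the first section."""
    sections: Dict[Optional[str], Dict[str, str]] = {None: {}}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_conf(text: str, files: Dict[str, str]) -> List[str]:
    """Return findings; 'files' maps a path to the PEM text stored there."""
    findings: List[str] = []
    sections = parse_conf(text)
    defaults = sections[None]  # service options before the first section act as defaults
    for name, opts in sections.items():
        if name is None:
            continue
        for key in opts:
            if key in GLOBAL_ONLY:
                findings.append(f"[{name}]: '{key}' is global-only, move it above the first section")
        cert = opts.get("cert", defaults.get("cert"))
        keyfile = opts.get("key", defaults.get("key", cert))  # stunnel: key defaults to cert
        if keyfile not in files:
            findings.append(f"[{name}]: key file {keyfile} not found")
        elif not has_private_key(files[keyfile]):
            findings.append(f"[{name}]: {keyfile} has no PRIVATE KEY block (expect 'no start line')")
    return findings
# Constructed sample inputs: paths and addresses are placeholders, PEM bodies are elided.
SAMPLE_FILES = {
    "/etc/stunnel/sites/a.example/a.example.crt": "-----BEGIN CERTIFICATE-----\n...\n"
        "-----END CERTIFICATE-----\n-----BEGIN DH PARAMETERS-----\n...\n-----END DH PARAMETERS-----\n",
    "/etc/stunnel/sites/b.example/b.example.crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "/etc/stunnel/sites/b.example/b.example.key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
}
SAMPLE_CONF = """\
debug = 7
[a.example]
cert = /etc/stunnel/sites/a.example/a.example.crt
accept = 192.0.2.10:443
debug = 7   ; global-only option inside a service section
[b.example]
cert = /etc/stunnel/sites/b.example/b.example.crt
key = /etc/stunnel/sites/b.example/b.example.key
accept = 192.0.2.11:443
"""
```

Running `check_conf(SAMPLE_CONF, SAMPLE_FILES)` reports two findings for [a.example] (the misplaced debug and the cert file without a key) and none for [b.example], which has a separate key file.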