Hi, I want to use stunnel to enable SSL on port 995. Unfortunately, I got "SSL error: Unable to verify the first certificate." when using the Gmail POP3 retrieval. My certificate is signed by WoSign and included in the Mozilla truststore list. https://www.ssllabs.com/ssltest/analyze.html gives me a grade A for my Apache configuration, and Chrome and Firefox are also fine with this certificate. So it's not a self-signed one.
For a test I have configured stunnel to serve HTTPS. I then get the message that the chain is incomplete. According to https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm this could be one reason for this error.
My Apache config looks like this:

SSLCertificateFile /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl//mydomain.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem

For stunnel I used:

cert = /etc/apache2/ssl/mydomain.crt
key = /etc/apache2/ssl//mydomain.key
CAfile = /etc/apache2/ssl/1_root_bundle.crt or ca-certs.pem (I have tried both).
What is a similar configuration in stunnel?
The post https://www.stunnel.org/pipermail/stunnel-users/2010-February/002594.html mentioned that the chain must be completely in the crt file. But a description of how to achieve this is missing, and I found no other resources describing this.
Thanks a lot,
Tobias
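
An added example, not part of the original post: one way to put the complete chain into the file that stunnel's `cert` option points at, with the server certificate first and the intermediates after it. The function names and the output path are hypothetical, and it assumes 1_root_bundle.crt holds the intermediate certificates in PEM format.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# output path /etc/stunnel/mydomain-chain.pem are hypothetical.

# build_chain OUT LEAF INTERMEDIATE...
# Writes the server (leaf) certificate first, then each intermediate,
# into OUT. stunnel sends the certificates in the order they appear.
build_chain() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "no PEM certificate in $f" >&2; return 1; }
        # Drop CRs and force a trailing newline, so the END marker of one
        # file and the BEGIN marker of the next never share a line
        # (a common cause of a chain file that fails to parse).
        tr -d '\r' < "$f" | awk '{ print }' >> "$out"
    done
}

# count_certs FILE: number of certificates in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_chain ROOTS CHAINFILE
# Verifies the first certificate in CHAINFILE against the trusted ROOTS,
# using the rest of CHAINFILE as untrusted intermediates.
check_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

# Usage with the paths from the post (run as root):
#   build_chain /etc/stunnel/mydomain-chain.pem \
#       /etc/apache2/ssl/mydomain.crt /etc/apache2/ssl/1_root_bundle.crt
#   count_certs /etc/stunnel/mydomain-chain.pem     # expect 2 or more
#   check_chain /etc/apache2/ssl/ca-certs.pem /etc/stunnel/mydomain-chain.pem
#
# stunnel.conf then references the combined file:
#   cert = /etc/stunnel/mydomain-chain.pem
#   key  = /etc/apache2/ssl/mydomain.key
```

In this setup `CAfile` is not what supplies the chain to clients; stunnel uses it for verifying peer certificates, so the intermediates have to be in the `cert` file itself.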