[stunnel-users] Cert Chain Question
Craig Kelley
ink at inconnu.islug.org
Wed Feb 17 18:28:03 CET 2010
I've been attempting to include an intermediate chain for my stunnel
setup. First, I previously used an Entrust-signed certificate with
stunnel just fine, but now I've purchased one from GoDaddy ($190 for 3
certs for 5 years!). The only problem is that the server has multiple
certificates to install. Under Apache, I solved it with this:

    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt

Which works just fine. With stunnel I attempted this configuration:

    cert = /etc/stunnel/server.crt
    key = /etc/stunnel/server.key
    CAfile = /etc/stunnel/godaddy.crt

All those files are identical to the Apache configuration. Stunnel
starts up, but clients loudly complain that the certificate is not valid.
If I examine the certificate in Thunderbird (I use stunnel for IMAPS and
POP3S), it correctly identifies the cert as being from GoDaddy and that it
will expire in 2015. But for some reason, the chain to its root server is
broken.

What am I doing wrong?
--
Craig Kelley
http://inconnu.islug.org/~ink finger same server for PGP block
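
The stunnel manual describes `cert` as a certificate chain file (server certificate first, then the CA certificates) and `CAfile` as the CA list used with `verify` to check peers. The check below is an added example, not part of the original post or of stunnel: it counts the PEM certificates in the file that `cert` points to; the PEM bodies, temporary paths and the `chain.pem` name are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def parse_stunnel_conf(text):
    """Parse 'option = value' lines; options before any [service] land in 'global'."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()  # option names: any case
    return sections

def count_certs(path):
    """Number of PEM certificate blocks in a file."""
    return len(PEM_CERT.findall(Path(path).read_text()))

def lint_chain(conf_text):
    """Flag sections whose 'cert' file holds fewer than two certificates."""
    sections = parse_stunnel_conf(conf_text)
    findings = []
    for name, own in sections.items():
        opts = {**sections["global"], **own}      # service options override globals
        n = count_certs(opts["cert"]) if "cert" in opts else None
        if n is not None and n < 2:
            msg = f"[{name}] cert file has {n} certificate(s): no intermediates in the chain file"
            if "cafile" in opts and "verify" not in opts:
                msg += "; CAfile is set without verify (it is documented for checking peers)"
            findings.append(msg)
    return findings

def demo():
    """Constructed sample; chain.pem is the server certificate followed by the CA bundle."""
    d = Path(tempfile.mkdtemp())
    pem = lambda tag: f"-----BEGIN CERTIFICATE-----\n{tag}\n-----END CERTIFICATE-----\n"
    (d / "server.crt").write_text(pem("SERVER"))
    (d / "godaddy.crt").write_text(pem("INTERMEDIATE") + pem("ROOT"))
    (d / "chain.pem").write_text((d / "server.crt").read_text() + (d / "godaddy.crt").read_text())
    weak = f"cert = {d}/server.crt\nkey = {d}/server.key\nCAfile = {d}/godaddy.crt\n"
    fixed = f"cert = {d}/chain.pem\nkey = {d}/server.key\n"
    return lint_chain(weak), lint_chain(fixed)
```

`demo()` returns one finding for the configuration in the message and none for the concatenated chain file.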