[stunnel-users] Multiple Domains for https
Thomas Manson
dev.mansonthomas at gmail.com
Thu Feb 23 13:59:13 CET 2012
I have another issue; it's quite close to fully working.
I have base.conf, mansonthomas.com.conf and
extranet.oneothersite.com.conf.
When all 3 config files are activated (i.e. end with .conf), I only see:
- base.conf (123monsite.com in the logs)
- extranet.othersite.conf running,
- mansonthomas.conf seems to be skipped
A couple of questions (before the detailed config/output, etc.):
- Is there something particular to do in the config file to have
multiple domains running with stunnel?
- How can I set the debug/pid file on the other domains?
I've tried to put the debug & output config properties inside
mansonthomas.com and extranet.othersite.com, but when I start it says
it's not allowed here. (I've put them after the [mansonthomas.com] line.)
Find all the details below!
Regards,
Thomas.
If I disable extranet.oneothersite.com (move
extranet.oneothersite.com.conf to extranet.oneothersite.com.conf_)
and start stunnel, I see:
root at ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started:
/etc/stunnel/mansonthomas.com.conf] stunnel.
ps excerpt:
1 12950 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/mansonthomas.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 12951 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/mansonthomas.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 12952 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/mansonthomas.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 12953 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/mansonthomas.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 12954 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/mansonthomas.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 12955 12955 12955 ? -1 Ss 0 0:00 /usr/bin/stunnel4
/etc/stunnel/mansonthomas.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
And I can successfully connect with HTTPS to https://mansonthomas.com with
no SSL error! (youpi! ;))
If I enable the extranet.oneothersite.com.conf configuration by renaming
extranet.oneothersite.com.conf_ to extranet.oneothersite.com.conf
and stop and start, here is what I get:
root at ns0:/etc/stunnel# service stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started:
/etc/stunnel/extranet.othersite.com.conf] [Already running:
/etc/stunnel/mansonthomas.com.conf] stunnel.
while it's not running. The previous "service stunnel4 stop" killed all the
processes; none were left in memory.
A ps output after restart:
1 12377 12377 12377 ? -1 Ss 110 0:00 /usr/sbin/haproxy
-f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid TERM=screen-bce
PATH=/sbin:/usr/sbin:/bin:/usr/bin LANG=en_US.UTF-8 PWD=/
1 14055 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4
/etc/stunnel/base.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 14056 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4
/etc/stunnel/base.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 14057 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4
/etc/stunnel/base.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 14058 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4
/etc/stunnel/base.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 14059 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4
/etc/stunnel/base.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 14060 14060 14060 ? -1 Ss 109 0:00 /usr/bin/stunnel4
/etc/stunnel/base.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 PWD=/
1 14069 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/extranet.othersite.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 P
1 14070 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/extranet.othersite.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 P
1 14071 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/extranet.othersite.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 P
1 14072 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/extranet.othersite.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 P
1 14073 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4
/etc/stunnel/extranet.othersite.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 P
1 14074 14074 14074 ? -1 Ss 0 0:00 /usr/bin/stunnel4
/etc/stunnel/extranet.othersite.com.conf TERM=screen-bce
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_US.UTF-8 P
I can't see mansonthomas.com,
and if I try to reach https://mansonthomas.com it fails.
Here is my current configuration:
root at ns0:/etc/stunnel# cat base.conf
============================================================================
debug = 7
sslVersion = SSLv3
cert=/etc/stunnel/sites/123monsite.com/123monsite.com.crt
key=/etc/stunnel/sites/123monsite.com/123monsite.com.key
; security enhancements for UNIX systems
; for chroot a copy of some devices and files is needed within the jail
;chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel4/stunnel.log
[https-123monsite.com]
accept=88.190.17.222:443
connect=127.0.0.1:82
root at ns0:/etc/stunnel#
============================================================================
root at ns0:/etc/stunnel# cat mansonthomas.com.conf
============================================================================
[mansonthomas.com]
key = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.key
cert = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
accept = 88.190.217.117:443
connect = 127.0.0.1:82
sslVersion = SSLv3
TIMEOUTclose = 0
============================================================================
root at ns0:/etc/stunnel#
root at ns0:/etc/stunnel# cat extranet.othersite.com.conf
============================================================================
[extranet.othersite.com]
key = /etc/stunnel/sites/extranet.othersite.com/extranet.othersite.com.key
cert = /etc/stunnel/sites/extranet.othersite.com/extranet.othersite.com.crt
accept = 88.190.100.100:443
connect = 127.0.0.1:82
sslVersion = SSLv3
TIMEOUTclose = 0
============================================================================
root at ns0:/etc/stunnel#
Here is the log file:
root at ns0:/var/log/stunnel4# cat stunnel.log
2012.02.23 13:47:05 LOG5[14241:140531800237856]: Reading configuration from
file /etc/stunnel/base.conf
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Snagged 64 random bytes
from /dev/urandom
2012.02.23 13:47:05 LOG7[14241:140531800237856]: PRNG seeded successfully
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Using DH parameters from
/etc/stunnel/sites/123monsite.com/123monsite.com.crt
2012.02.23 13:47:05 LOG6[14241:140531800237856]: DH initialized with 2048
bit key
2012.02.23 13:47:05 LOG7[14241:140531800237856]: ECDH initialized
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate:
/etc/stunnel/sites/123monsite.com/123monsite.com.crt
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate loaded
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Key file:
/etc/stunnel/sites/123monsite.com/123monsite.com.key
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Private key loaded
2012.02.23 13:47:05 LOG7[14241:140531800237856]: SSL context initialized
for service https-123monsite.com
2012.02.23 13:47:05 LOG5[14241:140531800237856]: Configuration successful
2012.02.23 13:47:05 LOG5[14241:140531800237856]: No limit detected for the
number of clients
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=3
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=8
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=9
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=10
allocated (blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: accept socket: FD=11
allocated (non-blocking mode)
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Option SO_REUSEADDR set on
accept socket
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service
https-123monsite.com bound to 88.190.17.222:443
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service
https-123monsite.com opened FD=11
2012.02.23 13:47:05 LOG7[14247:140531800237856]: Created pid file
/var/run/stunnel4/stunnel4.pid
2012.02.23 13:47:05 LOG5[14247:140531800237856]: stunnel 4.35 on
x86_64-pc-linux-gnu with OpenSSL 1.0.0e 6 Sep 2011
2012.02.23 13:47:05 LOG5[14247:140531800237856]: Threading:PTHREAD
SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
On Thu, Feb 23, 2012 at 11:14, Thomas Manson <dev.mansonthomas at gmail.com> wrote:
> root at ns0:/etc/stunnel# service stunnel4 start
> Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started:
> /etc/stunnel/mansonthomas.com.conf] stunnel.
>
>
> Yes !
>
> In fact, my config file was missing the private key :
>
> [mansonthomas.com]
> cert = /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
> accept = 88.190.217.117:443
> connect = 127.0.0.1:82
>
> TIMEOUTclose = 0
>
> I've added the key, and now it starts ;)
>
> Thanks for your help !
>
> Regards,
> Thomas.
>
> On Thu, Feb 23, 2012 at 09:39, Ludolf Holzheid <
> lholzheid at bihl-wiedemann.de> wrote:
>
>> On Wed, 2012-02-22 23:38:53 +0000, Thomas Manson wrote:
>> > [..]
>> >
>> > the CRT file is generated by my registrar. If it's in the wrong format,
>> > How can I convert it?
>> >
>> > [..]
>> >
>> > Key file: /etc/stunnel/sites/mansonthomas.com/mansonthomas.com.crt
>> > error queue: 140B0009 : error:140B0009:SSL
>> > routines:SSL_CTX_use_PrivateKey_file:PEM lib
>> > SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM
>> > routines:PEM_read_bio:no start line
>> > [..]
>> >
>> > root at ns0:/etc/stunnel/sites/mansonthomas.com# cat mansonthomas.com.crt
>> > -----BEGIN CERTIFICATE-----
>> > [..]
>> > -----END CERTIFICATE-----
>> > -----BEGIN DH PARAMETERS-----
>> > .....
>> > -----END DH PARAMETERS-----
>>
>> Thomas,
>>
>> If there is no "-----BEGIN RSA PRIVATE KEY-----" in
>> mansonthomas.com.crt, then there is no key in it.
>>
>> You should be provided with a file containing the key.
>>
>> If this is in DER format (*.pfx or *.p12), you'll have to convert it
>> first:
>>
>> openssl pkcs12 -in <der file> -out <pem file>
>>
>> HTH,
>>
>> Ludolf
>>
>> --
>>
>> ---------------------------------------------------------------
>> Ludolf Holzheid Tel: +49 621 339960
>> Bihl+Wiedemann GmbH Fax: +49 621 3392239
>> Floßwörthstraße 41 e-mail: lholzheid at bihl-wiedemann.de
>> D-68199 Mannheim, Germany
>> ---------------------------------------------------------------
>>
>
>
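Added lint for the per-domain stunnel files discussed in this thread (this is not stunnel's code and not from any poster); it checks for the three problems that show up above: a global-only option such as debug or output placed after a [service] header (the "not allowed here" error), a service with no key or cert, and several files resolving to one pid file, which is the file the init script consults before printing "Already running". The default pid path and the sample configs are assumptions constructed for the example.

```python
import re
# Options stunnel accepts only in the global section, i.e. before any [service] header.
GLOBAL_ONLY = {"chroot", "debug", "output", "pid", "setuid", "setgid", "foreground"}
# Assumption: the compiled-in default pid path; base.conf in the thread sets this same value explicitly.
DEFAULT_PID = "/var/run/stunnel4/stunnel4.pid"

def parse_stunnel_conf(text):
    """Split one stunnel.conf into (global_opts, {service: opts}, errors)."""
    globs, services, errors, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current is None:
            globs[key] = value
        elif key in GLOBAL_ONLY:  # the "not allowed here" case from the post
            errors.append(f"[{current}]: '{key}' is a global option, move it above the first [section]")
        else:
            services[current][key] = value
    return globs, services, errors

def lint_configs(confs):
    """confs: {filename: text}. Flags misplaced options, missing cert/key, and pid collisions."""
    findings, pid_owners = [], {}
    for name, text in confs.items():
        globs, services, errors = parse_stunnel_conf(text)
        findings += [f"{name}: {e}" for e in errors]
        pid_owners.setdefault(globs.get("pid", DEFAULT_PID), []).append(name)
        for svc, opts in services.items():
            for req in ("cert", "key"):
                if req not in opts and req not in globs:
                    findings.append(f"{name}: [{svc}] has no '{req}'")
    for pid, owners in pid_owners.items():
        if len(owners) > 1:  # several daemons checking one pid file => "[Already running: ...]"
            findings.append(f"pid file {pid} shared by {sorted(owners)}")
    return findings
# Constructed sample mirroring the thread: base.conf sets pid, the two per-domain files do not
# (so they fall back to DEFAULT_PID), and b.conf carries a misplaced 'debug' and no 'key'.
SAMPLE = {
    "base.conf": "debug = 7\npid = /var/run/stunnel4/stunnel4.pid\ncert=/x/a.crt\nkey=/x/a.key\n[https-a]\naccept=192.0.2.1:443\nconnect=127.0.0.1:82\n",
    "b.conf": "[b]\ndebug = 7\ncert = /x/b.crt\naccept = 192.0.2.2:443\nconnect = 127.0.0.1:82\n",
    "c.conf": "[c]\nkey = /x/c.key\ncert = /x/c.crt\naccept = 192.0.2.3:443\nconnect = 127.0.0.1:82\n",
}
```

Running lint_configs(SAMPLE) reports the misplaced debug, the missing key in b.conf, and the shared pid file; giving each per-domain file its own pid line clears the last one.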