[stunnel-users] Gmail POP3 retrieval, SSL-Error and Cert Chain
Tobias Ruch
macruch at hotmail.com
Tue Feb 24 08:38:19 CET 2015
Hi,
I want to use stunnel to enable SSL on port 995.
Unfortunately, I got "SSL error: Unable to verify the first
certificate." when using the Gmail POP3 retrieval.
My certificate is signed by WoSign and included in the Mozilla
truststore list.
https://www.ssllabs.com/ssltest/analyze.html gives me a grade A for my
Apache configuration, and Chrome and Firefox are also fine with this
certificate. So it's not a self-signed one.
For a test I have configured stunnel to serve HTTPS. I then get the
message that the chain is incomplete.
According to
https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm this
could be one reason for this error.
My Apache config looks like this:
SSLCertificateFile /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl//mydomain.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem
For stunnel I used:
cert = /etc/apache2/ssl/mydomain.crt
key = /etc/apache2/ssl//mydomain.key
CAfile = /etc/apache2/ssl/1_root_bundle.crt or ca-certs.pem (I have
tried both).
What is a similar configuration in stunnel?
The post
https://www.stunnel.org/pipermail/stunnel-users/2010-February/002594.html mentioned
that the chain must be completely in the crt-file.
But a description of how to achieve this is missing and I found no other
resources describing this.
Thanks a lot
Tobias