[stunnel-users] Cert Chain Question

Jeremie Le Hen jeremie at le-hen.org
Thu Feb 18 11:36:14 CET 2010


Hi Craig,

On Wed, Feb 17, 2010 at 10:28:03AM -0700, Craig Kelley wrote:
> 
> I've been attempting to include an intermediate chain for my stunnel 
> setup.  First, I previously used an entrust-signed certificate with 
> stunnel just fine, but now I've purchased one from godaddy ($190 for 3 
> certs for 5 years!).  The only problem is that the server has multiple 
> certificates to install.  Under Apache, I solved it with this:
> 
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt
> 
> Which works just fine.  With stunnel I attempted this configuration:
> 
> cert = /etc/stunnel/server.crt
> key =  /etc/stunnel/server.key
> CAfile = /etc/stunnel/godaddy.crt
> 
> All those files are identical to the Apache configuration.  Stunnel 
> starts up, but clients loudly complain that the certificate is not valid. 
> If I examine the certificate in Thunderbird (I use stunnel for IMAPS and 
> POP3S), it correctly identifies the cert as being from GoDaddy and that it 
> will expire in 2015.  But for some reason, the chain to its root server is 
> broken.
> 
> What am I doing wrong?

The way it works in stunnel is that your godaddy.crt should contain the
certificate chain up to the self-signed root CA.

Regards,
-- 
Jeremie Le Hen

Humans are born free and equal.  But some are more equal than the others.
					    Coluche
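An added check for a chain file of the kind discussed above (not code from the thread or from stunnel): it splits the PEM bundle and confirms that each certificate is issued by the one after it and that the bundle ends at a self-signed root, which is the property a bundle like godaddy.crt needs before a client will accept the chain. It assumes the openssl command line tool, POSIX awk and mktemp are available.

```shell
# Split a PEM bundle into one file per certificate: $1 = bundle, $2 = output dir.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0 }' "$1"
}

# Return 0 if $1 holds an ordered chain (each certificate issued by the next one)
# that ends at a self-signed root; print the first break found to stderr otherwise.
check_chain() {
    tmp=$(mktemp -d) || return 2
    split_pem "$1" "$tmp"
    prev="" last="" rc=0
    for f in "$tmp"/cert*.pem; do
        if [ ! -f "$f" ]; then          # glob did not match: no certificates at all
            echo "no certificates found in $1" >&2; rc=1; break
        fi
        subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
        iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
        # The previous certificate's issuer must be this certificate's subject.
        if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then
            echo "chain broken: expected issuer '$prev', found '$subj'" >&2; rc=1; break
        fi
        prev=$iss; last=$subj
    done
    # The final certificate must be self-signed (issuer == subject), i.e. the root CA.
    if [ "$rc" -eq 0 ] && [ "$prev" != "$last" ]; then
        echo "chain does not end at a self-signed root (last issuer: $prev)" >&2; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Run it as `check_chain /etc/stunnel/godaddy.crt`; a non-zero exit with the printed message tells you which link of the chain the bundle is missing or has out of order.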
