I've another issue, it's quite close to be fully working.<br><br><br>I've the base.conf and mansonthomas.com.conf and extranet.oneothersite.com.conf<br><br>when all 3 config file are activated (ie ends with .conf), then I only see <br>
<ul><li>base.conf (<a href="http://123monsite.com">123monsite.com</a> in the logs)<br></li><li>extranet.othersite.conf running, <br><br></li><li>mansonthomas.conf seems to be skipped</li></ul><br>Couples of questions (before detailed config/output etc...) : <br>
<ul><li>Is there something particular to do in the config file to have multiple domain running with stunnel ? <br></li><li>How can I set debug/pid file on other domain ?<br><br> I've tryed to put debug & output config properties inside <a href="http://mansonthomas.com">mansonthomas.com</a> and <a href="http://extranet.othersite.com">extranet.othersite.com</a>, but with I start it says it's not allowed here. (i've putted it after the [<a href="http://mansonthomas.com">mansonthomas.com</a>] line)</li>
</ul><p><br></p><p>find below all the details!<br></p><p><br></p>Regards,<br>Thomas.<br><br><br><br>If I disable <a href="http://extranet.oneothersite.com">extranet.oneothersite.com</a> (move extranet.oneothersite.com.conf to extranet.oneothersite.com.conf_)<br>
and start stunnel I see : <br><br>root@ns0:/etc/stunnel# service stunnel4 start<br>Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/mansonthomas.com.conf] stunnel.<br><br>ps excerpt : <br><br>
<font size="1"><span style="font-family:courier new,monospace"> 1 12950 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> 1 12951 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> 1 12952 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> 1 12953 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> 1 12954 12925 1305 pts/0 12956 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace"> 1 12955 12955 12955 ? -1 Ss 0 0:00 /usr/bin/stunnel4 /etc/stunnel/mansonthomas.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/</span></font><br>
<br>And I can successfully connect with HTTPS on <a href="https://mansonthomas.com">https://mansonthomas.com</a> with no SSL error ! (youpi ! ;))<br><br><br>If I enable extranet.oneothersite.com.conf configuration by renaming extranet.oneothersite.com.conf_ to extranet.oneothersite.com.conf<br>
<br>and I stop and start here is what I get : <br><br><br>root@ns0:/etc/stunnel# service stunnel4 start<br>Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/extranet.othersite.com.conf] [<span style="background-color:rgb(255,255,0)">Already running: /etc/stunnel/mansonthomas.com.conf</span>] stunnel.<br>
<br><span style="background-color:rgb(255,255,0)">while it's not running.</span> the previous service stunnel4 stop kill all the process, no one left in memory.<br><br>a ps output after restart : <br><font style="font-family:courier new,monospace" size="1"><br>
1 12377 12377 12377 ? -1 Ss 110 0:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid TERM=screen-bce PATH=/sbin:/usr/sbin:/bin:/usr/bin LANG=en_US.UTF-8 PWD=/<br> 1 14055 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/<br>
1 14056 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/<br>
1 14057 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/<br>
1 14058 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/<br>
1 14059 14044 1305 pts/0 14085 S 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/<br>
1 14060 14060 14060 ? -1 Ss 109 0:00 /usr/bin/stunnel4 /etc/stunnel/base.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 PWD=/<br>
1 14069 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P<br>
1 14070 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P<br>
1 14071 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P<br>
1 14072 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P<br>
1 14073 14044 1305 pts/0 14085 S 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P<br>
1 14074 14074 14074 ? -1 Ss 0 0:00 /usr/bin/stunnel4 /etc/stunnel/extranet.othersite.com.conf TERM=screen-bce PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin LANG=en_US.UTF-8 P</font><br style="font-family:courier new,monospace">
<font style="color:rgb(0,0,0)" size="2"><br></font><font style="color:rgb(0,0,0);background-color:rgb(255,255,0)" size="2">can't see <a href="http://mansonthomas.com">mansonthomas.com</a></font><br>And if I try to reach <a href="https://mansonthomas.com">https://mansonthomas.com</a> it fails.<br>
<br><br>here is my current configuration :<br><br><br><font style="font-family:courier new,monospace" size="1">root@ns0:/etc/stunnel# cat <b><font size="4">base.conf</font></b><br></font><font style="font-family:courier new,monospace" size="1">============================================================================</font><br>
<font style="font-family:courier new,monospace" size="1">debug = 7<br><br><br>sslVersion = SSLv3<br>cert=/etc/stunnel/sites/<a href="http://123monsite.com/123monsite.com.crt">123monsite.com/123monsite.com.crt</a><br>key=/etc/stunnel/sites/<a href="http://123monsite.com/123monsite.com.key">123monsite.com/123monsite.com.key</a><br>
<br><br>; security enhancements for UNIX systems<br>; for chroot a copy of some devices and files is needed within the jail<br>;chroot = /var/lib/stunnel4/<br>setuid = stunnel4<br>setgid = stunnel4<br>; PID is created inside the chroot jail<br>
pid = /var/run/stunnel4/stunnel4.pid<br><br><br>socket = l:TCP_NODELAY=1<br>socket = r:TCP_NODELAY=1<br>output = /var/log/stunnel4/stunnel.log<br><br>[<a href="http://https-123monsite.com">https-123monsite.com</a>]<br>accept=<a href="http://88.190.17.222:443">88.190.17.222:443</a><br>
connect=<a href="http://127.0.0.1:82">127.0.0.1:82</a><br>root@ns0:/etc/stunnel#<br>============================================================================<br><br><br>root@ns0:/etc/stunnel# cat<font size="4"><b> mansonthomas.com.conf</b></font><br>
</font><font style="font-family:courier new,monospace" size="1">============================================================================</font><br><font style="font-family:courier new,monospace" size="1">[<a href="http://mansonthomas.com">mansonthomas.com</a>]<br>
key = /etc/stunnel/sites/<a href="http://mansonthomas.com/mansonthomas.com.key">mansonthomas.com/mansonthomas.com.key</a><br>cert = /etc/stunnel/sites/<a href="http://mansonthomas.com/mansonthomas.com.crt">mansonthomas.com/mansonthomas.com.crt</a><br>
accept = <a href="http://88.190.217.117:443">88.190.217.117:443</a><br>connect = <a href="http://127.0.0.1:82">127.0.0.1:82</a><br><br>sslVersion = SSLv3<br>TIMEOUTclose = 0<br></font><font style="font-family:courier new,monospace" size="1">============================================================================</font><br>
<font style="font-family:courier new,monospace" size="1">root@ns0:/etc/stunnel#<br><br><br><br>root@ns0:/etc/stunnel# cat <b><font size="4">extranet.othersite.com.conf</font></b><br></font><font style="font-family:courier new,monospace" size="1">============================================================================</font><br>
<font style="font-family:courier new,monospace" size="1">[<a href="http://extranet.othersite.com">extranet.othersite.com</a>]<br>key = /etc/stunnel/sites/<a href="http://extranet.othersite.com/extranet.othersite.com.key">extranet.othersite.com/extranet.othersite.com.key</a><br>
cert = /etc/stunnel/sites/<a href="http://extranet.othersite.com/extranet.othersite.com.crt">extranet.othersite.com/extranet.othersite.com.crt</a><br>accept = <a href="http://88.190.100.100:443">88.190.100.100:443</a><br>
connect = <a href="http://127.0.0.1:82">127.0.0.1:82</a><br><br>sslVersion = SSLv3<br>TIMEOUTclose = 0<br></font><font style="font-family:courier new,monospace" size="1">============================================================================</font><br>
<font style="font-family:courier new,monospace" size="1">root@ns0:/etc/stunnel#<br><br><br><br>here is the log file :<br><br><br>root@ns0:/var/log/stunnel4# cat stunnel.log<br>2012.02.23 13:47:05 LOG5[14241:140531800237856]: Reading configuration from file /etc/stunnel/base.conf<br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Snagged 64 random bytes from /dev/urandom<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: PRNG seeded successfully<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: Using DH parameters from /etc/stunnel/sites/<a href="http://123monsite.com/123monsite.com.crt">123monsite.com/123monsite.com.crt</a><br>
2012.02.23 13:47:05 LOG6[14241:140531800237856]: DH initialized with 2048 bit key<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: ECDH initialized<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate: /etc/stunnel/sites/<a href="http://123monsite.com/123monsite.com.crt">123monsite.com/123monsite.com.crt</a><br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Certificate loaded<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: Key file: /etc/stunnel/sites/<a href="http://123monsite.com/123monsite.com.key">123monsite.com/123monsite.com.key</a><br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Private key loaded<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: SSL context initialized for service <a href="http://https-123monsite.com">https-123monsite.com</a><br>
2012.02.23 13:47:05 LOG5[14241:140531800237856]: Configuration successful<br>2012.02.23 13:47:05 LOG5[14241:140531800237856]: No limit detected for the number of clients<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=3 allocated (blocking mode)<br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=4 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5 allocated (blocking mode)<br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=5 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=6 allocated (blocking mode)<br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=7 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: libwrap_init: FD=8 allocated (blocking mode)<br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=9 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: signal_pipe: FD=10 allocated (blocking mode)<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: accept socket: FD=11 allocated (non-blocking mode)<br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Option SO_REUSEADDR set on accept socket<br>2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service <a href="http://https-123monsite.com">https-123monsite.com</a> bound to <a href="http://88.190.17.222:443">88.190.17.222:443</a><br>
2012.02.23 13:47:05 LOG7[14241:140531800237856]: Service <a href="http://https-123monsite.com">https-123monsite.com</a> opened FD=11<br>2012.02.23 13:47:05 LOG7[14247:140531800237856]: Created pid file /var/run/stunnel4/stunnel4.pid<br>
2012.02.23 13:47:05 LOG5[14247:140531800237856]: stunnel 4.35 on x86_64-pc-linux-gnu with OpenSSL 1.0.0e 6 Sep 2011<br>2012.02.23 13:47:05 LOG5[14247:140531800237856]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP<br>
<br><br><br></font><br><br><br><br><br><div class="gmail_quote">On Thu, Feb 23, 2012 at 11:14, Thomas Manson <span dir="ltr"><<a href="mailto:dev.mansonthomas@gmail.com">dev.mansonthomas@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">root@ns0:/etc/stunnel# service stunnel4 start<br>Starting SSL tunnels: [Started: /etc/stunnel/base.conf] [Started: /etc/stunnel/mansonthomas.com.conf] stunnel.<br>
<br><br>Yes !<br><br>In fact, my config file was missing the private key : <br><div class="im">
<br><span style="font-family:courier new,monospace">[<a href="http://mansonthomas.com/" target="_blank">mansonthomas.com</a>]</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">cert = /etc/stunnel/sites/<a href="http://mansonthomas.com/mansonthomas.com.crt" target="_blank">mansonthomas.com/mansonthomas.com.crt</a></span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">accept = <a href="http://88.190.217.117:443/" target="_blank">88.190.217.117:443</a></span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">connect = <a href="http://127.0.0.1:82/" target="_blank">127.0.0.1:82</a></span><br style="font-family:courier new,monospace">
<br style="font-family:courier new,monospace"></div><span style="font-family:courier new,monospace">TIMEOUTclose = 0<br><br>I've added the key, and now it starts ;)<br><br>Thanks for your help !<br><br>Regards,<br>Thomas.<br>
</span><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote">On Thu, Feb 23, 2012 at 09:39, Ludolf Holzheid <span dir="ltr"><<a href="mailto:lholzheid@bihl-wiedemann.de" target="_blank">lholzheid@bihl-wiedemann.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, 2012-02-22 23:38:53 +0000, Thomas Manson wrote:<br>
> [..]<br>
<div>><br>
> the CRT file is generated by my registrar. If it's in the wrong format,<br>
> How can I convert it?<br>
><br>
</div>> [..]<br>
<div>><br>
> Key file: /etc/stunnel/sites/<a href="http://mansonthomas.com/mansonthomas.com.crt" target="_blank">mansonthomas.com/mansonthomas.com.crt</a><br>
> error queue: 140B0009 : error:140B0009:SSL<br>
> routines:SSL_CTX_use_PrivateKey_file:PEM lib<br>
> SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM<br>
> routines:PEM_read_bio:no start line<br>
</div>> [..]<br>
<div>><br>
> root@ns0:/etc/stunnel/sites/<a href="http://mansonthomas.com#" target="_blank">mansonthomas.com#</a> cat mansonthomas.com.crt<br>
> -----BEGIN CERTIFICATE-----<br>
</div>> [..]<br>
<div>> -----END CERTIFICATE-----<br>
> -----BEGIN DH PARAMETERS-----<br>
> .....<br>
> -----END DH PARAMETERS-----<br>
<br>
</div>Thomas,<br>
<br>
If there is no "-----BEGIN RSA PRIVATE KEY-----" in<br>
mansonthomas.com.crt, then there is no key in.<br>
<br>
You should be provided with a file containing the key.<br>
<br>
If this is in DER format (*.pfx or *.p12), you'll have to convert it<br>
first:<br>
<br>
openssl pkcs12 -in <der file> -out <pem file><br>
<br>
HTH,<br>
<br>
Ludolf<br>
<span><font color="#888888"><br>
--<br>
<br>
---------------------------------------------------------------<br>
Ludolf Holzheid Tel: <a href="tel:%2B49%20621%20339960" value="+49621339960" target="_blank">+49 621 339960</a><br>
Bihl+Wiedemann GmbH Fax: <a href="tel:%2B49%20621%203392239" value="+496213392239" target="_blank">+49 621 3392239</a><br>
Floßwörthstraße 41 e-mail: <a href="mailto:lholzheid@bihl-wiedemann.de" target="_blank">lholzheid@bihl-wiedemann.de</a><br>
D-68199 Mannheim, Germany<br>
---------------------------------------------------------------<br>
</font></span></blockquote></div><br>
</div></div></blockquote></div><br>