Hi Jose,

 

I have exported the certificate from AVG and appended it to my ca-certs.pem using a text editor. To make it easier to read I included a line break before the appended text thus:

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

 

I’m testing with my Zen connection for convenience:

 

[zen-pop3]
client = yes
accept = 127.0.0.1:26110
connect = mailhost.zen.co.uk:995
CAfile = ca-certs.pem
verifyChain = yes
checkHost = mailhost.zen.co.uk
OCSPaia = yes

 

It succeeds.  The log shows:

 

2026.05.31 20:39:42 LOG5[2]: Service [zen-pop3] accepted connection from 127.0.0.1:63471
2026.05.31 20:39:42 LOG5[2]: s_connect: connected 212.23.1.11:995
2026.05.31 20:39:42 LOG5[2]: Service [zen-pop3] connected remote server from 127.0.0.1:63472
2026.05.31 20:39:42 LOG5[2]: Certificate accepted at depth=0: CN=*.zen.co.uk
2026.05.31 20:39:42 LOG5[2]: Connection closed: 71 byte(s) sent to TLS, 6771 byte(s) sent to socket

 

Thank you so much for your help.

 

Regards,

== Graham
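
A framing check for a CA bundle edited by hand as described above, added here as an example and not part of the original thread: it confirms every BEGIN/END pair survived the append and returns a SHA-256 fingerprint per certificate to compare with the exported AVG root. The function and sample names are hypothetical, and the sample bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def audit_pem_bundle(text):
    """Check PEM framing only (not X.509 validity).

    Returns (fingerprints, problems): SHA-256 of each certificate's DER
    bytes, and a list of framing errors with line numbers.
    """
    fingerprints, problems, body, inside = [], [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN before previous END")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {n}: END without BEGIN")
                continue
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                problems.append(f"line {n}: body is not valid base64")
                continue
            if der[:1] != b"\x30":  # DER certificates start with SEQUENCE
                problems.append(f"line {n}: body is not a DER SEQUENCE")
                continue
            fingerprints.append(hashlib.sha256(der).hexdigest())
        elif "-----" in line:  # e.g. END and BEGIN glued onto one line
            problems.append(f"line {n}: malformed boundary marker")
        elif inside:
            body.append(line)
    if inside:
        problems.append("end of file: certificate never closed")
    return fingerprints, problems

def to_pem(der):
    """Wrap DER bytes in PEM armour (used only to build the samples)."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *textwrap.wrap(b64, 64), END]) + "\n"

# Constructed stand-ins for DER certificates, not real CA data.
CA_A, CA_B = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
GOOD = to_pem(CA_A) + "\n" + to_pem(CA_B)         # blank line between blocks
GLUED = to_pem(CA_A).rstrip("\n") + to_pem(CA_B)  # END and BEGIN share a line
```

The fingerprint is the SHA-256 of the certificate's DER encoding, so it can be compared with the one shown for the same certificate by a certificate viewer.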



 

From: Jose Alf. [mailto:josealf@rocketmail.com]
Sent: 31 May 2026 17:53
To: stunnel-users@lists.stunnel.org; graham@lorien56.co.uk
Subject: Re: [stunnel-users] Certificate rejected ...?

 

Hi Graham,

 

The issue you have is due to your locally installed AVG Security product. In order to do a security scan/review of your encrypted connections (web, SMTP, IMAP), AVG works as a man-in-the-middle and is intercepting the connection that Stunnel is trying to do to mail.lopham.co.uk and presenting a certificate signed by a local CA that is unknown to Stunnel. I understand that you can configure AVG to disable this TLS scanning/interception, but most likely you want to keep it enabled, and to avoid the failure in Stunnel you must add the local AVG CA root certificate to the file ca-certs.pem. You need to export the cert in PEM format and append it to your ca-certs.pem with a text editor.

 

See:

https://support.avg.com/SupportArticleView?l=en&urlname=content-products-avg-antivirus-configuringsettings-exportmailshieldcert

 

Hope this helps. 

 

 

Regards,

Jose A. Diaz

 

 

On Sunday, May 31, 2026 at 01:26:29 AM GMT-5, Graham Jones via stunnel-users <stunnel-users@lists.stunnel.org> wrote:

 

 

I'm new to Stunnel.

 

stunnel 5.78 on x64-pc-mingw32-gnu platform Windows 7 Pro.

 

During installation, the process walked me through the creation of a certificate.

 

I have these settings:

 

[Lopham-imap]
client = yes
accept = 127.0.0.1:52143
connect = mail.lopham.co.uk:993
CAfile = ca-certs.pem

 

The connection succeeds.

 

I add the following lines:

 

verifyChain = yes
checkHost = mail.lopham.co.uk
OCSPaia = yes

 

The connection fails with the following lines in the log:

 

2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] accepted connection from 127.0.0.1:51901
2026.05.30 21:45:52 LOG5[2]: s_connect: connected 193.143.227.10:993
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] connected remote server from 127.0.0.1:51902
2026.05.30 21:45:52 LOG4[2]: CERT: Pre-verification error: certificate not found in local repository: self-signed certificate in certificate chain
2026.05.30 21:45:52 LOG4[2]: Rejected by CERT at depth=1: OU=generated by AVG Antivirus for SSL/TLS scanning, O=AVG Web/Mail Shield, CN=AVG Web/Mail Shield Root
2026.05.30 21:45:52 LOG3[2]: SSL_connect: tls_post_process_server_certificate@ssl/statem/statem_clnt.c:2124: error:0A000086:SSL routines::certificate verify failed: client 127.0.0.1:51901
2026.05.30 21:45:52 LOG5[2]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

 

I see it finds the self-signed certificate in certificate chain. Why is this rejected?

 

Any ideas, please?

 

Regards,

 

== Graham

 

 

 

 
