 
I'm running stunnel 4.14 on Darwin 7.0.0 (Mac OS X Server 10.4.11), with OpenSSL 0.9.71. I purchased a security certificate from comodo, and was able to get it installed and working (mostly) with stunnel, but when I browse to the website, I get an error that the browser can't verify the identity of the site, due to a problem w/the security cert.

I called comodo, and they said the error is caused by stunnel not seeing the intermediate certificate files that they told me need to be installed in order for their certificate to work. These files were:

ComodoUTNServerCA.crt
UTNAddTrustServerCA.crt
AddTrustExternalCARoot.crt
EssentialSSLCA.crt
my_server_net.crt

I modified stunnel.conf, and included this line:

CApath = ca-certs/ (<- dir path, relative to chroot, containing above files)

But the error persists. Can anyone tell me if what comodo support is telling me is even correct?

I've verified that my .key and .crt files match by running:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

And the output of both matches. Not sure what to try next. Any help much appreciated! Thanks in advance...
 
On Tue, 2008-03-11 22:46:31 -0700, [email protected] wrote:
> [..] These files were:
> ComodoUTNServerCA.crt [..]
> I modified stunnel.conf, and included this line:
> CApath = ca-certs/ (<- dir path, relative to chroot, containing above files)
> But the error persists.

Hi anonymous questioner,

As far as I remember, the certificates have to be in PEM format in order to be used by stunnel. (The '.crt' extension makes me suppose they are in DER format.) You may use openssl to convert from DER to PEM:

openssl x509 -inform DER -in filename.crt -out filename.pem

Moreover, the files containing the certificates need to have special file names. The 'c_rehash' utility takes care of that.

HTH,
Ludolf

-- 
---------------------------------------------------------------
Ludolf Holzheid                 Tel:    +49 621 339960
Bihl+Wiedemann GmbH             Fax:    +49 621 3392239
Floßwörthstraße 41              e-mail: [email protected]
D-68199 Mannheim, Germany
---------------------------------------------------------------
 
Approximately 2008-03-11 22:46 -0700, [email protected] cajoled:
> I purchased a security certificate from comodo, and was able to get it installed and working (mostly) with stunnel, but when I browse to the website, I get an error that the browser can't verify the identity of the site, due to a problem w/the security cert.
> I called comodo, and they said the error is caused by stunnel not seeing the intermediate certificate files that they told me need to be installed in order for their certificate to work. These files were:
> ComodoUTNServerCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt EssentialSSLCA.crt my_server_net.crt
> I modified stunnel.conf, and included this line:
> CApath = ca-certs/ (<- dir path, relative to chroot, containing above files)

CApath is for verifying the certs of others - this is not the configuration directive you're looking for.

Concatenate the pems for both your server's key, cert, and all intermediate certs - use that as your stunnel.pem (or whatever you have named it.) This way when your stunnel server sends the client (browser) its cert, it sends both the cert and those other entities in the chain, and the browser should have the full picture of the chain of trust.

-- 
Brian Hatch                     "I use pico on any Unix that
Systems and                      didn't ship with vi."
Security Engineer               -- Francois Caen
http://www.ifokr.org/bri/

Every message PGP signed
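The bundle Brian describes, as an added example that is not part of the thread: a small POSIX shell script that assembles key, server cert and intermediates into one PEM file (converting DER .crt files on the way), then checks that the first cert matches the key and that it chains to the root using only the intermediates in the file, which is exactly the view a browser gets. It assumes the openssl command-line tool; the function and file names are mine, not stunnel's.

```shell
#!/bin/sh
# Added example, not code from the thread: build the combined PEM bundle Brian
# describes (key + server cert + intermediates) and check it before pointing
# stunnel's "cert =" at it. Assumes the openssl CLI; file names are placeholders.

# to_pem FILE: print FILE as PEM; a .crt file from the CA may be DER-encoded.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"
    else openssl x509 -inform DER -in "$1" -outform PEM; fi
}

# build_bundle OUT KEY LEAF [INTERMEDIATE...]: order matters - server cert
# first, then intermediates in signing order. The root is not needed.
build_bundle() {
    out=$1; key=$2; leaf=$3; shift 3
    { cat "$key"; to_pem "$leaf"; for ca in "$@"; do to_pem "$ca"; done; } > "$out"
}

# key_matches_cert KEY CERT: the modulus comparison from the original post.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5)" = \
      "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5)" ]
}

# verify_bundle BUNDLE ROOT: succeeds only if the first cert belongs to the key
# (so it is the server cert) and chains to ROOT using just the intermediates
# carried in the bundle, which is all a browser gets to see.
verify_bundle() {
    bundle=$1; root=$2; rc=0; tmp=$(mktemp -d)
    key_matches_cert "$bundle" "$bundle" || rc=1
    # split: cert0.pem is the first cert, cert1.pem onward are the intermediates
    n=$(awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++}
        /BEGIN CERTIFICATE/,/END CERTIFICATE/{print > (d "/cert" (n-1) ".pem")}
        END{print n+0}' "$bundle")
    untrusted=""
    if [ "$n" -gt 1 ]; then
        cat "$tmp"/cert[1-9]*.pem > "$tmp/chain"; untrusted="-untrusted $tmp/chain"
    fi
    openssl verify -CAfile "$root" $untrusted "$tmp/cert0.pem" >/dev/null 2>&1 || rc=1
    rm -rf "$tmp"
    return $rc
}

# Usage: sh build_stunnel_pem.sh OUT ROOT KEY LEAF [INTERMEDIATE...]
if [ "$#" -ge 4 ]; then
    out=$1; root=$2; shift 2
    build_bundle "$out" "$@"
    verify_bundle "$out" "$root" && echo "$out: server cert and chain verify"
fi
```

A bundle that passes verify_bundle is what stunnel should serve; a bundle with the intermediates left out fails the same way the original poster's setup failed in the browser.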