[stunnel-users] stunnel not seeing ca bundle files

Brian Hatch bri at stunnel.org
Wed Mar 12 15:10:42 CET 2008

Approximately 2008-03-11 22:46 -0700, sf.techguy at gmail.com cajoled:

> I purchased a security certificate from comodo, and was able to get it
> installed and working (mostly) with stunnel, but when I browse to the
> website, I get an error that the the browser can't verify the identity of
> the site, due to a problem w/the security cert.
> I called comodo, and they the error is caused by stunnel not seeing the
> intermediate certificate files that they told me need to be installed in
> order for their certificate to work. These files were:
> ComodoUTNServerCA.crt
> UTNAddTrustServerCA.crt
> AddTrustExternalCARoot.crt
> EssentialSSLCA.crt
> my_server_net.crt
> I modified stunnel.conf, and included this line:
> CApath = ca-certs/ (<- dir path, relative to chroot, containing above files)

CAPath is for verifying the certs of others - this is not the
configuration directive you're looking for.

Concatenate the pems for both your server's key, cert, and all
intermediate certs - use that as your stunnel.pem (or whatever you
have named it.)  This way when your stunnel server sends the client
(browser) its cert, it sends both the cert and those other entities
in the chain, and the browser should have the full picture of the
chain of trust.

Brian Hatch                  "I use pico on any Unix that
   Systems and                didn't ship with vi."
   Security Engineer         -- Francois Caen

Every message PGP signed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20080312/3de80ae7/attachment.sig>

More information about the stunnel-users mailing list