[stunnel-users] Cert Chain Question

Craig Kelley ink at inconnu.islug.org
Wed Feb 17 18:28:03 CET 2010


I've been attempting to include an intermediate chain for my stunnel 
setup.  First, I previously used an entrust-signed certificate with 
stunnel just fine, but now I've purchased one from godaddy ($190 for 3 
certs for 5 years!).  The only problem is that the server has multiple 
certificates to install.  Under Apache, I solved it with this:

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt

Which works just fine.  With stunnel I attempted this configuration:

cert = /etc/stunnel/server.crt
key =  /etc/stunnel/server.key
CAfile = /etc/stunnel/godaddy.crt

All those files are identical to the Apache configuration.  Stunnel 
starts up, but clients loudly complain that the certificate is not valid. 
If I examine the certificate in Thunderbird (I use stunnel for IMAPS and 
POP3S), it correctly identifies the cert as being from GoDaddy and that it 
will expire in 2015.  But for some reason, the chain to its root server is 
broken.

What am I doing wrong?

--
Craig Kelley
http://inconnu.islug.org/~ink finger same server for PGP block
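Editor's note, added example (not part of the original post and not stunnel's own code). stunnel sends the chain it finds in the file named by "cert =": the server certificate first, followed by the intermediate(s). "CAfile" is the trust store stunnel uses to verify peer certificates and adds nothing to the chain it presents, which is why the Apache-style split above leaves the chain broken for clients. The script below builds that combined PEM and uses openssl to show the leaf alone failing to chain to the root while leaf plus intermediate verifies. A throwaway root, intermediate and server certificate are generated locally so it runs offline; the names (Example Test Root, mail.example.com) are constructed for the demonstration and stand in for server.crt and godaddy.crt.

```shell
#!/bin/sh
# Added example: build the combined PEM stunnel expects in "cert =" and
# verify the chain with openssl.  Not from the original post or the stunnel
# project.  The CA hierarchy below is a throwaway one generated on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal X.509v3 extensions for the throwaway CA and server certificates.
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.com
EOF

# gen_test_pki DIR: write root.pem, intermediate.pem, server.pem (+ keys)
# into DIR.  Constructed names; real deployments get these from the CA.
gen_test_pki() {
  dir=$1
  # Self-signed root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Example Test Root" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -out "$dir/root.pem" -days 2 -extfile "$WORK/ext.cnf" -extensions v3_ca 2>/dev/null
  # Intermediate signed by the root (the "godaddy.crt" role in the post).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/intermediate.key" \
    -out "$dir/intermediate.csr" -subj "/CN=Example Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/intermediate.pem" \
    -days 2 -extfile "$WORK/ext.cnf" -extensions v3_ca 2>/dev/null
  # Server (leaf) certificate signed by the intermediate (the "server.crt" role).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=mail.example.com" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.pem" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -out "$dir/server.pem" \
    -days 2 -extfile "$WORK/ext.cnf" -extensions v3_leaf 2>/dev/null
}

# build_stunnel_cert OUT LEAF [INTERMEDIATE...]: concatenate PEM files in the
# order stunnel wants, leaf first.  Equivalent to
#   cat server.crt godaddy.crt > /etc/stunnel/stunnel.pem
build_stunnel_cert() {
  out=$1; shift
  : > "$out"
  for pem in "$@"; do
    cat "$pem" >> "$out"
  done
}

# count_certs FILE: number of PEM certificates in FILE.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# first_subject FILE: subject of the first certificate in FILE, i.e. the
# one stunnel presents as the server certificate.
first_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# verify_chain ROOT BUNDLE: does the first certificate in BUNDLE chain to
# ROOT using only the other certificates in BUNDLE as intermediates?  This
# mirrors what a mail client does with the chain the server sends.
# Exit status 0 = chain verifies, 1 = broken chain.
verify_chain() {
  root=$1; bundle=$2
  openssl x509 -in "$bundle" -out "$WORK/leaf.tmp" 2>/dev/null
  openssl verify -CAfile "$root" -untrusted "$bundle" "$WORK/leaf.tmp" >/dev/null 2>&1
}

PKI="$WORK/pki"; mkdir -p "$PKI"
gen_test_pki "$PKI"

# The configuration from the post: only the server certificate in "cert =".
build_stunnel_cert "$WORK/leaf-only.pem" "$PKI/server.pem"
# The fix: server certificate followed by the intermediate in the same file.
build_stunnel_cert "$WORK/stunnel.pem" "$PKI/server.pem" "$PKI/intermediate.pem"

for f in "$WORK/leaf-only.pem" "$WORK/stunnel.pem"; do
  if verify_chain "$PKI/root.pem" "$f"; then r=OK; else r=BROKEN; fi
  printf '%s: %s cert(s), first=%s, chain to root: %s\n' \
    "$(basename "$f")" "$(count_certs "$f")" "$(first_subject "$f")" "$r"
done
```

With the combined file in place, the stunnel side becomes `cert = /etc/stunnel/stunnel.pem` with `key = /etc/stunnel/server.key` as before; `CAfile` can be dropped unless stunnel is also meant to verify client certificates. Running the last `verify_chain` step against the real bundle before restarting stunnel catches an out-of-order or missing intermediate without involving a mail client.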


