[stunnel-users] Cert Chain Question

Jeremie Le Hen jeremie at le-hen.org
Thu Feb 18 11:36:14 CET 2010

Hi Craig,

On Wed, Feb 17, 2010 at 10:28:03AM -0700, Craig Kelley wrote:
> I've been attempting to include an intermediate chain for my stunnel 
> setup.  First, I previously used an entrust-signed certificate with 
> stunnel just fine, but now I've purchased one from godaddy ($190 for 3 
> certs for 5 years!).  The only problem is that the server has multiple 
> certificates to install.  Under Apache, I solved it with this:
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt
> Which works just fine.  With stunnel I attempted this configuration:
> cert = /etc/stunnel/server.crt
> key =  /etc/stunnel/server.key
> CAfile = /etc/stunnel/godaddy.crt
> All those files are identical to the Apache configuration.  Stunnel 
> starts up, but clients loudly complain that the certificate is not valid. 
> If I examine the certificate in Thunderbird (I use stunnel for IMAPS and 
> POP3S), it correctly identifies the cert as being from GoDaddy and that it 
> will expire in 2015.  But for some reason, the chain to its root server is 
> broken.
> What am I doing wrong?

The way it works in stunnel is that your godaddy.crt should contain the
certificate chain up to the self-signed root CA.

Jeremie Le Hen
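An added example, not from the thread: it builds a throwaway root -> intermediate -> server certificate hierarchy with openssl (constructed placeholder names, not the GoDaddy chain), reproduces the client-side failure when only the server certificate is presented, and shows the verification succeeding once the PEM-concatenated bundle of issuers up to the self-signed root is supplied alongside it. Assumes openssl is installed; file names are the script's own.

```shell
#!/bin/sh
# Added example: reproduce the broken-chain symptom with a constructed test CA
# hierarchy, then verify the leaf with and without the intermediate bundle.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"

# Constructed test material: names are placeholders, not a real CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$CA_EXT" \
  -out "$WORK/inter.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/inter.pem" \
  -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null

# The bundle the server must present: every issuer up to the self-signed
# root, PEM-concatenated (the role godaddy.crt plays in the thread).
cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# Prints OK when the server cert chains to the trusted root using only the
# trust store, BROKEN otherwise (what a client sees with the leaf alone).
verify_leaf_alone() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
  then echo OK; else echo BROKEN; fi
}
# Same check with the intermediate bundle presented alongside the leaf.
verify_with_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
       "$WORK/server.pem" >/dev/null 2>&1
  then echo OK; else echo BROKEN; fi
}
# Count PEM certificates in a bundle: a one-certificate file is the usual mistake.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

echo "leaf alone:   $(verify_leaf_alone)"
echo "leaf + chain: $(verify_with_chain)"
echo "certificates in chain.pem: $(count_certs "$WORK/chain.pem")"
```

The same two checks can be run against a live service by feeding the output of `openssl s_client -showcerts` to `openssl verify`, which shows whether the running stunnel actually sends the intermediate.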

