[stunnel-users] Gmail POP3 retrieval, SSL-Error and Cert Chain

Tobias Ruch macruch at hotmail.com
Tue Feb 24 08:38:19 CET 2015

I want to use stunnel to enable SSL on port 995.
Unfortunately, I got "SSL error: Unable to verify the first 
certificate." when using the Gmail POP3 retrieval.
My certificate is signed by WoSign and included in the Mozilla 
truststore list.
https://www.ssllabs.com/ssltest/analyze.html gives me a grade A for my 
Apache configuration, and Chrome and Firefox are also fine with this 
certificate. So it's not a self-signed one.

For a test I have configured stunnel to serve https. I then get the 
message that the chain is incomplete.
According to 
https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm this 
could be one reason for this error.

My Apache-config looks like this
SSLCertificateFile    /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl//mydomain.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem

for stunnel I used

cert = /etc/apache2/ssl/mydomain.crt
key = /etc/apache2/ssl//mydomain.key
CAfile = /etc/apache2/ssl/1_root_bundle.crt or ca-certs.pem (I have 
tried both).

What is a similar configuration in stunnel?

The post 
https://www.stunnel.org/pipermail/stunnel-users/2010-February/002594.html mentioned 
that the chain must be completely in the crt-file.
But a description of how to achieve this is missing and I found no other 
resources describing this.

Thanks a lot
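
The linked 2010 post says the whole chain has to be in the file named by cert. One way to build and check such a file from the two Apache files, as an added example that is not part of the original message or of stunnel; the script name mkchain.sh and the output path /etc/stunnel/fullchain.pem are assumptions:

```shell
#!/bin/sh
# Added example. Input paths are the ones from the post; the output name
# /etc/stunnel/fullchain.pem and the script name are assumptions.

# Print the number of PEM certificate blocks in a file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# build_fullchain LEAF CHAIN OUT
# Write the server certificate followed by the intermediates to OUT.
build_fullchain() {
    leaf=$1 chain=$2 out=$3
    [ "$(count_certs "$leaf")" -eq 1 ] ||
        { echo "$leaf: expected exactly one certificate" >&2; return 1; }
    [ "$(count_certs "$chain")" -ge 1 ] ||
        { echo "$chain: no certificate found" >&2; return 1; }
    # awk strips CRs and ends every line with LF, so a leaf file without a
    # trailing newline cannot fuse its END line with the next BEGIN line.
    awk '{ sub(/\r$/, ""); print }' "$leaf" "$chain" > "$out"
}

# chain_in_order FILE (needs the openssl CLI)
# Succeeds when each certificate's issuer is the subject of the next one.
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9); if (n++ && s != prev) bad = 1 }
             /^issuer=/  { prev = substr($0, 8) }
             END { exit (bad ? 1 : 0) }'
}

# Usage: sh mkchain.sh LEAF CHAIN OUT, e.g.
#   sh mkchain.sh /etc/apache2/ssl/mydomain.crt \
#       /etc/apache2/ssl/1_root_bundle.crt /etc/stunnel/fullchain.pem
# then in stunnel.conf:
#   cert = /etc/stunnel/fullchain.pem
#   key = /etc/apache2/ssl/mydomain.key
if [ "$#" -eq 3 ]; then
    build_fullchain "$1" "$2" "$3" && chain_in_order "$3" &&
        echo "$3: $(count_certs "$3") certificates, leaf first"
fi
```

Running `openssl s_client -connect HOST:995 -showcerts` against the restarted service then shows which certificates are actually sent.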
