>:) Been beating my head against the wall for a few days now… Hoping someone has set this up or at least set up one or the other and can spot any errors I’m making. For anyone not familiar with stunnel, it’s a universal SSL wrapper that secures just about any network protocol including HTTP, POP, SMTP, LDAP and even other protocols not listed.
Configuring Stunnel with a self-signed certificate on OpenSuSE 11 (32-bit).
Essential modules installed from OpenSuSE11 repos
Creating the Self-signed certificate.
I’ve been having problems with just OpenSSL so am trying to implement TinyCA2 as a GUI application to apply a little order to setup and management. Using TinyCA2, have created the first CA during the standard initial setup. Have also created a Server CSR and signed the request, creating a VALID certificate. At least, it has VALID status within TinyCA2, because I can’t seem to verify using any other tool (OpenSSL tools return a Level 0 error which translates as cannot verify top level authentication but maybe I’m not running the tool right).
Installation creates the /etc/stunnel/ directory which in particular holds the very important stunnel.conf file. A parameter in the stunnel.conf file points to /etc/stunnel.pem as the certificate to be used for encryption.
Configuring Stunnel with the certificate.
Applying typical instructions I’ve read for using TinyCA2 certificates for Apache websites, I copied the Server certificate created by TinyCA2 to the specified location and renamed it /etc/stunnel/stunnel.pem.
The last step is to try to start the stunnel service.
In case the service was already running,
At this point an error is displayed and a more verbose error is written to /var/log/rc.stunnel.log.
The logfile error reads:
2008.12.17 20:02:45 LOG3[15993:3083553520]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file: PEM lib
2008.12.17 20:02:45 LOG3[15993:3083553520]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C: PEM routines: PEM_read_bio:no start line
Googling suggests that this error probably means that the certificate file isn’t readable or in the wrong format (Well, it was originally created as a PEM file by TinyCA. I only changed the original filename but not the file extension). Also, supposedly stunnel expects the PEM file format.
BTW, I’ve also installed Webmin on this machine, which creates its own self-signed certificate for its own website. I’ve also tried exporting the certificate using Firefox (when browsing the website) and saving/renaming the certificate to the specified location, but without any difference.
Hoping anyone who has set up either TinyCA or stunnel before can spot any mis-steps I’ve made or suggest anything helpful.
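An added check (my own example, not code from the post, stunnel or TinyCA): stunnel reads both the certificate and the private key from the file its `cert =` option names unless `key =` points elsewhere, and OpenSSL reports `PEM_read_bio:no start line` when it reaches the end of the file without finding a `-----BEGIN ...-----` header of the type it is looking for. The script below lists the PEM blocks a file actually contains, so a certificate-only file (which is what a browser export or a CA's certificate view gives you) is told apart from a certificate-plus-key bundle; the sample PEM bodies are constructed placeholders and the file path is hypothetical.

```python
import re
import sys
from typing import Dict, List

# One PEM block: BEGIN label, body, END with the same label (CRLF tolerated).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Labels this check counts as a private key (a label-level check only).
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_block_labels(pem_text: str) -> List[str]:
    """Return the labels of the well-formed PEM blocks, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_stunnel_pem(pem_text: str) -> Dict[str, object]:
    """Report what stunnel's certificate/key loading would find in this file."""
    labels = pem_block_labels(pem_text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(label in PRIVATE_KEY_LABELS for label in labels)
    if has_cert and has_key:
        verdict = "ok: certificate and private key present"
    elif has_cert:
        verdict = ("no private key block: SSL_CTX_use_RSAPrivateKey_file "
                   "would fail with 'PEM_read_bio:no start line'")
    elif has_key:
        verdict = "no certificate block"
    else:
        verdict = "no PEM blocks found (DER/binary file or damaged headers)"
    return {"blocks": labels, "certificate": has_cert,
            "private_key": has_key, "verdict": verdict}


# Constructed sample files; the bodies are placeholders, not real key material.
CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIICONSTRUCTEDCERTIFICATEBODY000000000000000000000000000000000\n"
    "-----END CERTIFICATE-----\n"
)
CERT_AND_KEY = CERT_ONLY + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIICONSTRUCTEDKEYBODY0000000000000000000000000000000000000000\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python pem_check.py /etc/stunnel/stunnel.pem  (hypothetical path)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CERT_ONLY
    print(check_stunnel_pem(text)["verdict"])
```

Run against the file your `cert =` line names; if only `CERTIFICATE` is listed, append the matching unencrypted private key block to that file (or point `key =` at the key file) and restart stunnel.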