stunnel +SSL certificate unable to get local issuer certificate

fperal · April 19, 2021, 12:20am

Hi.

I was using stunnel with a self-signed certificate.
Recently a update of stunnel forbids self-signed certificates, so I bought a valid certificate from namecheap, to use it with apache an stunnel.

I have set in stunnel.conf


cert = /pathtomycertificate.crt 
key =  /[FONT=monospace]pathtomycertificate.key
[/FONT]

And Tested from a remote machine with fetchmail to get mail using POP3S.
It gets it but with a warning


[FONT=monospace]unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA 
fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about.  For details, please see the 
README.SSL-SERVER document that ships with fetchmail. 
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. Fo
r details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
unable to verify the first certificate 
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

[/FONT]
I have run c_rehash but id did not work.
As fethmail returns the fingerprint of the server, I have added a sslfingerprint option in .fetchmailrc and it stops complaining, so I can use it, but i would like to know what is going wrong. Do I need to add some certificate to /etc/ssl/certs in the client?

best regards

nrickert · April 19, 2021, 1:55am

I think it works if you put the key in “/usr/share/pki/trust/anchors” and then, as root, run “update-ca-certificates”.

arvidjaar · April 19, 2021, 7:12am

Which key are you talking about?

fperal:

unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA 
fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s)

Quoting stunnel documentation

The file should contain t**he whole certificate chain **starting from the actual server/client certificate, and ending with the ... **root CA certificate**.

Client certificates are normally signed with intermediate certificates which are refreshed rather frequently. To verify client certificate it is necessary to follow its chain up to root certificate. Either you need to manually install each intermediate certificate on fetchmail system or you should put full chain in stunnel configuration.

“Sectigo RSA Domain Validation Secure Server CA” is intermediate certificate used to sign domain name certificates. It itself is signed by “USERTrust RSA Certification Authority” which is present in the list of trusted root CA. You need both to verify certificate issued to you.

Recently a update of stunnel forbids self-signed certificates
Care to elaborate? I see nothing in stunnel documentation, rather it explicitly explains in several places how to use self-signed certificate.

fperal · April 19, 2021, 10:58am

I have changed to the old self-signed key and restarted stunnel. I don think the error is the same it was before (it was two months or more ago, and I have kept an old release of stunnel since then until now I have upgraded to the last version) but there is a error


2021-04-19T10:50:47.460944+02:00 tutatis stunnel[20870]:  ] Initializing inetd mode configuration 
2021-04-19T10:50:47.461196+02:00 tutatis stunnel[20870]:  ] Clients allowed=500 
2021-04-19T10:50:47.461375+02:00 tutatis stunnel[20870]: .] stunnel 5.57 on x86_64-suse-linux-gnu platform 
2021-04-19T10:50:47.461533+02:00 tutatis stunnel[20870]: .] Compiled/running with OpenSSL 1.1.1d  10 Sep 2019 
2021-04-19T10:50:47.461686+02:00 tutatis stunnel[20870]: .] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP 
2021-04-19T10:50:47.461861+02:00 tutatis stunnel[20870]:  ] errno: (*__errno_location ()) 
2021-04-19T10:50:47.462014+02:00 tutatis stunnel[20870]:  ] Initializing inetd mode configuration 
2021-04-19T10:50:47.462172+02:00 tutatis stunnel[20870]: .] Reading configuration from file /etc/stunnel/stunnel.conf 
2021-04-19T10:50:47.462310+02:00 tutatis stunnel[20870]: .] UTF-8 byte order mark not detected 
2021-04-19T10:50:47.462482+02:00 tutatis stunnel[20870]: .] FIPS mode disabled 
2021-04-19T10:50:47.462590+02:00 tutatis stunnel[20870]:  ] Compression disabled 
2021-04-19T10:50:47.462691+02:00 tutatis stunnel[20870]:  ] No PRNG seeding was required 
2021-04-19T10:50:47.462784+02:00 tutatis stunnel[20870]:  ] Initializing service [pop3s] 
2021-04-19T10:50:47.462875+02:00 tutatis stunnel[20870]:  ] stunnel default security level set: 2 
2021-04-19T10:50:47.462971+02:00 tutatis stunnel[20870]:  ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK 
2021-04-19T10:50:47.463062+02:00 tutatis stunnel[20870]:  ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 
2021-04-19T10:50:47.463155+02:00 tutatis stunnel[20870]:  ] TLS options: 0x02100004 (+0x00000000, -0x00000000) 
2021-04-19T10:50:47.463247+02:00 tutatis stunnel[20870]:  ] Loading certificate from file: /etc/stunnel/stunnel.pem 
2021-04-19T10:50:47.463336+02:00 tutatis stunnel[20870]: !] SSL_CTX_use_certificate_chain_file: ssl/ssl_rsa.c:310: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too
 small 
2021-04-19T10:50:47.463425+02:00 tutatis stunnel[20870]: !] Service [pop3s]: Failed to initialize TLS context 
2021-04-19T10:50:47.463521+02:00 tutatis stunnel[20870]: !] Configuration failed 
2021-04-19T10:50:47.463611+02:00 tutatis stunnel[20870]:  ] Deallocating temporary section defaults 
2021-04-19T10:50:47.463701+02:00 tutatis stunnel[20870]:  ] Deallocating section [pop3s]

And this is with the new keys


2021-04-19T10:53:01.047818+02:00 tutatis stunnel: LOG5[ui]: stunnel 5.57 on x86_64-suse-linux-gnu platform 
2021-04-19T10:53:01.048087+02:00 tutatis stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.1.1d  10 Sep 2019 
2021-04-19T10:53:01.048313+02:00 tutatis stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP 
2021-04-19T10:53:01.048495+02:00 tutatis stunnel: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf 
2021-04-19T10:53:01.048664+02:00 tutatis stunnel: LOG5[ui]: UTF-8 byte order mark not detected 
2021-04-19T10:53:01.048797+02:00 tutatis systemd[1]: Started TLS tunnel for network daemons. 
2021-04-19T10:53:01.049024+02:00 tutatis stunnel: LOG5[ui]: FIPS mode disabled 
2021-04-19T10:53:01.049120+02:00 tutatis stunnel: LOG5[ui]: Configuration successful 
2021-04-19T10:53:01.049215+02:00 tutatis stunnel: LOG5[ui]: Switched to chroot directory: /var/lib/stunnel/

arvidjaar · April 19, 2021, 1:58pm

fperal:


2021-04-19T10:50:47.463247+02:00 tutatis stunnel[20870]:  ] Loading certificate from file: /etc/stunnel/stunnel.pem 
2021-04-19T10:50:47.463336+02:00 tutatis stunnel[20870]: !] SSL_CTX_use_certificate_chain_file: ssl/ssl_rsa.c:310: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

It has nothing to do with self-signed. Use larger key size or configure OpenSSL to accept smaller keys.

Rabada · April 24, 2021, 7:35pm

How to secure your WordPress Multisite instance using SSL.

Simply put ssl stands for Secure Sockets Layer with the new standard called Transport Layer Security. So, what is it and why do you need/want to use it? Read on to learn all about SSL and WordPress multisite SSL
You can install SSL in your WordPress