
stunnel?

  • 02-04-2011 5:22pm
    #1
    Closed Accounts Posts: 1,650 ✭✭✭


    I am trying to use stunnel to get an old mail server, that doesn't do SSL for POP, to connect to gmail. It's on Windows 2000.

    I had it working with the provided test pem file but after reinstalling the service to fix another issue it stopped working.

    The error is:

    2011.04.01 23:21:42 LOG3[1492:2412]: Error reading certificate file: stunnel.pem
    2011.04.01 23:21:42 LOG3[1492:2412]: error queue: 140DC009 : error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
    2011.04.01 23:21:42 LOG3[1492:2412]: SSL_CTX_use_certificate_chain_file: 906D066: error:0906D066:PEM routines:PEM_read_bio:bad end line
    2011.04.01 23:21:42 LOG3[1492:1872]: local socket: Interrupted system call (WSAEINTR) (10004)
    2011.04.01 23:21:42 LOG3[1492:1872]: accept: Interrupted system call (WSAEINTR) (10004)

    I suspect the issue might be the formatting of the pem file.

    Anyone encounter this error or have any ideas?

    Also, did anyone successfully build their own pem file (in Windows)? I am running stunnel\openssl\ce\build.bat but don't see the result.

    Thanks.


Comments

  • Posts: 4,630 ✭✭✭ [Deleted User]


    You can just create a new certificate, replacing the one that you have.

    Open openssl.exe and type:
    req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

    Or set the days to 3650, or whatever. Replace the old stunnel.pem cert with your new one, then restart stunnel. That should solve any issues with the cert.

    If you haven't the standalone openssl package installed you should download it to C:. You'll then find openssl.exe in the C:\openssl\bin folder.


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    That worked for creating the new pem file.

    Still having problems getting stunnel to read it.

    Stunnel says:
    There should be also empty lines after certificate and private key. Plaintext certificate information appended on the top of generated certificate should be discarded. So the file should look like this:


    BEGIN RSA PRIVATE KEY
    [encoded key]
    END RSA PRIVATE KEY
    [empty line]
    BEGIN CERTIFICATE
    [encoded certificate]
    END CERTIFICATE
    [empty line]
    Unless this formatting is done stunnel will not read the file. After I do the formatting, I get the error in my OP.

    Unformatted, newly created pem file:

    153824.gif

    Edited to required format:

    153825.gif

    I have tried with the arrowed characters above included and excluded. Are these new lines?


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    The formatting issue occurs in notepad, not in wordpad.

    In wordpad, the pem file is "clean" with the familiar lines of characters and a clear beginning and end for the key and the cert. In notepad, everything is in a single line of text with the added end-of-line chars.

    So, I don't do anything to the pem file, load stunnel, but it does not read the pem file. When I open the file to create the two blank lines as per the instructions and save, Wordpad warns me that I'm saving in text only and that all formatting will be lost. Does this matter?

    I'm stumped now, there's not a lot to it so don't know what I'm doing wrong. We're meant to be porting to gmail on Monday. Won't be happening if this isn't sorted.


  • Registered Users Posts: 3,565 ✭✭✭swampgas


    Just a wild guess here - but is the stunnel pem file supposed to be in Unix format?

    If you use something like Notepad++ (freebie) to edit the file as required, then save it in Unix format, maybe that will work.

    From what I gather after a quick google, you may only need a blank line at the end:
    -----BEGIN RSA PRIVATE KEY-----
    [encoded key]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [encoded certificate]
    -----END CERTIFICATE-----
    [empty line] 
    

    Might be worth a shot ...

    Note: Notepad++ hides the file format menu in "Edit > EOL Conversion"


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    Cheers for the suggestions. Didn't work unfortunately.

    This is the command to create the key from the stunnel how-to:

    req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

    I left out the -config switch as this was giving an error and got the same error again when I copied stunnel.cnf to the same directory. Using this command I get BEGIN PRIVATE KEY/END PRIVATE KEY not BEGIN RSA PRIVATE KEY/END RSA PRIVATE KEY. Might this be the problem? Will start again with JammyDodger's and Stunnel's commands.

    EDIT: JammyDodger, when I run your command the pem file does not have a private key, just the cert!


  • Registered Users Posts: 3,565 ✭✭✭swampgas


    Maybe try this:
    req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.key -out mycert.pem
    

    Then combine the two output files manually.
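
A format check for the combined stunnel.pem discussed in this thread, as an added example that is not part of any post and is not stunnel or OpenSSL code. It reports the line-ending convention and flags boundary lines without the five-dash markers, mismatched BEGIN/END labels, text outside the blocks, and a missing key or certificate block; the function names and sample data are constructed for illustration.

```python
import re

BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def line_endings(data: bytes) -> str:
    """Name the line-ending convention used in the file."""
    crlf = data.count(b"\r\n")
    kinds = {"CRLF": crlf, "LF": data.count(b"\n") - crlf,
             "CR": data.count(b"\r") - crlf}
    used = [name for name, count in kinds.items() if count]
    return used[0] if len(used) == 1 else ("mixed" if used else "none")

def check_pem(data: bytes) -> list:
    """Return findings for a combined key + certificate PEM file."""
    findings = []
    if line_endings(data) == "mixed":
        findings.append("mixed line endings")
    if not data.endswith(b"\n"):
        findings.append("no newline after the last line")
    labels, open_label = [], None
    for n, line in enumerate(data.decode("ascii", "replace").splitlines(), 1):
        m = BOUNDARY.match(line)
        if m is None:
            # Base64 never contains a space, so "BEGIN "/"END " marks a boundary.
            if re.search(r"\b(BEGIN|END) ", line):
                findings.append(f"line {n}: malformed boundary {line!r}")
            elif open_label is None and line.strip():
                findings.append(f"line {n}: text outside any PEM block")
        elif m.group(1) == "BEGIN":
            open_label = m.group(2)
            labels.append(open_label)
        else:
            if m.group(2) != open_label:
                findings.append(f"line {n}: END {m.group(2)} does not match BEGIN {open_label}")
            open_label = None
    if open_label is not None:
        findings.append(f"BEGIN {open_label} is never closed")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate block")
    return findings

# Constructed samples; the base64 bodies are placeholders, not real keys.
GOOD = (b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n\n"
        b"-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n\n")
CERT_ONLY = b"-----BEGIN CERTIFICATE-----\r\nREVG\r\n-----END CERTIFICATE-----"
NO_DASHES = b"BEGIN RSA PRIVATE KEY\nQUJD\nEND RSA PRIVATE KEY\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("CERT_ONLY", CERT_ONLY), ("NO_DASHES", NO_DASHES)):
        print(name, line_endings(sample), check_pem(sample))
```

To check a real file, pass `open("stunnel.pem", "rb").read()` to both functions; reading in binary mode keeps the original line endings visible.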

