Cert errors ....... need help!

Hi all,

I have taken over a stunnel install and all the clients' certs have expired. I have been trying for the past 2 days to get the new setup to work but no such luck. Here is the error I get on the server side, Linux Fedora Core 3, Stunnel 4.05:

2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from XXX.XXX.XXX.XX:1414
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): before/accept initialization
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read client hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write server hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate request A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 flush data
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal: certificate unknown
2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)

And here is the output on the client side:

005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7 31 Dec2002
2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1, /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXX/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have created the certs on both server and client according to the documents at http://www.stunnel.org/faq/openssl_stunnel_ServerClientAuth.txt. I have the cacert.pem file on the client side, and I have c_hashed the cert file on the server side. Do I need to put the c_hash of the server-side cert on the client as well? Is there something I have missed? Any ideas as to what I can check to see where the issue is? I am desperate; any help would be greatly appreciated.

Regards,
Richard Houston, R.L.H. Consulting
E-Mail <rhouston@rlhc.net>  WWW <www.rlhc.net>

Update: I have turned on debugging on the client side and have found the following errors:

2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER CERT/CN=XXXX/emailAddress=sysadminXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)

Any ideas?

Regards,
Richard Houston, R.L.H. Consulting
E-Mail <rhouston@rlhc.net>  WWW <www.rlhc.net>

Richard Houston said:
Hi all,
I have taken over a stunnel install and all the clients' certs have expired.
I have been trying for the past 2 days to get the new setup to work but no such luck.
Here is the error I get on the server side, Linux Fedora Core 3, Stunnel 4.05:
2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from XXX.XXX.XXX.XX:1414
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): before/accept initialization
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read client hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write server hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate request A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 flush data
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal: certificate unknown
2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
And here is the output on the client side:
005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7 31 Dec2002
2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1, /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXX/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I have created the certs on both server and client according to the documents at http://www.stunnel.org/faq/openssl_stunnel_ServerClientAuth.txt.
I have the cacert.pem file on the client side, and I have c_hashed the cert file on the server side. Do I need to put the c_hash of the server-side cert on the client as well?
Is there something I have missed? Any ideas as to what I can check to see where the issue is?
I am desperate; any help would be greatly appreciated.
Regards,
Richard Houston, R.L.H. Consulting
E-Mail <rhouston@rlhc.net>  WWW <www.rlhc.net>
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users

Hi Richard,

Verify=3 means the stunnel server checks the subject part of the client certificate, so you need to put each client certificate file on your stunnel server in a certain way. Try verify=2, which only checks the CA cert portion.

regards,
taka

On Thu, 17 Mar 2005 13:13:05 -0600 (CST), Richard Houston <rhouston@rlhc.net> wrote:
Update:
I have turned on debugging on the client side and have found the following errors:
2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER CERT/CN=XXXX/emailAddress=sysadminXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
Any ideas?
Regards,
Richard Houston, R.L.H. Consulting
E-Mail <rhouston@rlhc.net>  WWW <www.rlhc.net>

Hi there,

I tried dropping the client and server to verify=2 and still get the same issue. Still getting this error:

error=unable to get local issuer certificate:

Regards,
Richard Houston, R.L.H. Consulting
E-Mail <rhouston@rlhc.net>  WWW <www.rlhc.net>

ikeda@areabe said:
Hi Richard,
Verify=3 means the stunnel server checks the subject part of the client certificate, so you need to put each client certificate file on your stunnel server in a certain way.
Try verify=2, which only checks the CA cert portion.
regards,
taka
On Thu, 17 Mar 2005 13:13:05 -0600 (CST), Richard Houston <rhouston@rlhc.net> wrote:
Update:
I have turned on debugging on the client side and have found the following errors:
2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER CERT/CN=XXXX/emailAddress=sysadminXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
Any ideas?
Regards,
Richard Houston, R.L.H. Consulting
E-Mail <rhouston@rlhc.net>  WWW <www.rlhc.net>

Hi Richard,

On Thu, 17 Mar 2005, Richard Houston wrote:
I have taken over a stunnel install and all the clients' certs have expired.

I didn't read anywhere in your logs the certs had expired ;). Could you please send over the config of both your server and your client? It's probably something simple but it looks like you made errors in both configs.

Jan
--
http://www.surfnet.nl/organisatie/jame

Jan Meijer said:
Hi Richard,
On Thu, 17 Mar 2005, Richard Houston wrote:
I have taken over a stunnel install and all the clients' certs have expired.
I didn't read anywhere in your logs the certs had expired ;).
Could you please send over the config of both your server and your client? It's probably something simple but looks like you made errors in both configs.
Jan
Hi Jan,

I have replaced the keys already. These are new keys altogether. Here are the configs as requested:

Server:

cert = /etc/stunnel/server.pem
#chroot = /usr/local/var/run/stunnel/
# PID is created inside chroot jail
pid = /tmp/stunnel.pid
setuid = nobody
#setgid = nogroup
foreground = no
# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS
# Authentication stuff
verify = 333
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /etc/stunnel/certs
# or simply use CAfile instead:
CAfile = /etc/stunnel/cacert.pem
# Some debugging stuff
debug = 7
output = /var/log/stunnel.log
# Use it for client mode
#client = yes
# Service-level configuration
[school4]
accept = XX.XXX.XXX.XXX:443
connect = 10.10.10.12:23
TIMEOUTidle = 3600

Client:

CApath=c:\stunnel
#cert=c:\stunnel\traf-test.pem
client = yes
verify = 2
debug=7
[schools]
accept = 23
connect = XX.XXXX.XX.XX:443

Thanks for the help!

On Thu, 17 Mar 2005, Richard Houston wrote:
I have replaced the keys already. These are new keys altogether.

It's not the keys that are wrong, they're in the wrong places. The verify failure indicates just that: both server and client have problems verifying the authenticity of one another.

Now try this.

At the server side:
- change verify to '=2'

At the client side:
Make sure the client certificate is not commented out as it looks like in your config:

CApath=c:\stunnel
#cert=c:\stunnel\traf-test.pem

Without a certificate at the client side there's no way the client will ever authenticate to your 'verify = 2' server.

Secondly, remove the 'CApath' directive from your client configuration and add 'CAfile = /etc/stunnel/cacert.pem' to it. Do make sure you copy the cacert.pem to your client ;). I trust you did not include the private key of your CA in cacert.pem ;).

Let me know what happens.

Jan
--
http://www.surfnet.nl/organisatie/jame
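The three configuration points Jan raises (an out-of-range verify level, a client with its cert= line commented out, and a CApath that was never c_rehash'ed) can be checked mechanically before the next restart. The script below is an added example, not code from the thread or from the stunnel project. It reads only the global options (those before the first [service] section) of stunnel 4.x "key = value" files; the function names and the three sample configs it writes are constructed here to mirror the ones posted above, with made-up paths.

```shell
#!/bin/sh
# Added example, not code from the thread or from the stunnel project: a small lint
# for stunnel 4.x "key = value" files covering the points Jan raised, namely an
# invalid verify level, a client whose cert= line is commented out, and a CApath that
# holds no c_rehash-style <hash>.0 entries. Only global options (before the first
# [service] section) are examined. The sample configs below are constructed to
# mirror the ones posted in the thread; every path in them is made up.

# Print the value of global option $2 from file $1, or nothing if it is absent.
# A commented-out line ("#cert = ...") does not match, exactly as stunnel sees it.
conf_get() {
    sed -n '/^[[:space:]]*\[/q; s/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Lint file $1 for role $2 (server|client). Prints one finding per line and
# returns 1 if anything was found, 0 when the file looks consistent.
lint_stunnel_conf() {
    f=$1; role=$2; rc=0

    v=$(conf_get "$f" verify)
    case "$v" in
        ''|[0-3]) ;;
        *) echo "verify = $v: not a documented level (stunnel 4.x documents 1, 2 and 3)"
           rc=1 ;;
    esac

    if [ "$role" = client ] && [ -z "$(conf_get "$f" cert)" ]; then
        echo "cert: no active cert = line, so this client presents no certificate and a server with verify = 2 or 3 rejects it"
        rc=1
    fi

    p=$(conf_get "$f" CApath)
    if [ -n "$p" ] && [ -z "$(conf_get "$f" CAfile)" ]; then
        # OpenSSL (and therefore stunnel) finds CA certs in CApath only through the
        # <subject_hash>.0 names that c_rehash creates; an un-hashed directory is empty to it.
        if ! ls "$p" 2>/dev/null | grep -q '^[0-9a-f]\{8\}\.[0-9]$'; then
            echo "CApath = $p: no <hash>.0 entries found (directory missing here or c_rehash never run); CAfile = <cacert.pem> is the simpler choice"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample files: the two configs from the thread and a corrected client.
work=$(mktemp -d)
cat > "$work/server.conf" <<'EOF'
cert = /etc/stunnel/server.pem
verify = 333
CAfile = /etc/stunnel/cacert.pem
debug = 7
[school4]
accept = 443
connect = 192.0.2.12:23
EOF
cat > "$work/client.conf" <<'EOF'
CApath=c:\stunnel
#cert=c:\stunnel\traf-test.pem
client = yes
verify = 2
[schools]
accept = 23
connect = 192.0.2.10:443
EOF
cat > "$work/client-fixed.conf" <<'EOF'
cert = c:\stunnel\traf-test.pem
CAfile = c:\stunnel\cacert.pem
client = yes
verify = 2
[schools]
accept = 23
connect = 192.0.2.10:443
EOF
for f in server client client-fixed; do
    echo "== $f.conf"
    lint_stunnel_conf "$work/$f.conf" "${f%%-*}" && echo "   no findings"
done
```

Run it as `sh lint.sh`; the thread's server config yields one finding (verify = 333), the Windows client yields two (no active cert, un-hashed CApath), and the corrected client passes. Service-section options are deliberately ignored, so a cert= placed inside a [service] block has to be checked by hand.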

K, the errors are a bit different this time.....

Server:

2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): before/accept initialization
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 read client hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write server hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate request A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 flush data
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:58:00 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:58:00 LOG4[13122:3086949296]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=XXXX_XXXX_XXXX/CN=XXXXXXXXXX/emailAddress=sysadmin@XXXX
2005.03.17 13:58:00 LOG7[13122:3086949296]: SSL alert (write): fatal: bad certificate
2005.03.17 13:58:00 LOG3[13122:3086949296]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2005.03.17 13:58:00 LOG7[13122:3086949296]: school4 finished (0 left)

Client:

2005.03.17 13:02:46 LOG7[768:1148]: remote connect #1: EWOULDBLOCK: retrying
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=write
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:46 LOG7[768:1148]: remote connect #2: EINVAL: ok
2005.03.17 13:02:46 LOG7[768:1148]: Remote FD=688 initialized
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): before/connect initialization
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): SSLv3 write client hello A
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=read
2005.03.17 13:02:49 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXXXXXXXX/emailAddress=sysadmin@XXXXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)

What should I check next? Is it possible I screwed up making the certs? Thanks again for your continued help.

Regards,
Richard Houston, R.L.H. Consulting
E-Mail <rhouston@rlhc.net>  WWW <www.rlhc.net>

Jan Meijer said:
On Thu, 17 Mar 2005, Richard Houston wrote:
I have replaced the keys already. These are new keys altogether.
It's not the keys that are wrong, they're in the wrong places. The verify failure indicates just that: both server and client have problems verifying the authenticity of one another.
Now try this.
At the server side:
-change verify in '=2'
At the client side:
Make sure the client certificate is not commented out as it looks like in your config:
CApath=c:\stunnel #cert=c:\stunnel\traf-test.pem
Without a certificate at the client side there's no way the client will ever authenticate to your 'verify = 2' server.
Secondly, remove the 'CApath' directive from your client configuration and add 'CAfile = /etc/stunnel/cacert.pem' to it. Do make sure you copy the cacert.pem to your client ;).
I trust you did not include the private key of your CA in cacert.pem ;).
Let me know what happens.

Hi Richard, On Thu, 17 Mar 2005, Richard Houston wrote:
K, the errors are a bit different this time.....
2005.03.17 13:58:00 LOG4[13122:3086949296]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=XXXX_XXXX_XXXX/CN=XXXXXXXXXX/emailAddress=sysadmin@XXXX
This error states the server is unable to find the CA certificate that issued the client certificate. This client-error:
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXXXXXXXX/emailAddress=sysadmin@XXXXXXX
basically says the same. Just wondering: you *do* have a CA, right? Not that you definitely need one, that kinda depends on your setup. Point is that as you configured your setup with a CA, the client and server certificates need to be issued by that CA.

Jan
--
http://www.surfnet.nl/organisatie/jame
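Jan's diagnosis ("unable to get local issuer certificate" on both sides means neither peer can find the CA certificate that issued the other's certificate) and the earlier questions about c_rehash and about what belongs in cacert.pem can all be exercised with the openssl CLI alone, without stunnel in the loop. The script below is an added example, not code from the thread or from the stunnel project. It goes a little beyond the thread's exact case: it builds a CA and the two peer certificates the FAQ describes, verifies them the way stunnel's verify = 2 does, shows the exact failure text when the wrong CA is used, repeats the check through a hashed CApath directory (what c_rehash produces), and confirms the distributed cacert.pem carries no private key. It assumes openssl is on PATH; every function name, directory, file name and CN is made up here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the stunnel project. It rebuilds the
# FAQ's CA / server / client layout with the openssl CLI and checks the one relationship
# behind "unable to get local issuer certificate": every peer certificate must chain to
# the CA certificate that stunnel reads from CAfile (or from a c_rehash'ed CApath).
# Assumes openssl is on PATH; all directory, file and CN names below are made up.

# Create a self-signed CA in directory $1 with CN $2: ca.key stays on the CA machine,
# cacert.pem is the only file that should ever be copied to peers as CAfile.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" >/dev/null 2>&1
}

# Issue $2.pem (key in $2.key) for CN $3, signed by the CA living in directory $1.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$1/$2.csr" -CA "$1/cacert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.pem" >/dev/null 2>&1
}

# Verify leaf $3 against a trust store given as "-CAfile FILE" or "-CApath DIR"
# ($1 $2); this is the check stunnel's verify = 2 performs on the peer certificate.
# Echoes "OK" or openssl's reason text, such as "unable to get local issuer certificate".
verify_cert() {
    out=$(openssl verify "$1" "$2" "$3" 2>&1) || true
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
    esac
}

# What c_rehash does for one certificate: store $2 in directory $1 under <subject_hash>.0,
# the name OpenSSL looks up when CApath is used.
rehash_into() {
    cp "$2" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}

# The FAQ's cacert.pem must carry only the CA certificate; shipping the CA private key
# inside it would let every client issue its own "trusted" certificates.
bundle_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Demo: one real CA, one unrelated CA, and the two peer certificates.
work=$(mktemp -d)
mkdir "$work/other" "$work/capath"
make_ca "$work" "Demo School District CA"
make_ca "$work/other" "Unrelated CA"
issue_cert "$work" server "stunnel-server.example"
issue_cert "$work" client "school4"
rehash_into "$work/capath" "$work/cacert.pem"

echo "server cert vs CAfile       : $(verify_cert -CAfile "$work/cacert.pem" "$work/server.pem")"
echo "client cert vs CAfile       : $(verify_cert -CAfile "$work/cacert.pem" "$work/client.pem")"
echo "client cert vs wrong CAfile : $(verify_cert -CAfile "$work/other/cacert.pem" "$work/client.pem")"
echo "client cert vs hashed CApath: $(verify_cert -CApath "$work/capath" "$work/client.pem")"
bundle_has_no_private_key "$work/cacert.pem" && echo "cacert.pem contains no private key"
```

The "wrong CAfile" line reproduces, with plain openssl, the same error text stunnel logged on both sides; pointing verify_cert at the real server.pem and cacert.pem from a deployment gives the same answer without a single TLS handshake. The hashed-CApath line is the layout stunnel needs for CApath (and for verify = 3, where the peer certificate itself is looked up the same way), which is why CAfile is the simpler choice on a Windows client that never ran c_rehash.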
participants (3): ikeda@areabe, Jan Meijer, Richard Houston