STunnel & SSL

SillyNoodlz
Joined: 18 Oct 2005
Posts: 40
Location: France

PostPosted: Wed Nov 09, 2005 11:58 am    Post subject: STunnel & SSL

Hi,

Ok, I tried searching the forum, but I couldn't find what I wanted quickly.

I've installed STunnel with the help of the tutorial on trustabyss.com, which was fairly easy.

I now have it working, and my pages work in https:// with no problem.

BUT ... I used that free SSL certificate thingy you can make on stunnel.org/pem

Whenever I view a page using SSL, it comes up with the following:



If I click on yes, it works fine.

So, the question is, how can I get rid of this message/alert thingy?

I assume that I need to get a "proper" certificate.

If that's the case, can I make one? If so, how, and where?
If not, where and how do I get one easily (without spending a fortune)?
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Wed Nov 09, 2005 12:42 pm

You can't make a 'proper' certificate. The whole point is that the certificate is generated by a trusted authority who are responsible for issuing certificates - you have to pay them to give you a certificate. The cost covers them running servers against which certificates can be verified etc...

The cheaper services you find selling SSL certificates are more likely to cause problems as people's browsers will not already be updated to recognise root certificates / certificate authorities. The borderline price seems to be around $50 for a certificate - I don't know whether you consider this a fortune or not. You can either cough up or live with the security warning...

Edit: After a quick look around, Registerfly doesn't sound too bad...

http://registerfly.com/ssl/

$15-25 for their starter certificates...

You can also get a free certificate from CACert, but it will require users to update their browsers' root certificate store, as I mentioned above.

http://www.cacert.org/index.php
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."


Last edited by Anonymoose on Wed Nov 09, 2005 1:28 pm; edited 1 time in total
SillyNoodlz
Joined: 18 Oct 2005
Posts: 40
Location: France

PostPosted: Wed Nov 09, 2005 12:57 pm

$50 isn't excessive, just when I looked around, prices seemed to go between $15 and $850!

I'll have a look into that site and let you know how I get on ...

Thanks for your reply anyway ... :-)
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com
SillyNoodlz
Joined: 18 Oct 2005
Posts: 40
Location: France

PostPosted: Wed Nov 09, 2005 6:44 pm

Ok ... got so far ... :-/

Could somebody please explain how I make a CSR ?

It gives me various options, none of which I understand, really, and none of which are Abyss or STunnel (not surprising).

registerfly.com wrote:
Generating a CSR

Apache + ApacheSSL
Apache + MODSSL
Apache + Raven
Apache +SSLeay
Apache 2
C2Net Stronghold
Cobalt RaQ3/RaQ4/XTR
Ensim
IBM HTTP
IBM Domino Go 4.6.2.6+
iPlanet Enterprise Server 4.1
Jakarta-Tomcat
Lotus Domino 4.6
Lotus Domino 5.0.x
Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0
Netscape Enterprise 3.51
O'Reilly WebSite Professional 2.x
Plesk
Weblogic 5
WebSTAR 4
Zeus Web Server v3

https://registerfly.com/ssl/cert.php

_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com
SillyNoodlz
Joined: 18 Oct 2005
Posts: 40
Location: France

PostPosted: Thu Nov 10, 2005 12:14 am

Ok, after a lot of pissing about, I got there ... :-)

https://host.danzserv.com/test/ssl/

And it only cost me $15,99 and a few hours of head scratching.

Now, is it possible to do the same for my other sites ... hmmm ...
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Thu Nov 10, 2005 1:57 am

Perfect! I think that's the first time anyone's done this with Abyss & STunnel... Congratulations!

Maybe you could add here the information about how you generated the CSR so it can be added to the TrustAbyss tutorial?
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
SillyNoodlz
Joined: 18 Oct 2005
Posts: 40
Location: France

PostPosted: Thu Nov 10, 2005 2:03 am

Anonymoose wrote:
the first time anyone's done this with Abyss & STunnel

Really? lol ...
Anonymoose wrote:
Maybe you could add here the information about how you generated the CSR

Sure. I'll get it done tomorrow (it's 2am now, work at 9, lol) ...
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com
richardyork
Joined: 22 Jun 2004
Posts: 410
Location: United Kingdom

PostPosted: Thu Nov 10, 2005 8:12 am

Brilliant!

Like anonymoose said, hope to see a tutorial ;-)
_________________
Please SEARCH the forums BEFORE asking questions!
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Thu Nov 10, 2005 9:21 am

DanzServ wrote:
Anonymoose wrote:
the first time anyone's done this with Abyss & STunnel

Really? lol ...


It's definitely the first mention I've seen on the forum of anyone using a real signed SSL certificate since I first put together the original tutorial...
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Thu Dec 15, 2005 4:33 am    Post subject: Final SSL Help requested!!

Like Silly Noodlz, I too have gotten STunnel running with OpenSSL. I created a private key, generated the CSR...

Submitted that to GoDaddy.com for my $29 cert and got my cert!

Now, here's the only problem:

How do I install the intermediate cert and the main cert???

Nowhere in the OpenSSL docs (as limited as they are) does it say??? Abyss doesn't presently support SSL, so I'm not quite sure how to install these shiny new files that I just bought??

HELP!!!!!!!

And thank you!
TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

PostPosted: Thu Dec 15, 2005 5:48 am

You will need to contact the STunnel people about that issue.

http://www.stunnel.org
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Thu Dec 15, 2005 1:36 pm    Post subject: Will do

I will do that, thank you!
aprelium
Joined: 22 Mar 2002
Posts: 6800

PostPosted: Thu Dec 15, 2005 2:05 pm    Post subject: Re: Final SSL Help requested!!

ddd admin wrote:
How do I install the intermediate cert and the main cert???

Nowhere in the OpenSSL docs (as limited as they are) does it say???


As far as we know, you'll have to merge all the certificates that GoDaddy gave you like this (of course, work on copies, not on the originals):

* Create a file called mycert.crt and open it with NotePad.
* First, copy GoDaddy's root certificate into it. It is valicert_class2_root.crt (open this also with NotePad). If you do not have that file, download it from https://certificates.godaddy.com/Repository.go .
* Append to it the intermediate certificate. It is in sf_issuing.crt (also available from https://certificates.godaddy.com/Repository.go ).
* Then copy in the certificate GoDaddy generated for you.
* Save and close mycert.crt.

Configure STunnel to use mycert.crt as your certificate file.

Your file should look like this:

Code:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEQTCCA6qgAwIBAgICAQQwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh
bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIElu
Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g
QXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAe
BgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDExNDIxMDUyMVoX
DTI0MDEwOTIxMDUyMVowgewxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25h
MRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5v
bG9naWVzLCBJbmMuMTAwLgYDVQQLEydodHRwOi8vd3d3LnN0YXJmaWVsZHRlY2gu
Y29tL3JlcG9zaXRvcnkxMTAvBgNVBAMTKFN0YXJmaWVsZCBTZWN1cmUgQ2VydGlm
aWNhdGlvbiBBdXRob3JpdHkxKjAoBgkqhkiG9w0BCQEWG3ByYWN0aWNlc0BzdGFy
ZmllbGR0ZWNoLmNvbTCBnTANBgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEA2xFDa9zR
aXhZSehudBQIdBFsfrcqqCLYQjx6z59QskaupmcaIyK+D7M0+6yskKpbKMJw9raK
gCrgm5xS4JGocqAW4cROfREJs5651POyUMRtSAi9vCqXDG2jimo8ms9KNNwe3upa
JsChooKpSvuGIhKQOrKC1JKRn6lFn8Ok2/sCAQOjggEhMIIBHTAMBgNVHRMEBTAD
AQH/MAsGA1UdDwQEAwIBBjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vY2VydGlm
aWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkvcm9vdC5jcmwwTwYD
VR0gBEgwRjBEBgtghkgBhvhFAQcXAzA1MDMGCCsGAQUFBwIBFidodHRwOi8vd3d3
LnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkwOQYIKwYBBQUHAQEELTArMCkG
CCsGAQUFBzABhh1odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNoLmNvbTAdBgNVHQ4E
FgQUrFXet+oT6/yYaOJTYB7xJT6M7ucwCQYDVR0jBAIwADANBgkqhkiG9w0BAQUF
AAOBgQB+HJi+rQONJYXufJCIIiv+J/RCsux/tfxyaAWkfZHvKNF9IDk7eQg3aBhS
1Y8D0olPHhHR6aV0S/xfZ2WEcYR4WbfWydfXkzXmE6uUPI6TQImMwNfy5wdS0XCP
mIzroG3RNlOQoI8WMB7ew79/RqWVKvnI3jvbd/TyMrEzYaIwNQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YOUR CERTIFICATE CONTENTS SHOULD GO HERE
-----END CERTIFICATE-----


The first two certificates between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are GoDaddy's root and intermediate certificates.
_________________
Support Team
Aprelium - http://www.aprelium.com
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Thu Dec 15, 2005 8:48 pm    Post subject: Great!!

Thank you VERY much, I completely understand your instructions and I created the new file as you indicated. My new cert (called mycert.crt) contains the following information, in this order:

valicert_class2_root.cer
sf_issuing.crt
mywebsite.com.crt

Obviously I'm just referencing the names of the files, the actual content in between the:
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
is there as you had indicated in your example.


Unfortunately, now the Stunnel server won't start. This is the error it comes back with:

2005.12.15 14:23:08 LOG5[2116:2120]: stunnel 4.14 on x86-pc-mingw32-gnu WIN32+SELECT+IPv6 with OpenSSL 0.9.7i 14 Oct 2005
2005.12.15 14:23:08 LOG3[2116:2124]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2005.12.15 14:23:08 LOG3[2116:2124]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

2005.12.15 14:23:08 LOG3[2116:2124]: Server is down


I looked in the original "cert" file that came with STunnel (which is called stunnel.pem) and the context of the contents there followed this format:

-----BEGIN RSA PRIVATE KEY-----
encrypted information...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
encrypted information...
-----END CERTIFICATE-----

Is there a reason that the stunnel.pem file had a begin and end RSA private key? And is that the reason that this new cert isn't working (since it now has 3 sections, all of which begin and end for certificates, not RSA private keys)?? Also, just to be sure, I created my new cert using the "stunnel.pem" file name and repointed the stunnel.conf file there, but that didn't work either.

Any ideas or suggestions?? I'm sure it must be something simple??

Thank you all again.
aprelium
Joined: 22 Mar 2002
Posts: 6800

PostPosted: Fri Dec 16, 2005 3:50 pm    Post subject: Re: Great!!

ddd admin,

It looks like STunnel expects the key to also be in the "certificate" file. So all you have to do is insert it before the certificates.

Your file should now look like the following:

Code:
-----BEGIN RSA PRIVATE KEY-----
COPY HERE YOUR PRIVATE KEY INFORMATION... IT IS THE KEY USED TO GENERATE THE CSR.
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YOUR CERTIFICATE CONTENTS SHOULD GO HERE
-----END CERTIFICATE-----


Does it work now?
_________________
Support Team
Aprelium - http://www.aprelium.com
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Tue Dec 20, 2005 12:33 am    Post subject: Unfortunately...

It still does not work??

I have created the file, just as you laid out in your prior post; however, now it is generating a different error message:

2005.12.19 18:27:10 LOG5[7800:4480]: stunnel 4.14 on x86-pc-mingw32-gnu WIN32+SELECT+IPv6 with OpenSSL 0.9.7i 14 Oct 2005
2005.12.19 18:27:10 LOG3[7800:7956]: SSL_CTX_use_RSAPrivateKey_file: B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

2005.12.19 18:27:10 LOG3[7800:7956]: Server is down

I know it has to be something simple, I'm just not sure where to look to fix it. I compared the temporary cert I created from the openssl website and it just has the RSA code and then the cert code in it. My new file now has the RSA code followed by the code from the valicert root, the sf issuing cert and finally my new cert in this format:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

I have read on the Stunnel site that I needed a space between the RSA key and the cert(s)...that didn't work. I also tried creating a .PEM file that just contained the RSA key and the goDaddy cert so it followed the format of the temp one I have that does work...but no luck there either??

My guess is that the RSA key somehow needs to be linked or created from(?) the goDaddy cert, but I have no clue how to do that?

Can you suggest something else??
aprelium
Joined: 22 Mar 2002
Posts: 6800

PostPosted: Tue Dec 20, 2005 4:29 pm    Post subject: Re: Unfortunately...

ddd admin,

The error is related to mismatched keys:

Code:
2005.12.19 18:27:10 LOG3[7800:7956]: SSL_CTX_use_RSAPrivateKey_file: B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


Are you sure you've copied in the file the key you've used to generate your CSR?
_________________
Support Team
Aprelium - http://www.aprelium.com
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Tue Dec 20, 2005 9:58 pm

No, I didn't copy the file in that I used to create the CSR, I created a new RSA key. The original .PEM file from Stunnel had a RSA key as well as the cert information in it. If I include the info used to create the CSR, that won't be a RSA key???
aprelium
Joined: 22 Mar 2002
Posts: 6800

PostPosted: Wed Dec 21, 2005 12:54 pm

ddd admin,

STunnel must have your certificate and your private key in order to encrypt data. Both must match, which means that the private key must be the same one that generated the CSR which has been used by GoDaddy to generate your certificate.

You cannot use any combination of keys and certificates.

You said:
Quote:
If I include the info used to create the CSR, that won't be a RSA key???


Can you explain that to us? The key can be RSA or DSA. But in all cases, you should put your key there (open the key file and copy it with its headers and trailers).
_________________
Support Team
Aprelium - http://www.aprelium.com
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Thu Dec 22, 2005 6:03 am    Post subject: Great news!

It's working...but not without a ton of effort (and help from Aprelium!). Here's what it took:

* Recreated the RSA key to generate the CSR (the key MUST be unencrypted)
* Resubmitted the CSR for a new cert.
* Pasted the RSA key that made the CSR into the stunnel.pem document followed by a CR
* Pasted the root cert into the stunnel.pem document followed by a CR
* Edited the stunnel.conf file as such: CAfile = valicert_class2_root.cer

It all works fine now. Except one thing, LOL...

When I try and create a new host on the server and tell it to listen on port 443, it won't start (generates a "listening error")??

Do I now have the web server app configured wrong??
aprelium
Joined: 22 Mar 2002
Posts: 6800

PostPosted: Thu Dec 22, 2005 12:56 pm    Post subject: Re: Great news!

ddd admin wrote:
When I try and create a new host on the server and tell it to listen on port 443, it won't start (generates a "listening error")??

Do I now have the web server app configured wrong??

STunnel is listening on port 443 and will forward any connection it receives to the web server on port 80.
So leave the web port of Abyss set to 80 and check that STunnel is configured to listen on port 443 and forward to port 80.
_________________
Support Team
Aprelium - http://www.aprelium.com
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Thu Dec 22, 2005 1:55 pm

I figured that out after the post, but thank you for all your help! Please keep all of us posted on your progress with the SSL version of the application, I'm sure it has to be MUCH simpler to set up than what I've gone through with Stunnel and openssl :)
aprelium
Joined: 22 Mar 2002
Posts: 6800

PostPosted: Fri Dec 23, 2005 1:25 pm

ddd admin,

You're welcome. :-)
_________________
Support Team
Aprelium - http://www.aprelium.com
gray
Joined: 15 Aug 2003
Posts: 13

PostPosted: Mon Feb 06, 2006 7:09 pm    Post subject: private key and CSR

Good to see someone got it working O.K., but can anyone tell me how to generate my PRIVATE KEY and CSR? I've got SSL working fine with a key from stunnel but I want to get a proper valid one.
ddd admin
Joined: 15 Dec 2005
Posts: 10

PostPosted: Tue Feb 07, 2006 4:15 am

In order for everything to work properly, you HAVE to have it right from the beginning, in other words, it's all linked together.

The privkey.pem file that came with openssl (the one you probably used to create your csr or cert) won't work for your site. Read through the materials at openssl or at the stunnel site; one of them gives the command that you need to use within openssl.exe to create a new RSA key (that's the file called privkey.pem). You can also go through the help function within openssl.exe to get assistance. Make SURE you set all the parameters correctly when you create the RSA key, and that you remember the information you entered.
Once you have that key, you will use it to create your CSR. You don't have to call it privkey.pem, you can name it yourkey.pem or whatever. Again, when you make the CSR, make certain that your information is exact with what corresponds in the key. Once you've done that, you can submit the CSR to a GoDaddy or Verisign or whomever if you want to purchase your cert. Or you can create a self signed cert from the CSR as well.

I would suggest you read through the thread here because once you have your cert, Aprelium is right in that you have to create a new file that includes the key, the CA and the cert in the format that they indicated.

It's not a lot of fun going through all this, but it is cool when you finally get everything working. I ended up swapping my phpbb over to port 443 and running it SSL which (of course) created a wealth of other issues...but that's another post!

Good luck
gray
Joined: 15 Aug 2003
Posts: 13

PostPosted: Tue Feb 07, 2006 4:24 pm    Post subject: certificates

Thanks for that bit of help. I've eventually managed to create RSA and CSR files and tried a couple of free certificates from Verisign etc. They work, but of course when browsed they come up with warnings ... so I've paid Litessl and they've sent me 4 certificates! I've created a Stunnel.pem file with all 4 certs one after the other. Now I can open https:// pages but the padlock doesn't show! The 4 certs are mysite.crt, AddTrustUTNServerCA.crt, LiteSSLCA.crt and UTN-USERFirst-Hardware.crt. What am I doing wrong? Do I have to name the certs in the conf file or something? Or put them in a different order? Or somewhere else on the server machine? Any help is much appreciated....
gray
Joined: 15 Aug 2003
Posts: 13

PostPosted: Tue Feb 07, 2006 4:49 pm    Post subject: strange !!!

Well, I'll add to my last post.... It is working, but the padlock only shows on some pages and not on others. Very strange: I can access all pages through https:// but some don't show as secure.... I can't see any logical reason. I thought it might be pages with outside links that aren't secure, but it's not that; it's not even just pages inside folders.... Some of them are secure, some not... My sites are at https://a1uk.net if anyone wants to take a look. I'd be interested in any ideas to solve this anomaly ... cheers....
gray
Joined: 15 Aug 2003
Posts: 13

PostPosted: Tue Feb 07, 2006 5:13 pm    Post subject: oops....

I think I'm too good at solving my own problems l.o.l. It seems that pages with active outside links to non-secure sites will cause the padlock not to show... so anyone using SSL should take this into account when creating pages.
ccs
Joined: 02 Apr 2005
Posts: 101

PostPosted: Sun Apr 09, 2006 7:39 am    Post subject: Aaaarrrrggggg

Ok, I've spent the better part of 12 hours trying to get Abyss and sTunnel to work. I have ONE site that needs SSL. I've installed sTunnel and it works fine with the "default" certificate but of course I need my purchased cert for this site, not a made-up one.

I've installed SSL on Apache and Sambar in the past. Together I don't think I spent 10 minutes.

I really don't want to give up on Abyss, but it seems like I keep hitting brick walls. Is it really this hard to make a decent web server with all the necessary components to run a business site??????

Before I toss in the towel and go back to Sambar AGAIN, is there anyone out there who can tell me, in simple English, step-by-step, exactly how to take a previously purchased (and working) SSL certificate and use it with Abyss?

Thank you in advance for ANY and all assistance.
gray
Joined: 15 Aug 2003
Posts: 13

PostPosted: Sun Apr 09, 2006 10:51 am    Post subject: stunnel

Well, the only prob I had was getting the cert to work, but in the end it was just a matter of installing Stunnel on the server machine, putting the certs together in a file and naming the file stunnel.pem, then accessing the sites via https://. There's no actual connection between Stunnel and Abyss. The only thing I don't like is that all connections via https:// show as 127.0.0.1 IP, but apart from that it works fine; hope this helps. By the way, the Stunnel.conf file simply reads:

Code:
[web]
accept=443
connect=80

Also, it's important that the cert is created for the correct URL etc.
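The whole procedure this thread circles around (generate an unencrypted private key and CSR as gray asks and ddd admin describes, assemble the single PEM file that Aprelium's instructions and gray's stunnel.conf rely on, then check it before starting stunnel), as an added end-to-end example that is not code from the thread, from Aprelium or from stunnel; it also builds the bundles that produced the "no start line" and "key values mismatch" errors posted above, plus a root-first bundle, to show what each check reports and which certificate stunnel would actually serve. It assumes openssl is on the PATH; the locally generated root and intermediate CA stand in for the commercial CA, and every name, path and function here (example.test, stunnel.pem, [web], the check functions) is an assumption rather than a value from the page.

```shell
#!/bin/sh
# Added example: key + CSR generation, then a stunnel PEM bundle with checks.
# Not code from the thread, Aprelium or stunnel. The local root/intermediate CA
# stands in for the commercial CA; all names and paths are assumptions.
set -eu
WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"

# Minimal config so the script does not depend on a system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Stand-in CA hierarchy (root -> intermediate), playing the vendor's part.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Example Test Root CA" -config "$CFG" -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Test Intermediate CA" \
    -config "$CFG" 2>/dev/null
openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$CFG" \
    -extensions v3_ca -out "$WORK/int.crt" 2>/dev/null

# The part the thread asks about: an UNENCRYPTED private key (no -aes256 or
# -des3 option) and a CSR made from that same key. This exact key must later
# go into stunnel.pem, or OpenSSL reports "key values mismatch".
openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null
openssl req -new -key "$WORK/site.key" -out "$WORK/site.csr" \
    -subj "/CN=www.example.test" -config "$CFG" 2>/dev/null
# The CA signs the CSR and returns the certificate (here: the stand-in CA).
openssl x509 -req -sha256 -days 30 -in "$WORK/site.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$CFG" \
    -extensions v3_leaf -out "$WORK/site.crt" 2>/dev/null

# stunnel hands cert= to OpenSSL's chain-file loader, which takes the FIRST
# certificate in the file as the server certificate and the rest as its chain.
# Order therefore: private key, site certificate, intermediate(s). The root is
# optional: browsers already hold it in their trust store.
cat "$WORK/site.key" "$WORK/site.crt" "$WORK/int.crt" > "$WORK/stunnel.pem"
printf 'cert = %s\n\n[web]\naccept = 443\nconnect = 80\n' \
    "$WORK/stunnel.pem" > "$WORK/stunnel.conf"

# Three deliberately broken bundles reproducing problems seen in the thread.
cat "$WORK/site.crt" "$WORK/int.crt" > "$WORK/nokey.pem"      # no key section
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null       # a different key
cat "$WORK/other.key" "$WORK/site.crt" "$WORK/int.crt" > "$WORK/mismatch.pem"
cat "$WORK/site.key" "$WORK/root.crt" "$WORK/int.crt" "$WORK/site.crt" \
    > "$WORK/rootfirst.pem"                                   # root listed first

# PEM section helpers; no line anchors so CRLF files from Windows still match.
key_section()   { sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1"; }
cert_sections() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"; }
first_cert()    { awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p)exit}' "$1"; }

# Is there a parseable private key at all? (missing -> PEM "no start line")
bundle_has_key() { key_section "$1" | openssl pkey -noout 2>/dev/null; }

# Does the key belong to the certificate stunnel will serve? Compares the
# public key derived from the private key with the one in the certificate.
key_matches_cert() {
    k=$(key_section "$1" | openssl pkey -pubout 2>/dev/null) || return 1
    c=$(first_cert "$1" | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject of the certificate stunnel would actually present from this bundle.
first_cert_subject() { first_cert "$1" | openssl x509 -noout -subject 2>/dev/null; }

# Does the served certificate chain to the root using only what the bundle has?
chain_verifies() {
    first_cert "$1" > "$WORK/served.crt"
    cert_sections "$1" > "$WORK/chain.crt"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.crt" \
        "$WORK/served.crt" >/dev/null 2>&1
}

report() { if "$1" "$2"; then echo "PASS $1 $(basename "$2")"; else echo "FAIL $1 $(basename "$2")"; fi; }
for f in stunnel.pem nokey.pem mismatch.pem rootfirst.pem; do
    report bundle_has_key   "$WORK/$f"
    report key_matches_cert "$WORK/$f"
    report chain_verifies   "$WORK/$f"
    echo "     would serve: $(first_cert_subject "$WORK/$f")"
done
echo "Generated files are in $WORK"
```

The root-first bundle passes the chain check yet fails the key check, because the certificate OpenSSL picks first is the root, not the site's; only stunnel.pem passes all three.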
aprelium
Joined: 22 Mar 2002
Posts: 6800

PostPosted: Sun Apr 09, 2006 1:07 pm    Post subject: Re: Aaaarrrrggggg

ccs,

The problem you have is with STunnel needing all the certificates in one file. Refer to our exchange with ddd admin above in this thread. He experienced a similar problem.

How many certificate files do you have? From which company have you bought your SSL certificate?
_________________
Support Team
Aprelium - http://www.aprelium.com
ccs
Joined: 02 Apr 2005
Posts: 101

PostPosted: Sun Apr 09, 2006 8:25 pm

Quote:

The problem you have is with STunnel needing all the certificates in one file. Refer to our exchange with ddd admin above in this thread. He experienced a similar problem

Well, it may be "only" but I've spent 12+ hours trying to get it to work with no luck at all. The reason I posted here was because I had gone through the above dialog over and over and over and over again.

I have 1 server, 1 domain, 1 certificate purchased through GoDaddy for the correct url/domain. With Apache and Sambar, the process takes 3-5 mouse clicks and less than 5 minutes start to finish.

I'll admit that SSL is not my strong point and I don't fully understand all the terminology used, but I'm not an idiot either :) I have copy and pasted everything that I understand needs to be done from the dialog above, but now sTunnel doesn't run and I'm stuck with an irate customer complaining that they want both SSL and FireFox support. I really can't argue with his logic.

So what I'm hoping for, is a fairly easy to follow direction how I go about taking my commercial SSL certificate and get sTunnel (or ANY add-on product) to work so I can secure my e-commerce pages hosted on an Abyss server.

TIA
admin
Site Admin
Joined: 03 Mar 2002
Posts: 1295

PostPosted: Sun Apr 09, 2006 9:53 pm

ccs,

All we can find in your message is "it does not work". Could you please explain to us in more detail how it is behaving? Is STunnel reporting an error message? If so, what is it exactly?

Of course, you can contact our technical support if you want us to check the certificate files and the way you've assembled them in a single file.

Thanks.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com
ccs
Joined: 02 Apr 2005
Posts: 101

PostPosted: Mon Apr 10, 2006 12:44 am

Thanks for the reply.

The error message I get when I try to start sTunnel is:
Quote:

2006.04.09 18:41:40 LOG3[1368:1572]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.04.09 18:41:40 LOG3[1368:1572]: error stack: 906700D : error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
2006.04.09 18:41:40 LOG3[1368:1572]: error stack: D09A00D : error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
2006.04.09 18:41:40 LOG3[1368:1572]: error stack: D08303A : error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error
2006.04.09 18:41:40 LOG3[1368:1572]: error stack: D06C03A : error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
2006.04.09 18:41:40 LOG3[1368:1572]: SSL_CTX_use_RSAPrivateKey_file: D0680A8: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

2006.04.09 18:41:40 LOG3[1368:1572]: Server is down

Similar to the issues mentioned above, but I can't make heads nor tails out of the error message :(
admin
Site Admin
Joined: 03 Mar 2002
Posts: 1295

PostPosted: Mon Apr 10, 2006 1:23 am

ccs,

The error messages are very cryptic unless you have already programmed OpenSSL (which is used by STunnel).
In your case, STunnel asked OpenSSL to read the PEM file but it failed to decode it. It seems that you have not respected the format or that some characters or lines were corrupted.

Could you send us the PEM file you are using so that we can check it? Since it could contain sensitive information, we ask you to substitute (in place) the encrypted data characters of your key section with * without changing the general layout of the file. Please do not move or change the section headers and footers (such as -----BEGIN CERTIFICATE-----).

Note that only the private key section has to remain secret. The rest of the file contains public certificates that anyone could know by accessing your web site and retrieving the certificate exchanged between the server and the browser.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com
ccs
Joined: 02 Apr 2005
Posts: 101

PostPosted: Mon Apr 17, 2006 9:52 pm

Well, I finally have some time to try and figure this out again. I'd be happy to send you all my certificates, but I'm not even sure which ones are what and how they fit into all this. So, let me give you a bit of the background with some basic questions and maybe I can make Abyss my production server again.

First of all, I have a certificate from GoDaddy. I purchased it last September and honestly don't remember anything about how I created it. All I know is they sent it to me via email, I stuck it into the Sambar Config folder along with a small change in the ini file and it worked just fine.

If I need to buy a new cert, so be it, but if I can keep using this one, that's even better.

What I have now are these files, all encrypted:

  • sf_issuing.crt
  • valicert_class2_root.cer
  • ca.crt
  • cert.pem
  • key.pem
  • ca-bundle.crt


In the Sambar config.ini file, there are these lines:

Public Key = Sambar Server Encryption Key
Certificate File = cert.pem
Private Key File = key.pem
CA Certificate File = ca-bundle.crt

I'm assuming then, that the cert.pem is the certificate GoDaddy issued to me and key.pem is the encrypted private key (I created?) ?

So, now the question is, do these files look like the right ones, or do I need something else?

Is it possible to construct a proper security file for sTunnel using these files?

My concern is that it looks like I might need to know the private key in an unencrypted form. If that's the case, I'm 99% sure I don't have it, and probably can't guess what it would have been. If that is necessary, can I somehow create a new private key, or would it be faster/easier just to purchase a new one? Money is not nearly as important to me as time, so I'm willing to do what is necessary to get this working as soon as possible, even if I need a new certificate.

Thanks again!
--Joe
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1295

PostPosted: Mon Apr 17, 2006 10:23 pm

ccs wrote:

What I have now are these files, all encrypted:

  • sf_issuing.crt
  • valicert_class2_root.cer
  • ca.crt
  • cert.pem
  • key.pem
  • ca-bundle.crt


In the Sambar config.ini file, there are these lines:

Public Key = Sambar Server Encryption Key
Certificate File = cert.pem
Private Key File = key.pem
CA Certificate File = ca-bundle.crt


As far as we know, the STunnel file only needs these files: cert.pem, key.pem, and ca-bundle.crt.

But in case one of the files (ca-bundle.crt) does not contain all the required information, could you send us the 6 files listed above?

Please zip and password protect these files with your license key (L0-....) before sending them to our priority support email (this password protection suggestion is meant to reduce the risks during the transfer from your mail client to our mail server).
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com
ccs


Joined: 02 Apr 2005
Posts: 101

PostPosted: Mon Apr 17, 2006 10:38 pm

Very well. The file is on its way.

Thanks!
ccs


Joined: 02 Apr 2005
Posts: 101

PostPosted: Tue Apr 18, 2006 6:56 am

Quote:

As far as we know, the STunnel file only needs these files: cert.pem, key.pem, and ca-bundle.crt.

THAT SEEMED TO DO THE TRICK!!!

I figured I'd paste those three files in and see what happens, and sure enough, sTunnel fired right up.

Thanks!
--Joe
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Tue Apr 18, 2006 10:49 am

ccs,

You're welcome.
_________________
Support Team
Aprelium - http://www.aprelium.com
ccs


Joined: 02 Apr 2005
Posts: 101

PostPosted: Thu Apr 20, 2006 5:04 am

Just a quick follow-up. I have finished the conversion of my first ecommerce site from Sambar to Abyss!!!

The site is 45% dynamic with a number of compiled CGI applications and I'm using sTunnel for the SSL support. (Thanks again for the help!)

I'm glad to report that all of the browsers I've tested are rendering the pages properly; Sambar had trouble with Firefox and Opera. The speed of the CGI applications appears to be quite good. Hard to say if the FastCGI support makes a difference or not, but if it keeps the programs in memory rather than closing them each time, great; if not, well, they are performing just fine even under heavy test loads.

I'd like to toss my hat into the beta ring for the time that native SSL is in development. While sTunnel is working, I'm still uncomfortable with additional layers on top with critical production servers.

Thanks again....I'm back to being a loyal and happy Aprelium customer :)
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Thu Apr 20, 2006 10:49 am

ccs,

Thank you for the update and for your positive feedback. We've already added you to the list of our Beta testers and will contact you as soon as a preview of the SSL release is ready.
_________________
Support Team
Aprelium - http://www.aprelium.com
Siert


Joined: 11 Jun 2004
Posts: 23
Location: Hoog-Keppel, the Netherlands

PostPosted: Thu Sep 07, 2006 3:17 pm

Same problems here: help!

I have 3 files. My stunnel.conf configuration:

1. CAfile = xxxxx.ca-bundle
2. cert = xxxxx.crt
3. key = xxxxx.key (encrypted RSA-key)

STunnel is stopped by Windows!

When I use cert = stunnel.pem (without CAfile and key) STunnel works well, but doesn't use my SSL certificates.

What's wrong?
The RSA-key must be non-encrypted?
Or only 1 cert.pem file needed (with copy and paste)?

Thanks for your help!
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Fri Sep 08, 2006 1:26 pm

Siert,

What is the exact error message that is reported by STunnel?
_________________
Support Team
Aprelium - http://www.aprelium.com
Siert


Joined: 11 Jun 2004
Posts: 23
Location: Hoog-Keppel, the Netherlands

PostPosted: Fri Sep 08, 2006 2:39 pm

All problems gone!
It's working now. Great!

I decrypted my xxxxx.key:
openssl rsa -in xxxxx.key -out new.key

and changed stunnel.conf:
key = new.key

Done!
(no need to make one stunnel.pem file: in fact, I deleted all .pem files. I think it's better to use the separate, original 3 files you create yourself and get back from your SSL certificate provider) ...

Thanks for trying to help me ...

I like STunnel: no need to change Abyss Web Server. The same files can be handled by other webserver applications that use OpenSSL (like that Indian).
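The checks behind Siert's fix, as an added shell example that is not code from the thread: it builds a throwaway self-signed certificate and key (constructed), protects the key with a demo passphrase, then shows how to tell that a key carries a passphrase, strip it with the openssl rsa step quoted above, and confirm that cert, key and CAfile belong together before they go into stunnel.conf. It assumes the openssl command-line tool is installed; the file names and passphrase are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs the openssl command-line tool.
# Everything below is created in a temp directory; file names and the
# passphrase are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-passphrase"   # constructed; never keep a real passphrase in a script

# Throwaway self-signed certificate plus an unencrypted RSA key (stand-ins for
# the cert a CA returned and the key generated with the CSR).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$WORK/plain.key" -out "$WORK/cert.crt" >/dev/null 2>&1

# A passphrase-protected copy, like the "encrypted RSA-key" in the post above.
openssl rsa -in "$WORK/plain.key" -aes256 -passout "pass:$PASS" \
    -out "$WORK/encrypted.key" >/dev/null 2>&1

# Returns 0 when a PEM key carries a passphrase. stunnel runs as a service
# with nobody to type it in, which is why the service stops at startup.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# The fix from the post: rewrite the key without its passphrase. Keep the
# output readable only by the account stunnel runs as.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" >/dev/null 2>&1
    chmod 600 "$3"
}

# Returns 0 when "cert =" and "key =" belong together: same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Returns 0 when "cert =" chains to the bundle given as "CAfile =".
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk through the scenario from the thread.
key_is_encrypted "$WORK/encrypted.key" && echo "encrypted.key: has a passphrase, stunnel would not start"
strip_passphrase "$WORK/encrypted.key" "$PASS" "$WORK/new.key"
key_is_encrypted "$WORK/new.key" || echo "new.key: no passphrase, usable as 'key = new.key'"
cert_matches_key "$WORK/cert.crt" "$WORK/new.key" && echo "cert.crt and new.key match"
chain_verifies "$WORK/cert.crt" "$WORK/cert.crt" && echo "cert.crt verifies against its bundle (itself here)"
```

With a CA-issued certificate, run chain_verifies with the provider's ca-bundle instead of the certificate itself.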
aprelium-beta


Joined: 24 Jun 2004
Posts: 383

PostPosted: Tue Jul 03, 2007 1:57 am    Post subject: Re: STunnel & SSL

Native SSL support is now available. Please check the Beta version of Abyss Web Server 2.5 in http://www.aprelium.com/forum/viewforum.php?f=32 .
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com