Blue Iris 5 - Stunnel & HTTPS Issues

Discussion in 'Troubleshooting' started by NathanUCR, Jun 12, 2019.

  1. NathanUCR

    NathanUCR n3wb

    Joined:
    Jun 12, 2019
    Messages:
    11
    Likes Received:
    2
    Location:
    Oregon
    New user of Blue Iris, just going through all the videos to configure, specifically the stunnel video. Here is my setup:

    Server - Windows 10 Patched and updated
    Blue Iris 5
    stunnel 5.55
    Netgear Orbi router
    Android - Essential PH1 on Q

    Configs:
    Port forward setup to BI Server - Port 8081 to 192.168.1.26

    Blue Iris 5 Web server config:
    Remote external x.x.x.x:8081
    Local Lan 192.168.1.26:8081
    Enable http web server on port 81
    HTTPS Lan Also

    Stunnel Config:
    Under TLS Client Mode
    accept = 8081
    connect = 81
    cert = stunnel.pem



    The problems:

    On the server, if I open Chrome and go to https://192.168.1.26:8081/ I get site can't be reached "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

    On the server, if I open IE and go to https://192.168.1.26:8081/ works as expected.


    A workstation outside the network does the same thing: I can use IE, but it hates Chrome.

    On the Android app, does not connect from outside the network. If I


    Android App - Just simply does not connect.
    If I use Chrome on the phone to browse to the site I get site cannot be reached. ERR_SSL_KEY_INCOMPATIBLE

    Checking the log of stunnel I have lots of this error:
    2019.06.12 14:35:07 LOG3[2734]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
    2019.06.12 14:35:07 LOG5[2734]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
    2019.06.12 14:35:07 LOG3[2735]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
    2019.06.12 14:35:07 LOG5[2735]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket


    Anyone have any ideas?
     

  2. TL1096r

    TL1096r Pulling my weight

    Joined:
    Jan 28, 2017
    Messages:
    890
    Likes Received:
    205
  3. NathanUCR

    Yes, connection via HTTPS. Don't want to use VPN.
     
  4. TL1096r

    It seems you need to update the stunnel.pem file

    *NOTE* in video disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
    @Walrus figured out that you can use zerossl website to create a self signed certificate (see setup below this video):

    Website used for SSL:
    Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

    See steps below to set this up from forum member walrus

    After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents in that order.

    This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

    It now works with both the updated version of chrome on my android phone, and chrome on my work computer.


    The Stunnel program is a bit of a mess to get working. I find it works as follows:

    If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
    If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
    To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

    Upon a Windows restart, whatever you had running (service or GUI) will run again.
     
    NathanUCR likes this.
  5. NathanUCR

    Hot damn... That worked! Thank you!
     
  6. TL1096r

    Very good! Just remember you have to update it every 3 months.
     
    NathanUCR likes this.
  7. Walrus

    Walrus Getting comfortable

    Joined:
    Nov 19, 2018
    Messages:
    371
    Likes Received:
    252
    Location:
    Ontario
    TL1096r likes this.
  8. TL1096r

    ha. I just copy and pasted your work :) you are the real hero here.

    Thanks
     
  9. ChrisnAng

    ChrisnAng n3wb

    Joined:
    Sep 30, 2016
    Messages:
    5
    Likes Received:
    0
    Location:
    Knoxille
    I cannot save the stunnel.pem? I get the error I don't have permission to save in that location. Do I simply rename and save elsewhere?
     
  10. TL1096r

    How are you editing and saving it? When did you download stunnel? I'm not sure if it is different in the new model, but it is just like saving any txt file (same program in Windows).
     
  11. ChrisnAng

    Saving in the original stunnel.pem location. I just downloaded Stunnel today. Using Notepad to edit.
     
  12. TL1096r

    Did you open it through the stunnel program, which then opens a TXT file? It should simply save into the config folder of the stunnel folder and allow you to overwrite. I wonder if you have a setting on Windows not allowing it, or maybe it is in use? Try shutting down stunnel as server/program - open stunnel.pem in stunnel - config folder - open - edit and then save?

    I have not seen the issue so I can only guess.
     
  13. m3tpe

    m3tpe Young grasshopper

    Joined:
    Apr 4, 2017
    Messages:
    55
    Likes Received:
    4
    I can't get this to work? What do you mean by no-ip domain?
     
  14. TL1096r

    Use your IP address then instead.
     
  15. ChrisnAng

    So, just making sure I understand, as the instructions are a little vague.

    I find one of the 4 "stunnel.pem" files on my computer (guidance as to which one would be helpful), open it in WordPad, change the text "BEGIN PRIVATE KEY" and "END PRIVATE KEY" to "BEGIN RSA PRIVATE KEY" and "END RSA PRIVATE KEY"? Then copy and paste "key" and "cert" content into the newly changed stunnel.pem file? Save file, reload in stunnel as instructed, and it should work?

    So my new stunnel.pem file is about twice as big as it was initially, correct?

    Is it possible to use a real "certificate" in stunnel, and avoid all the self signed cert issues?

    Thanks!!
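
Added example, not part of any post in this thread: a Python sketch of the key.txt-then-crt.txt assembly that Walrus's steps (quoted in post 4) describe and that post 15 asks about. It copies each block with whatever BEGIN/END label the source file carries instead of editing labels by hand, and rejects files whose labels do not pair up; the function names and sample bytes are constructed for illustration.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# PKCS#8, PKCS#1 (RSA) and SEC1 (EC) unencrypted private key labels.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, DER bytes) for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # validate=True rejects stray characters and encrypted-key headers.
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # keys and certs are DER SEQUENCEs
            raise ValueError(f"{label}: body is not DER")
        blocks.append((label, der))
    return blocks


def to_pem(label, der):
    """Re-encode with LF line ends and 64-column base64; label unchanged."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        [f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"]) + "\n"


def build_stunnel_pem(key_text, crt_text):
    """Join key.txt then crt.txt, the order given in the thread."""
    keys, certs = pem_blocks(key_text), pem_blocks(crt_text)
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
        raise ValueError("key file needs exactly one private key block")
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        raise ValueError("certificate file needs only CERTIFICATE blocks")
    return "".join(to_pem(label, der) for label, der in keys + certs)


# Constructed placeholder DER (not real key material), with CRLF line ends
# as a Windows text editor would save them.
SAMPLE_KEY = to_pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00").replace("\n", "\r\n")
SAMPLE_CRT = to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01").replace("\n", "\r\n")

if __name__ == "__main__":
    print(build_stunnel_pem(SAMPLE_KEY, SAMPLE_CRT), end="")
```

A key file whose BEGIN line was renamed by hand while its END line was not yields no matching block and is refused, which is the failure the label-editing step in post 15 would produce.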