Blue Iris 5 - Stunnel & HTTPS Issues

NathanUCR

n3wb
Joined
Jun 12, 2019
Messages
11
Reaction score
2
Location
Oregon
New user of Blue Iris, just going through all the videos to configure, specifically the stunnel video. Here is my setup:

Server - Windows 10 Patched and updated
Blue Iris 5
stunnel 5.55
Netgear Orbi router
Android - Essential PH1 on Q

Configs:
Port forward setup to BI Server - Port 8081 to 192.168.1.26

Blue Iris 5 Web server config:
Remote external x.x.x.x:8081
Local Lan 192.168.1.26:8081
Enable http web server on port 81
HTTPS Lan Also

Stunnel Config:
Under TLS Client Mode
accept = 8081
connect = 81
cert = stunnel.pem



The problems:

On the server, if I open Chrome and go to https://192.168.1.26:8081/ I get "site can't be reached" with "ERR_SSL_KEY_USAGE_INCOMPATIBLE".

On the server, if I open IE and go to https://192.168.1.26:8081/ it works as expected.


From a workstation outside the network it does the same thing: I can use IE, but it hates Chrome.

On the Android app, it does not connect from outside the network. If I


Android App - Just simply does not connect.
If I use Chrome on the phone to browse to the site I get site cannot be reached. ERR_SSL_KEY_INCOMPATIBLE

Checking the log of stunnel I have lots of this error:
2019.06.12 14:35:07 LOG3[2734]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2734]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2019.06.12 14:35:07 LOG3[2735]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2735]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket


Anyone have any ideas?
 


TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Yes, connection via HTTPS. Don't want to use VPN.
It seems you need to update the stunnel.pem file

*NOTE* in video disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
@Walrus figured out that you can use zerossl website to create a self signed certificate (see setup below this video):

Website used for SSL:
Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

See steps below to set this up from forum member walrus

After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of Chrome on my Android phone, and Chrome on my work computer.


The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a Windows restart, whatever you had running (service or GUI) will run again.
 

ChrisnAng

n3wb
Joined
Sep 30, 2016
Messages
5
Reaction score
0
Location
Knoxille
I cannot save the stunnel.pem? I get the error I don't have permission to save in that location. Do I simply rename and save elsewhere?
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
I cannot save the stunnel.pem? I get the error I don't have permission to save in that location. Do I simply rename and save elsewhere?
How are you editing and saving it? When did you download stunnel? I'm not sure if it's different in the new model, but it is just like saving any .txt file (same program in Windows).
 

ChrisnAng

n3wb
Joined
Sep 30, 2016
Messages
5
Reaction score
0
Location
Knoxille
How are you editing and saving it? When did you download stunnel? I'm not sure if it's different in the new model, but it is just like saving any .txt file (same program in Windows).
Saving in the original stunnel.pem location. I just downloaded Stunnel today. Using Notepad to edit.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Saving in the original stunnel.pem location. I just downloaded Stunnel today. Using Notepad to edit.
Did you open it through the stunnel program, which then opens the TXT file? It should simply save into the config folder of the stunnel folder and allow you to overwrite. I wonder if you have a setting on Windows not allowing it, or maybe the file is in use? Try shutting down stunnel as a server/program, then open stunnel.pem in stunnel - config folder - open - edit and then save?

I have not seen the issue so I can only guess.
 

m3tpe

Young grasshopper
Joined
Apr 4, 2017
Messages
64
Reaction score
5
It seems you need to update the stunnel.pem file

*NOTE* in video disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
@Walrus figured out that you can use zerossl website to create a self signed certificate (see setup below this video):

Website used for SSL:
Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

See steps below to set this up from forum member walrus

After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of Chrome on my Android phone, and Chrome on my work computer.


The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a Windows restart, whatever you had running (service or GUI) will run again.
I can't get this to work? What do you mean by no-ip domain?
 

ChrisnAng

n3wb
Joined
Sep 30, 2016
Messages
5
Reaction score
0
Location
Knoxille
This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.
So, just making sure I understand, as the instructions are a little vague.

I find one of the 4 "stunnel.pem" files on my computer (guidance to which one will be helpful), open in wordpad, change the text, "BEGIN PRIVATE KEY" and "END PRIVATE KEY" to "BEGIN RSA PRIVATE KEY" and "END RSA PRIVATE KEY"? Then copy and paste "key" and "cert" content into the newly changed stunnel.pem file? Save file, reload in stunnel as instructed, and it should work?

So my new stunnel.pem file is about twice as big as it was initially, correct?

Is it possible to use a real "certificate" in stunnel, and avoid all the self-signed cert issues?

Thanks!!
 

Gunn

n3wb
Joined
Jun 11, 2018
Messages
1
Reaction score
0
Location
Maryland, USA
Saving in the original stunnel.pem location. I just downloaded Stunnel today. Using Notepad to edit.
Just working through this very same thread issue now. I had this same issue with saving an edited stunnel.pem file. It is because you are saving to a location that can only be written to by an administrator. So run notepad in Administrator mode when you start it. Or, use notepad++ and when you go to save it, it will let you know it can't and ask if you'd like to open it up in admin mode, allowing you to save.

So did you get it all working too?
 

Steve P

Getting the hang of it
Joined
Dec 30, 2019
Messages
12
Reaction score
30
Location
Lawn-guy-land NY
I just joined to say that I had this same issue and this post (linked to from a reddit post) fixed the issue. Same problems as OP: not working with Chrome or the Android BI app, but worked in Edge.

Thanks for this page!
 

Richdem

Getting the hang of it
Joined
May 12, 2015
Messages
107
Reaction score
39
It seems you need to update the stunnel.pem file

NOTE in video disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
@Walrus figured out that you can use zerossl website to create a self signed certificate (see setup below this video):

Website used for SSL:
Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

See steps below to set this up from forum member walrus

After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of Chrome on my Android phone, and Chrome on my work computer.


The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a Windows restart, whatever you had running (service or GUI) will run again.
Thank you so much for this,

I just upgraded my S9 Plus to Android 10 last night and had the same issue,

Followed your steps and it is working again

Cheers
 

miles267

n3wb
Joined
Dec 25, 2014
Messages
17
Reaction score
4
Unfortunately I've tried these steps. However when I launch stunnel GUI, it attempts to load my stunnel.pem but returns the following error:

[ ] Running on Windows 6.2
[ ] No limit detected for the number of clients
[.] stunnel 5.56 on x64-pc-mingw32-gnu platform
[.] Compiled/running with OpenSSL 1.1.1c 28 May 2019
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
[ ] errno: (*_errno())
[ ] GUI message loop initialized
[ ] Running on Windows 6.2
[.] Reading configuration from file stunnel.conf
[.] UTF-8 byte order mark detected
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [blueiris]
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Loading certificate from file: stunnel.pem
[ ] Certificate loaded from file: stunnel.pem
[ ] Loading private key from file: stunnel.pem
[!] error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file: PEM lib
[!] error queue: crypto/pem/pem_pkey.c:88: error:0907B00D: PEM routines: PEM_read_bio_PrivateKey:ASN1 lib
[!] error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[!] Wrong passphrase: retrying
[!] error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file: PEM lib
[!] error queue: crypto/pem/pem_pkey.c:88: error:0907B00D: PEM routines: PEM_read_bio_PrivateKey:ASN1 lib
[!] error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[!] Wrong passphrase: retrying
[!] error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file: PEM lib
[!] error queue: crypto/pem/pem_pkey.c:88: error:0907B00D: PEM routines: PEM_read_bio_PrivateKey:ASN1 lib
[!] error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
[!] SSL_CTX_use_PrivateKey_file: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[!] Service [blueiris]: Failed to initialize TLS context
[ ] Deallocating section defaults

[!] Server is down
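Two different failures appear in this thread. The OP's Chrome error, ERR_SSL_KEY_USAGE_INCOMPATIBLE, is a certificate-side complaint (the certificate's Key Usage extension does not permit the operation the negotiated cipher suite needs), which is why replacing the certificate, rather than toggling TLS versions, fixed it. The error log just above is a different problem: OpenSSL loaded the certificate fine but could not parse the private key, and the "asn1_check_tlen:wrong tag" followed by "Wrong passphrase: retrying" sequence is what you get when the PEM header label does not match the encoding of the base64 body underneath it, exactly the pitfall Walrus describes (an old "-----BEGIN PRIVATE KEY-----" header left around a "BEGIN RSA PRIVATE KEY" body from key.txt, or vice versa). The script below is an added example, written for this thread and not part of stunnel, Blue Iris or ZeroSSL; it lints a hand-assembled stunnel.pem with only the Python standard library. It checks block order (key first, then certificate), that each base64 body decodes (stray pasted characters and a Notepad BOM do not), that every BEGIN has a matching END label, and that the key label agrees with the DER structure (PKCS#1 "RSA PRIVATE KEY" is SEQUENCE { INTEGER, INTEGER, ... }; PKCS#8 "PRIVATE KEY" is SEQUENCE { INTEGER, SEQUENCE, OCTET STRING }). The sample inputs are constructed toy DER bodies that have the right shape but are not real key material; the function names (`lint_stunnel_pem`, `key_shape`) are my own.

```python
"""Lint a hand-assembled stunnel.pem (key.txt contents followed by crt.txt contents).

Standard library only. Added example for the stunnel thread; not stunnel's own code.
"""
import base64
import re

SEQUENCE, INTEGER, OCTET_STRING, OID, NULL = 0x30, 0x02, 0x04, 0x06, 0x05

# A PEM block: BEGIN label, base64 body, END with the *same* label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Which DER shape each private-key label promises to OpenSSL.
EXPECTED = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}


def pem_blocks(text):
    """Return [(label, der_bytes)]; raise ValueError on undecodable or unmatched blocks."""
    text = text.lstrip("\ufeff")  # Notepad may prepend a UTF-8 byte order mark
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except Exception as exc:  # stray characters or a truncated paste
            raise ValueError(f"{label}: base64 body does not decode ({exc})")
        blocks.append((label, der))
    if len(re.findall(r"-----BEGIN ", text)) != len(blocks):
        raise ValueError("a BEGIN header has no END header with the same label")
    return blocks


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def key_shape(der):
    """Classify a private key body as 'pkcs1', 'pkcs8' or 'unknown' from its outer structure."""
    try:
        tag, body, _ = der_tlv(der)
        if tag != SEQUENCE:
            return "unknown"
        t1, _, p = der_tlv(body)     # version INTEGER in both encodings
        t2, _, _ = der_tlv(body, p)  # INTEGER modulus (PKCS#1) or AlgorithmIdentifier SEQUENCE (PKCS#8)
    except IndexError:
        return "unknown"
    if t1 != INTEGER:
        return "unknown"
    return {INTEGER: "pkcs1", SEQUENCE: "pkcs8"}.get(t2, "unknown")


def lint_stunnel_pem(text):
    """Return a list of problems; an empty list means the file looks usable by stunnel."""
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    labels = [label for label, _ in blocks]
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        problems.append("first block must be the private key (key.txt contents)")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block (crt.txt contents) found")
    for label, der in blocks:
        if label in EXPECTED and key_shape(der) != EXPECTED[label]:
            problems.append(f"'{label}' header does not match its body (looks like "
                            f"{key_shape(der)}); OpenSSL reports 'wrong tag' for this")
    return problems


# ---- constructed sample inputs (toy DER with the right shape, not real keys) ----
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length suffices here


def pem(label, der):
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


PKCS1_BODY = tlv(SEQUENCE, tlv(INTEGER, b"\x00") + tlv(INTEGER, b"\x0b") + tlv(INTEGER, b"\x03"))
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
PKCS8_BODY = tlv(SEQUENCE, tlv(INTEGER, b"\x00")
                 + tlv(SEQUENCE, tlv(OID, RSA_OID) + tlv(NULL, b""))
                 + tlv(OCTET_STRING, PKCS1_BODY))
CERT_BODY = tlv(SEQUENCE, tlv(INTEGER, b"\x01"))

GOOD = pem("RSA PRIVATE KEY", PKCS1_BODY) + pem("CERTIFICATE", CERT_BODY)
MISLABELLED = pem("PRIVATE KEY", PKCS1_BODY) + pem("CERTIFICATE", CERT_BODY)  # old header kept
WRONG_ORDER = pem("CERTIFICATE", CERT_BODY) + pem("RSA PRIVATE KEY", PKCS1_BODY)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else MISLABELLED
    for line in lint_stunnel_pem(text) or ["no problems found"]:
        print(line)
```

Run it as `python lint_pem.py path\to\stunnel.pem` against the file you pasted together; with no argument it lints the constructed mislabelled sample. It only checks structure, so a file that passes can still hold a corrupt key, and `openssl rsa -in stunnel.pem -check -noout` remains the definitive test of the key material itself.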
 