Stunnel and getting a signed SSL Cert -

Discussion in 'Blue Iris' started by Dasstrum, Dec 25, 2018.

Share This Page

  1. Dasstrum

    Dasstrum IPCT Contributor

    Joined:
    Nov 4, 2016
    Messages:
    484
    Likes Received:
    510
    Hey guys, first of Merry Christmas!

    I am in the process of creating a video on how to setup and configure stunnel with Blue Iris. I have spent the past few weeks tinkering with stunnel and have successfully configured it on my system.

    As a side note, while I am very familiar with Blue Iris I am NOT a network security expert. Up to a few weeks ago I had no clue on how to setup stunnel and to be honest it was a very intimidating task to take on. But after lots of reading/research I have a good understanding on the subject and would like to help others if they want to go this route.

    If anyone else is more familiar with this topic please send me a PM. I would like to share my video with them for a 'proof-read/watch' before publishing that way I know I'm using all the terms correctly and the content is accurate!

    Now to my question: When configuring stunnel I am creating a self-signed certificate during the installation process. Everything works great in the BI app and I am able to connect via "HTTPS" however when connecting via a web browser (chrome) I get that annoying "This site isn't secure, bla bla bla would you like to proceed" message. I know the reason that I getting the message is that my certificate isn't "signed".

    Can anyone explain the process of actually getting a CA to sign my certificate and avoid that annoying message?

    Thanks!
    Richard
     
    c hris527, bp2008 and keneil01 like this.
  2. dahukvision

    dahukvision n3wb

    Joined:
    Nov 22, 2017
    Messages:
    5
    Likes Received:
    9
    Because your certificate is "self signed", it still works perfectly well to encrypt the HTTPS traffic, but a random web browser doesn't know if it should be trusted or not.

    Every computer or phone or whatever has a master list of all certificates that it trusts. If a certificate isn't in that list, or isn't signed by a certificate in that list, then it is not trusted. That 'root' list of trustworthy certificates is updated by your operating system manufacturer - Microsoft, Apple, Google, Ubuntu, etc. There are very, very strict standards that a company must meet in order to get onto, and stay, on those various lists.

    To avoid your certificate error you can do one of two things - manually import the self-signed certificate into the trust store on the devices that will be using it ("add them to the list"), or convince a third party (a Certificate Authority) which your computer already trusts, to vouch for you.

    When you attempt to get a certificate for your domain from a certificate authority, say for example DigiCert, VeriSign, or Let's Encrypt, those organizations will first validate that you are the owner of the domain. If that domain is example.com, they will often require you prove your ownership by doing something to the domain's DNS records which only the owner could do. In the case of EV certificates (the "green bar" you see on bank websites) they might actually send a representative to your company to verify the company information and address are valid, and the request is real.

    Once they have verified that you own the domain, they will issue you certificates which ultimately say "the web server providing this certificate is the real example.com".

    They do that by signing your certificate (or "certificate request" which I won't get in to) with their certificate. Their signing certificate is already trusted by your computer/phone/browser/etc's trust store, so your example.com certificate is trusted via it.

    Now that all of that is explained - you go to your server and import the example.com certificate you got from a public CA. When any web browser then goes to your site, it gets an example.com certificate signed by that public CA certificate. The web browser trusts the public CA certificate, and as such your server certificate, so you get no error.
     
    Last edited: Dec 26, 2018
    bp2008 likes this.
  3. dahukvision

    dahukvision n3wb

    Joined:
    Nov 22, 2017
    Messages:
    5
    Likes Received:
    9
    I probably should have gotten into the certificate request part.

    In essence: your web server generates two things, a "private key" and a "certificate request".

    In a nutshell a certificate says "whoever has the private key which unlocks this certificate is the real owner of example.com".

    The certificate request file contains the domain name(s) that you will be using the certificate on, accurate geographical info, an expiry date, and some encryption details.

    You ship the request off to the public CA and they send you back your signed public certificate. You import that signed public certificate back into the web server to "complete the request".

    Your web server now has the signed public cert as well as the private key, so it can now serve webpages using the cert. If you need the same cert used on another server, you can now export it "with the private key".

    Remember to always keep your private keys safe and secure.
     
    Dasstrum and bp2008 like this.
  4. Dasstrum

    Dasstrum IPCT Contributor

    Joined:
    Nov 4, 2016
    Messages:
    484
    Likes Received:
    510
    Woah that's a lot of info! Thank you so much for taking to time and typing up all that. That helps me better understand the whole process and seems like entirely too much work for something that will be assessed privately and not shared.

    @dahukvision Are you familiar with using stunnel enough to review and proof-watch a video before I release it to make sure my information is factual and correct? It would be greatly appreciated!
     
  5. dahukvision

    dahukvision n3wb

    Joined:
    Nov 22, 2017
    Messages:
    5
    Likes Received:
    9
    I'm not extremely well versed in stunnel itself but I can certainly provide feedback! I can comment on just the technical content, or if you want pendantics and pickiness I can comment on the video itself :)
     
    awsum140 likes this.
  6. Choco

    Choco n3wb

    Joined:
    Jul 21, 2018
    Messages:
    13
    Likes Received:
    1
    Location:
    .
    I've just got stunnel up and running... kinda.
    The issue I have is when I logoff the BI server, stunnel shutsdown and you lose remote web access, log back and it works. Stunnel is running as a service.
    Any ideas on the stunnel config?
     
  7. c hris527

    c hris527 Known around here

    Joined:
    Oct 12, 2015
    Messages:
    796
    Likes Received:
    465
    Location:
    NY
    I just watched your video, very well laid out.
     
    Dasstrum likes this.
  8. Dasstrum

    Dasstrum IPCT Contributor

    Joined:
    Nov 4, 2016
    Messages:
    484
    Likes Received:
    510
    Thanks! That one took a little longer than normal to put together.
    For anyone else that hasn't seen it:


     
    Last edited: Jan 6, 2019