Stunnel on Windows with Signed Certificate

Overcon
Aug 6, 2014
Hi guys, I have been working on trying to set up stunnel on Windows 10 with Blue Iris. I have got a self-signed certificate and stunnel works great. I am trying to get a signed certificate set up on the system. I generated the key and the CSR request, set up the subdomain, and was issued the certificate, the bundle, and the p7b file.

Stunnel requires a PEM file. I took the certificate I got and used this tool SSL Converter to create a pem file. I did the PKCS#7 to PEM and put in my .p7b file. It exported two files.

bdd62bb1beec27d6e4----4eb8bb3d16.crt
Inside:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

bdd62bb1beec27d6e4----4eb8bb3d16-bundle.crt
Inside:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Obviously there is code between the lines.

In the stunnel config I have tried putting the certs above as:
cert = bdd62bb1beec27d6e4----4eb8bb3d16.crt

I have tried (this is the one I thought I would use):
cert = bdd62bb1beec27d6e4----4eb8bb3d16-bundle.crt

I have tried changing them to .pem files.

I have stripped almost everything out of the conf file for stunnel to avoid adding something by accident.

I just continue to get the same errors no matter what I do. I am close, but I must be missing something on the certificates, but I can't figure it out. I was hoping someone could step me through this and get this up and working with the signed certificate.

I get this in stunnel when I launch it:

2020.10.08 19:56:29 LOG5[main]: Reading configuration from file stunnel.conf
2020.10.08 19:56:29 LOG5[main]: UTF-8 byte order mark detected
2020.10.08 19:56:29 LOG6[main]: Initializing service [blueiris]
2020.10.08 19:56:29 LOG6[main]: Loading certificate from file: bdd62bb1beec27d6e4----4eb8bb3d16-bundle.crt
2020.10.08 19:56:29 LOG6[main]: Certificate loaded from file: bdd62bb1beec27d6e4----4eb8bb3d16-bundle.crt
2020.10.08 19:56:29 LOG6[main]: Loading private key from file: bdd62bb1beec27d6e4----4eb8bb3d16-bundle.crt
2020.10.08 19:56:29 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
2020.10.08 19:56:29 LOG3[main]: SSL_CTX_use_PrivateKey_file: crypto/pem/pem_lib.c:745: error:0909006C:PEM routines:get_name:no start line
2020.10.08 19:56:29 LOG3[main]: Service [blueiris]: Failed to initialize TLS context
2020.10.08 19:56:29 LOG3[main]: Failed to reload the configuration file

In the browser, I get:

This site can’t be reached
The webpage at might be temporarily down or it may have moved permanently to a new web address.

ERR_SSL_KEY_USAGE_INCOMPATIBLE

When I try and connect I get this (in stunnel):

2020.10.08 20:07:11 LOG5[41]: Service [blueiris] accepted connection from 172.16.1.1:63263
2020.10.08 20:07:11 LOG6[41]: Peer certificate not required
2020.10.08 20:07:11 LOG5[42]: Service [blueiris] accepted connection from 172.16.1.1:63264
2020.10.08 20:07:11 LOG6[42]: Peer certificate not required
2020.10.08 20:07:11 LOG3[41]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.10.08 20:07:11 LOG5[41]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.10.08 20:07:11 LOG3[42]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.10.08 20:07:11 LOG5[42]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.10.08 20:07:22 LOG5[43]: Service [blueiris] accepted connection from 172.16.1.1:63272
2020.10.08 20:07:22 LOG5[44]: Service [blueiris] accepted connection from 172.16.1.1:63273
2020.10.08 20:07:22 LOG6[43]: Peer certificate not required
2020.10.08 20:07:22 LOG6[44]: Peer certificate not required
2020.10.08 20:07:22 LOG3[43]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.10.08 20:07:22 LOG5[43]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.10.08 20:07:22 LOG3[44]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.10.08 20:07:22 LOG5[44]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Thanks all!
 
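The failing step in the log above is "Loading private key from file: ...-bundle.crt" followed by "PEM routines:get_name:no start line". That OpenSSL error means the reader scanned the whole file and never found a block with a label it accepts; for a key load, that is a file with no PRIVATE KEY block. The script below is an added example, not code from the original thread or from the stunnel project: it parses a PEM file, reports what stunnel would find when the file is given as `cert =`, and assembles key, server certificate and chain into a single file in the layout the thread ends up with. The PEM bodies in it are constructed placeholders, not real keys or certificates.

```python
"""Inspect and assemble PEM material for stunnel's `cert =` / `key =` options.

Added example, not code from the original thread. OpenSSL's
"PEM routines:get_name:no start line" means the reader scanned the whole file
and never found a block whose label it accepts; when stunnel logs it right
after "Loading private key from file", the file has no PRIVATE KEY block.
"""
import re
from collections import Counter

# One PEM block: captures the label (e.g. "CERTIFICATE") and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)

# Labels OpenSSL accepts when asked for a private key.
KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def pem_blocks(text):
    """Return [(label, body)] for every PEM block in the text, in file order.

    A UTF-8 byte order mark (Notepad's default on Windows) is stripped here so
    the diagnosis still works; OpenSSL's line-based reader does NOT skip it, so a
    BOM in front of the first "-----BEGIN" line hides that block from stunnel.
    """
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text.lstrip("\ufeff"))]


def diagnose(text):
    """Summarise what stunnel would find in a file given as `cert =`."""
    labels = [label for label, _ in pem_blocks(text)]
    has_key = any(label in KEY_LABELS for label in labels)
    return {
        "labels": labels,
        "certificates": Counter(labels)["CERTIFICATE"],
        "has_private_key": has_key,
        "bom": text.startswith("\ufeff"),
        # Mirrors the failing step in the thread's log: key lookup with no key block.
        "stunnel_key_load": "ok" if has_key else "no start line",
    }


def assemble(key_pem, leaf_pem, chain_pem=""):
    """Build one PEM file: private key, then the server certificate, then the chain.

    OpenSSL treats the first CERTIFICATE block as the server certificate and any
    later ones as the chain, and finds the key block wherever it sits; key-first
    is the layout the thread's author reported working. A copy of the leaf that
    also appears in the chain file is dropped rather than sent twice.
    """
    keys = [b for b in pem_blocks(key_pem) if b[0] in KEY_LABELS]
    if len(keys) != 1:
        raise ValueError("key file must contain exactly one private key block")
    leaf = [b for b in pem_blocks(leaf_pem) if b[0] == "CERTIFICATE"]
    if len(leaf) != 1:
        raise ValueError("leaf file must contain exactly one certificate")
    chain = [b for b in pem_blocks(chain_pem)
             if b[0] == "CERTIFICATE" and b[1] != leaf[0][1]]
    ordered = keys + leaf + chain
    return "".join(f"-----BEGIN {l}-----\n{b}\n-----END {l}-----\n" for l, b in ordered)


# Constructed sample material (not real keys or certificates): real PEM bodies
# are base64 DER; these are placeholders that only exercise the parser.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIkeyBODYconstructed==\n-----END PRIVATE KEY-----\n"
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nMIIleafBODYconstructed==\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = (  # what the converter's "-bundle.crt" looks like: leaf + intermediates
    SAMPLE_LEAF
    + "-----BEGIN CERTIFICATE-----\nMIIintermediateConstructed==\n-----END CERTIFICATE-----\n"
    + "-----BEGIN CERTIFICATE-----\nMIIrootConstructed==\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("bundle as cert=:", diagnose(SAMPLE_BUNDLE))
    combined = assemble(SAMPLE_KEY, SAMPLE_LEAF, SAMPLE_BUNDLE)
    print("combined file:", diagnose(combined))
```

Run against the real files, `diagnose()` on the converter's bundle shows three CERTIFICATE blocks and no key, which is exactly the state the log describes; `assemble()` on the key file, the leaf `.crt` and the bundle produces the single file to point `cert =` at.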
Did you bundle the private key into the CRT file? The line calling it out "Loading private key from file: bdd62bb1beec27d6e4----4eb8bb3d16-bundle.crt" is looking for the private key and I am assuming it doesn't find it in that file.
 
My thought was that the private key was included in the PEM file that was created from the p7b certificate? If not, where do I add the private key, at the end of the CRT bundle file? I did try to add the key file contents into the bundled CRT at the front, it didn't change the message.

Thanks!
 
I figured it out!

I took the KEY file contents and put them in a new text file. Then I took the crt file created from the provider and pasted it after the private key, then saved it as a pem file. Reloaded stunnel and bam, it's working.
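For reference, the two ways stunnel can be told where the key lives. This is an added config fragment, not the thread author's stunnel.conf: the service name comes from the log, but the listen port, the Blue Iris port and the file names are assumptions, since the thread does not show them.

```ini
; Added example, not the thread author's stunnel.conf. Ports and file names are
; assumptions: the thread gives neither the stunnel listen port nor the
; Blue Iris web port.
[blueiris]
accept  = 8443
connect = 127.0.0.1:81

; Option A: one PEM file holding the private key, the server certificate and
; the issuing chain, in that order (the layout that worked in this thread).
cert = blueiris-combined.pem

; Option B: keep the key in its own file. `key` is a real stunnel option; when
; it is absent, stunnel looks for the key inside the `cert` file, which is what
; the "Loading private key from file: ...-bundle.crt" log line shows happening.
; cert = bdd62bb1beec27d6e4----4eb8bb3d16-bundle.crt
; key  = blueiris.key
```

Two checks before reloading: the first CERTIFICATE block in the `cert` file must be the server certificate, because OpenSSL presents it as the leaf and treats everything after it as chain, so a bundle that starts with the root will be served wrong even though it loads; and for an RSA key, `openssl x509 -noout -modulus -in leaf.crt` and `openssl rsa -noout -modulus -in blueiris.key` must print the same modulus, otherwise the key file does not belong to the certificate that was issued for the CSR.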