stunnel

johnmcc

Young grasshopper
Joined
Mar 9, 2015
Messages
44
Reaction score
13
Are you starting and editing stunnel from the GUI, or editing it via a text editor? Just a thought, in case the text editor is adding some unwanted character.
 

Livin

n3wb
Joined
Feb 12, 2017
Messages
23
Reaction score
0
Are you starting and editing stunnel from the GUI, or editing it via a text editor? Just a thought, in case the text editor is adding some unwanted character.
Yes, I am editing from the GUI, from the menu options. I must be missing something that is not very obvious. Just not working for me!

Is there any other thread or forum where some expert can help?
 

Livin

Try adding into your Blueiris config requireCert = no
Thanks for responding. I tried the line requireCert = no instead of cert = stunnel.pem, but I get the following error message, which still asks for a certificate.

2017.04.24 06:06:19 LOG5[main]: Reading configuration from file stunnel.conf
2017.04.24 06:06:19 LOG5[main]: UTF-8 byte order mark detected
2017.04.24 06:06:19 LOG5[main]: FIPS mode disabled
2017.04.24 06:06:19 LOG3[main]: Service [blue-iris]: TLS server needs a certificate
2017.04.24 06:06:19 LOG3[main]: Failed to reload the configuration file

I tried requireCert = no together with cert = stunnel.pem; this gives the same old error of Failed to initialize TLS context.

2017.04.24 06:08:49 LOG5[main]: Reading configuration from file stunnel.conf
2017.04.24 06:08:49 LOG5[main]: UTF-8 byte order mark detected
2017.04.24 06:08:49 LOG5[main]: FIPS mode disabled
2017.04.24 06:08:49 LOG3[main]: error queue: 140DC009: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2017.04.24 06:08:49 LOG3[main]: SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
2017.04.24 06:08:49 LOG3[main]: Service [blue-iris]: Failed to initialize TLS context
2017.04.24 06:08:49 LOG3[main]: Failed to reload the configuration file

:-(
 

johnmcc

Hi, as a test of requireCert = no, I modified my config file to:

[BlueIris]
accept= 1440
connect = 192.168.0.15:81
requireCert = no

Reloaded, and whilst I got the 'failed to initialise' message, I did get a connection from my iPhone. So I stopped stunnel and restarted it, and failed to get a connection.

So back to:
[BlueIris]
accept= 1440 <---this port is forwarded on my router
connect = 192.168.0.15:81 <--- windows home server
cert = stunnel.pem

Connection is OK.
The stunnel.pem contains my cert from GoDaddy.

Apologies for not thinking to restart the service.
 

Livin

Thanks johnmcc. I already did try stopping and restarting the service, but I got the same error. However, for the 'connect = ' line I used the port number alone, similar to the 'accept = ' line. So I tried again putting the full IP address suffixed with colon and port number, hoping it would work, but no go, same error message.

I wonder if the issue I have is related to the certificate. Could you please throw some light on how to get the cert from GoDaddy and how to update it in stunnel? I am new to this, so would appreciate detailed steps. Thanks heaps!
 

johnmcc

Here is my config file; you can check it against yours.

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verify = 2
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verify = 2
CAfile = ca-certs.pem
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 25
connect = 74.125.206.108:465
cert = stunnel.pem
verify = 2
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes


[ssmtp]
client = yes
accept = 465
connect = 74.125.206.108:465
cert = stunnel.pem
verify = 1
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes

; Encrypted HTTP proxy authenticated with a client certificate
; located in the Windows certificate store
;[example-proxy]
;client = yes
;accept = 443
;connect = 443
;engineId = capi
; ***************************************** Example TLS server mode services


[BlueIris]
accept= 1440
connect = 192.168.0.15:81
cert = stunnel.pem
;verify = 1
;CAfile = ca-certs.pem
;OCSPaia = yes


To get a certificate you need a registered domain name. I got mine from DynDns; I think it costs me around £15 per year (being in the UK). Though you can register a domain name and a certificate with GoDaddy also, I think it is a bit simpler to acquire a domain name and a certificate from the same supplier.

I use stunnel to encrypt BlueIris email alerts.

Now, I am no expert in this; just like yourself, I kept at it until I succeeded.
 

johnmcc

Just another thought: is your stunnel.pem in the config directory?
 

Livin

Just another thought: is your stunnel.pem in the config directory?
Yes, the stunnel.pem is in the config directory; I did verify this while I was trying to check whether the certificate even exists.
 

Livin

Thanks for this, I will do a cross-check of the statements and update soon. Cheers.
 

johnmcc

Hi, to assist, I installed stunnel on my laptop and was getting 'no certificate' errors. Edit the config file from
cert = stunnel.pem
to cert = path to stunnel.pem
in my case as follows:
cert = c:/stunnel/config/stunnel.pem

Stunnel started OK.

Edit for info: laptop running Windows 10.
 

Livin

Thanks once again johnmcc. I tried both
cert = C:\Program Files (x86)\stunnel\config\stunnel.pem
and
C:/Program Files (x86)/stunnel/config/stunnel.pem

and get the same error, as follows:

[ ] Loading certificate from file: C:\Program Files (x86)\stunnel\config\stunnel.pem
[!] error queue: 140DC009: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
[!] SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
[!] Service [blue-iris]: Failed to initialize TLS context

I am running out of guesses to fix this.

I am running 64-bit Win 10.
 

johnmcc

I tried putting stunnel.pem in cert = C:/Program Files (x86)/stunnelcert/stunnel.pem just to check whether spaces were causing any problems. It worked OK.


Have you tried to create a replacement certificate?
A shortcut should have been created when you installed stunnel, called 'Build a self signed certificate'.
Just a thought: I am using version 5.41, which one are you using?

If the shortcut was not created then create one:

C:\stunnel\bin\openssl.exe req -new -x509 -days 365 -config "C:\stunnel\config\openssl.cnf" -out "C:\stunnel\config\stunnel.pem" -keyout "C:\stunnel\config\stunnel.pem"

The path would require modifying to your location; I avoided using the Program Files directory to keep it simple.

'Start in' should be the location where stunnel is installed. It may be worth uninstalling and reinstalling.

I am also running Windows 10 64-bit, so your install should work.
 
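As an added illustration, not code from this thread or from stunnel, of the 'no start line' error quoted earlier and of what the self-signed-certificate command above should leave in stunnel.pem: this Python checker applies OpenSSL's rule that a PEM header must begin a line (so a UTF-8 BOM or other leading bytes hide it), then reports whether a key block and a certificate block are present. The PEM sample is constructed and contains no real key or certificate.

```python
import base64
import binascii
import re

# OpenSSL's PEM_read_bio only accepts "-----BEGIN <label>-----" at the very start
# of a line; leading bytes (e.g. a UTF-8 BOM) hide it and it reports "no start line".
PEM_BLOCK = re.compile(
    rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL | re.MULTILINE,
)
UTF8_BOM = b"\xef\xbb\xbf"

def pem_blocks(data: bytes) -> list[tuple[str, bytes]]:
    """Return (label, decoded DER bytes) for every well-formed PEM block in data."""
    blocks = []
    for match in PEM_BLOCK.finditer(data):
        label = match.group(1).decode("ascii")
        body = b"".join(match.group(2).split())  # drop CR/LF inside the base64 body
        try:
            blocks.append((label, base64.b64decode(body, validate=True)))
        except binascii.Error:
            pass  # corrupt base64: OpenSSL would reject this block as well
    return blocks

def diagnose(data: bytes) -> list[str]:
    """List reasons stunnel's 'cert = stunnel.pem' would fail to load this file."""
    problems = []
    if data.startswith(UTF8_BOM):
        problems.append("UTF-8 BOM at start of file: the first -----BEGIN line is not recognised")
    labels = [label for label, _ in pem_blocks(data)]
    if not labels:
        problems.append("no PEM block found: PEM_read_bio reports 'no start line'")
        return problems
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block for SSL_CTX_use_certificate_chain_file")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block: stunnel expects the key here unless 'key =' is set")
    return problems

# Constructed sample (not a real key or certificate) in the layout the shortcut writes:
# -keyout and -out point at the same file, so the key comes first, then the cert.
GOOD_PEM = (
    b"-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(b"constructed key bytes")
    + b"\n-----END PRIVATE KEY-----\n"
    + b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"constructed cert bytes")
    + b"\n-----END CERTIFICATE-----\n"
)
BOM_PEM = UTF8_BOM + GOOD_PEM  # the same file after an editor prepends a BOM
```

Run `diagnose(open("stunnel.pem", "rb").read())` against your own file; an empty list means both blocks were found with headers at line start.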

johnmcc

Hi, I tried making a new stunnel.pem and managed to break it... duh. So I uninstalled, including deleting the directory, and reinstalled, and it is up and running OK, so there is something in the make-new-cert step which is causing a problem.
So it might be worth uninstalling and reinstalling. Not a neat solution, but it gets it working.
 

johnmcc

OK, re-ran make certificate with these settings:
WARNING: can't open config file: /devel/win32/openssl/openssl.cnf
Generating a 2048 bit RSA private key
.....................................................................................+++
.......................................................................+++
writing new private key to 'C:\stunnel\config\stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [PL]:UK
State or Province Name (full name) [Mazovia Province]:Mystate
Locality Name (eg, city) [Warsaw]:Mytown
Organization Name (eg, company) [Stunnel Developers]:mysecurity
Organizational Unit Name (eg, section) [Provisional CA]:sec
Common Name (FQDN of your server) [localhost]:myadd.com

Certificate created and stunnel started OK.
 

Livin

Thanks so much. I do recall this step, where I just gave '.' to all; maybe it matters to enter something?

Let me try uninstalling and reinstalling, and enter some value rather than '.' for all.

Will test this and get back to you!
 

Livin

Thanks so much again johnmcc!!! Almost there!!

This was it. I set up the certificate request completely during re-installation, and stunnel is running successfully now with just the following updated in the config!

[blue iris]
accept = 8080
connect = 8081
cert = stunnel.pem

Thanks again!

But still not completely there. The good news is I am able to connect from my Android phone app to Blue Iris via HTTPS on the LAN. The not so good news is I am NOT able to connect from the app to Blue Iris via the LTE mobile network. Any advice?

Best regards!
 

johnmcc

Great, glad to have helped.

Setting up the app for access external to your local network:

I take it you have port 8080 on your router forwarded to the PC running BlueIris?
Also, the WAN address you have entered in the app should be yourexternalipaddress.co.uk:8080; the part after the IP address instructs the app to use port 8080.

I set up a VPN connection on my router, so when the VPN connection is running my iPhone has a local address even when I am away from home, so in the WAN address I enter the address as a local address.
 

Livin

Yes, you are right, 8080 is port forwarded on the router to my laptop running Blue Iris. I am pretty sure I have the same above-mentioned setup for external viewing on my router; I will double check once again and confirm as soon as I get the chance.

I don't know much about VPN other than the fact it helps with security and privacy, so not sure if I understood all of what you said, but I kinda get it, I think :)
Once the external viewing is successful with the WAN address, I would really be inclined to learn how to set up VPN on the router and use it for more security. I believe this doesn't cost money additionally for any service?

Thanks and regards
 

johnmcc

VPN: there are two types that are sometimes confused. A paid VPN service is where your identity is hidden and can't be tracked when you surf the web.
A VPN server on your router or server: your mobile makes a secure connection to your network, which assigns it a local address. This is what I use; my router has a VPN service built in. I take it you have a fixed IP address or a DynDns account to update your IP address to a web address. On LTE, this I believe is slower than 4G, so it may just be slow.
I have a Draytek router; it took me a bit of reading and trial and error to get it up and running.
 