
I have a client application. The server application gave me a PEM file and requires me to connect using SSL. I use stunnel, specified the certificate file to be the PEM file, and set client=yes. When I run stunnel I see the following error at startup:

[!] error queue:  : error:  :SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
[!] SSL_CTX_use_PrivateKey_file: : error: :PEM routines:PEM_read_bio:no start line

The PEM file looks ok, it has -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. I use

openssl x509 -inform PEM -in filename.pem -text

to view the content and it looks ok.

Any idea what could go wrong?

szli

3 Answers

I guess you want to use the given certificate to verify the connection and thus you need to specify it as CAfile. What you probably did instead was to specify it as a client certificate, which gets sent to the server to authenticate the client. But this is just a guess, because you did not provide the configuration in your question.

If you really want to use client authentication then you also have to provide the private key matching the certificate. If you don't specify a key it will look for it in the cert file, and in your case it did not find it there.

Steffen Ullrich
  • This is the exact solution! I am still a bit confused: what is this certificate, specified as CAfile, used for? – szli Oct 22 '14 at 15:35
  • SSL needs to have trusted certificates to verify the peer. If no verification were done then the connection would still be encrypted, but you might encrypt it with the wrong peer due to a man-in-the-middle attack. – Steffen Ullrich Oct 22 '14 at 15:40
  • So this is to verify that the server I am connecting to is really the server I want to connect to, correct? I thought such a certificate is sent by the server to the client when the client connects to the server, like when the browser connects to a web server, isn't it? – szli Oct 22 '14 at 15:49
  • The server sends the certificate and the client has to verify that this certificate is the expected one. To do this it needs to know the certificate itself or it needs to trust the issuer of the certificate (the trusted CA). – Steffen Ullrich Oct 22 '14 at 16:17

I had the same issue. It didn't understand that the certificates were in the same directory as the configuration file. So, I had to write the full path for the certificates.

cert = /etc/stunnel/xxxxxxxxxx.crt
key = /etc/stunnel/xxxxxxxxxxx.key
Robert
Besha

As mentioned above by Besha, writing out the full path for the cert and key files in the stunnel.conf solved my problem. I had a similar issue: stunnel would work ok when started manually but would fail to start at boot time with an error identical to the one mentioned here. Both the cert and key file were located in the same directory as the conf file, but stunnel would still fail to start at boot.

Farshad
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 16 '22 at 14:55
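An added example, not code from the question or from any of the answers above, that ties the three answers together: a small Python script that inspects which PEM blocks a file actually contains, flags the two startup failures discussed on this page (a file with no private-key block handed to stunnel as `cert` without a separate `key`, which is what produces "no start line" from SSL_CTX_use_PrivateKey_file, and a relative path that stunnel does not resolve against the directory of stunnel.conf), and renders the stunnel client section that matches the file: CAfile plus peer verification when the file holds only the server's certificate, cert/key when it holds a certificate and its private key. The service name, the accept/connect addresses and the `verifyPeer = yes` directive (`verify = 3` on older stunnel releases) are assumptions; the PEM bodies are constructed placeholders, not real key material.

```python
import os
import re

# One PEM block: a BEGIN line, the base64 body, and the matching END line.
# The backreference makes the END label agree with the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# BEGIN labels that OpenSSL's PEM private-key reader accepts.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
    "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def pem_labels(text):
    """Return the BEGIN labels of all well-formed PEM blocks, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def classify(text):
    """Classify a PEM file as 'cert-only', 'key-only', 'cert+key' or 'no-pem'."""
    labels = pem_labels(text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(label in PRIVATE_KEY_LABELS for label in labels)
    if has_cert and has_key:
        return "cert+key"
    if has_cert:
        return "cert-only"
    if has_key:
        return "key-only"
    return "no-pem"


def diagnose(pem_path, text):
    """List the problems from this page that would make stunnel fail at startup."""
    problems = []
    if not os.path.isabs(pem_path):
        problems.append(
            f"{pem_path!r} is a relative path; stunnel does not resolve it against "
            "the directory of stunnel.conf, so use the full path")
    if classify(text) in ("cert-only", "no-pem"):
        problems.append(
            "no PRIVATE KEY block: given as 'cert' without a separate 'key', "
            "SSL_CTX_use_PrivateKey_file reports 'PEM_read_bio:no start line'")
    return problems


def stunnel_client_section(pem_path, text, name="myservice",
                           accept="127.0.0.1:8443", connect="server.example:443"):
    """Render a stunnel client [service] section matching what the file holds.

    name, accept and connect are assumed placeholder values.
    """
    kind = classify(text)
    lines = [f"[{name}]", "client = yes",
             f"accept = {accept}", f"connect = {connect}"]
    if kind == "cert-only":
        # Only the server's (or its CA's) certificate: use it to verify the peer.
        lines += [f"CAfile = {pem_path}",
                  "verifyPeer = yes"]  # older stunnel releases: verify = 3
    elif kind == "cert+key":
        # Certificate plus matching private key: usable for client authentication.
        lines += [f"cert = {pem_path}", f"key = {pem_path}"]
    elif kind == "key-only":
        lines += [f"key = {pem_path}",
                  "; cert = <client certificate matching this key>"]
    return "\n".join(lines) + "\n"


# Constructed sample inputs: placeholder base64 bodies, not real certificates or keys.
CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderBody=\n"
    "-----END CERTIFICATE-----\n"
)
CERT_AND_KEY = CERT_ONLY + (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEconstructedPlaceholderBody=\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    samples = [("filename.pem", CERT_ONLY),            # the questioner's situation
               ("/etc/stunnel/client.pem", CERT_AND_KEY)]
    for path, text in samples:
        print(f"{path}: {classify(text)}")
        for problem in diagnose(path, text):
            print("  problem:", problem)
        print(stunnel_client_section(path, text))
```

Run it and the first sample reproduces the questioner's case: a certificate-only file under a relative path yields both diagnostics and a section that uses the file as CAfile rather than as cert, which is exactly the change Steffen's answer describes.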