
I have purchased two PositiveSSL certs (separately), one for manager.domain.com and another for domain.com. Originally I only needed manager.domain.com using SSL, but then I needed to use SSL on domain.com. Everything works fine with the one SSL cert for domain.manager.com, but when I add in the 2nd certificate data to the .pem file, domain.com tries to verify using domain.com's cert, and it doesn't work. How can I have two SSL certs using the same instance of stunnel? I am using nginx, and varnish also if that is useful.

Here is the stunnel config file, and format of my pem file. Note - this will work fine for domain.manager.com (which is the first cert).

cert = /etc/ssl/all.pem
debug = 5
output = /var/log/stunnel4/stunnel.log

[https]
accept  = 443
connect = 80

And the format for the all.pem. The first cert is for manager.domain.com (which works), and second is for domain.com, which does not work. (The private key was generated with manager.domain.com):

-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkahkiG9w0BAQEFAASCBKkwggSl444AAoIBAQDz/pbylQ5Ci6ji
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFCjCCA/gdfwIBAgIRAL9QPhnM0h2smePkZ8ToSBMwDdfgKoZIhvcNAQEFBQAw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFCjCCA/gdfwIBAgIRAL9QPhnM0h2smePkZ8ToSBMwDdfgKoZIhvcNAQEFBQAw
-----END CERTIFICATE-----

I have also tried separating the certs and putting them into a CApath

CApath = /etc/stunnel/certs/
debug = 5
output = /var/log/stunnel4/stunnel.log

[https]
accept  = 443
connect = 80

I use the commands

openssl x509 -hash -noout -in domain.pem
openssl x509 -hash -noout -in manager.domain.pem

to create the files to put in the dir /etc/stunnel/certs/. But stunnel gives the following error when trying to restart:

Restarting SSL tunnels: No limit detected for the number of clients
signal_pipe: FD=3 allocated (non-blocking mode)
signal_pipe: FD=4 allocated (non-blocking mode)
stunnel 4.42 on i686-pc-linux-gnu platform
Compiled with OpenSSL 1.0.0e 6 Sep 2011
Running  with OpenSSL 1.0.1 14 Mar 2012
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
Reading configuration from file /etc/stunnel/https.conf
PRNG seeded successfully
Line 8: End of section https: SSL server needs a certificate
str_stats: 53 block(s), 3974 byte(s)
[Failed: /etc/stunnel/https.conf]
You should check that you have specified the pid= in you configuration file

The files given to me for manager.domain.com are

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - PositiveSSLCA2.crt
Your PositiveSSL Certificate - manager_domain_com.crt

and the same for domain.com.

Can someone please help me on this?

Errol Fitzgerald

1 Answer

You need to use TLS SNI to be able to present two different certificates on the same listening port. Be aware that some clients, notably most browsers running under Windows XP, do not support SNI.

See the sni option in the documentation. Split your certificates into different files (the same private key is used for both public certificates):

[https]
cert = /etc/ssl/domain.com.pem
accept  = 443
connect = 80

[domain]
sni = https:domain.com
sni = https:www.domain.com
cert = /etc/ssl/domain.com.pem
connect = 80

[manager]
sni = https:manager.domain.com
cert = /etc/ssl/manager.domain.com.pem
connect = 80

Shane Madden
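As an added example (not code from the question or the answer), a POSIX shell script that assembles one stunnel PEM bundle per hostname from the PositiveSSL files named in the question, checks that each private key matches its certificate, and queries each SNI name with openssl s_client to confirm which certificate stunnel serves. The key file names manager.key and domain.key, the file name domain_com.crt, and the local stunnel address 127.0.0.1:443 are assumptions.

```shell
#!/bin/sh
# Build one stunnel PEM bundle per hostname and check what each SNI name serves.
# File names follow the PositiveSSL deliverables listed in the question; the
# key file names (manager.key, domain.key) and domain_com.crt are assumptions.
set -e

# stunnel reads one file per [section]: private key first, then the server
# certificate, then the chain from the intermediate CA up to the root.
build_stunnel_pem() {   # out key leaf intermediate root
    out=$1; shift
    cat "$@" > "$out"
    chmod 600 "$out"    # the bundle contains the private key
}

# Number of PEM blocks in a bundle (key + leaf + intermediate + root = 4).
pem_block_count() {
    grep -c '^-----BEGIN ' "$1"
}

# The type named in the first PEM block, e.g. "PRIVATE KEY".
first_block_type() {
    head -n 1 "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/'
}

# Succeeds only if the key and the certificate carry the same public key.
key_matches_cert() {   # key cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# Print subject and SANs of the certificate presented for one SNI name.
sni_cert_names() {   # host port servername
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -text \
      | grep -E 'subject=|DNS:'
}

if [ "${1:-}" = "build" ]; then
    build_stunnel_pem /etc/ssl/manager.domain.com.pem manager.key \
        manager_domain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt
    build_stunnel_pem /etc/ssl/domain.com.pem domain.key \
        domain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt
    key_matches_cert manager.key manager_domain_com.crt
    key_matches_cert domain.key domain_com.crt
    # after restarting stunnel, each name should show its own certificate
    sni_cert_names 127.0.0.1 443 manager.domain.com
    sni_cert_names 127.0.0.1 443 domain.com
fi
```

Run it as `sh build-stunnel-pems.sh build` from the directory holding the PositiveSSL files. The CApath option tried in the question is where stunnel looks for CA certificates used to verify peers, so hashed copies placed there are never served as the server's own certificate.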