
I'm trying to use stunnel with 2 domains on the same IP.

My conf is this:

;key = /etc/ssl/private/namecheap/server.key

# See this link http://www.sysadminworld.com/2011/how-do-i-use-an-intermediate-certificate-with-stunnel/
# The intermediatev.pem is comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
# Restart /etc/init.d/stunnel4 restart 

cert = /etc/ssl/private/namecheap/stunnel.pem

;CApath = /etc/ssl/private/namecheap/www_soinfit_com.ca-bundle

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = /var/log/stunnel4/stunnel.log

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; no, we don't want SSLv2
;options = NO_SSLv2

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

[paleo-dating]
sni = https:www.paleo-dating.com
cert = /etc/ssl/private/namecheap/stunnel-dating.pem
accept = 5555
connect = localhost:5556


[shoptprod]
accept = 6676
connect = localhost:6060

[shoptest]
accept = 7676
connect = localhost:7070

[chatprod]
accept = 8686
connect = localhost:8080

[chattest]
accept = 9676
connect = localhost:9090

[groupchattest]
accept = 5656
connect = localhost:5050

[groupchatprd]
accept = 4646
connect = localhost:4040

When I run /etc/init.d/stunnel4 restart

I get this error:

Restarting SSL tunnels: Clients allowed=500
stunnel 4.53 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running  with OpenSSL 1.0.1t  3 May 2016
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from file /etc/stunnel/stunnel.conf
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service section [paleo-dating]
Section paleo-dating: SNI section name not found
str_stats: 39 block(s), 7369 data byte(s), 2262 control byte(s)
[Failed: /etc/stunnel/stunnel.conf]
You should check that you have specified the pid= in you configuration file

I hope you've solved your four-year-old problem. However, I came here with the same question and this is the answer:

Stunnel tries to match the SNI key's first part to a named section. If there is no such section in the configuration it will fail with the given error.

Looking at the configuration above, the line sni = https:www.paleo-dating.com refers to a missing [https] block. You can name it whatever you like as long as both strings are equal. Furthermore, the accept key belongs there:

[paleo-dating]
sni = https:www.paleo-dating.com
cert = /etc/ssl/private/namecheap/stunnel-dating.pem
; accept = 5555 <-- This goes below
connect = localhost:5556

[https]
accept = 5555

; Fallback
connect = fallback:1234
cert = fallback-cert.pem

This will accept secure connections on port 5555 and forward them to localhost:5556 if (and only if) the client used the Server Name Indication extension with a value of www.paleo-dating.com. Otherwise the fallback-cert.pem certificate gets presented to the client and the connection is forwarded to port 1234 on host fallback.

Michael
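An added example, not part of the question or answer and not stunnel's own code: a small Python checker that parses an stunnel.conf the way the answer reads it and reports the two problems discussed above, an sni value whose first part names no section (the question's "SNI section name not found") and an accept key left in the SNI slave section instead of the master. The rules are reconstructed from the answer; the sample configs are constructed here.

```python
from collections import defaultdict

# Constructed samples: the question's broken layout and the answer's fix.
BROKEN_CONF = """[paleo-dating]
sni = https:www.paleo-dating.com
accept = 5555
connect = localhost:5556
"""
FIXED_CONF = """[paleo-dating]
sni = https:www.paleo-dating.com
connect = localhost:5556
[https]
accept = 5555
"""

def parse_stunnel_conf(text):
    """stunnel.conf -> {section: [(key, value), ...]}; globals under None."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current]  # register the section even if it stays empty
            continue
        key, sep, value = line.partition("=")
        if sep:  # keys may repeat (e.g. socket = ...), so keep a list
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)

def check_sni(sections):
    """Answer's rules: 'sni = MASTER:host' needs an existing [MASTER] section
    carrying 'accept'; the slave section itself should not have 'accept'."""
    problems = []
    for name, opts in sections.items():
        for key, val in opts:
            if name is None or key != "sni":
                continue
            master, sep, host = val.partition(":")
            if not sep or not host:
                problems.append(f"{name}: sni {val!r} is not MASTER:HOSTNAME")
            elif master not in sections:
                problems.append(f"{name}: SNI section name not found: [{master}]")
            elif "accept" not in {k for k, _ in sections[master]}:
                problems.append(f"{master}: SNI master section has no accept")
            elif "accept" in {k for k, _ in opts}:
                problems.append(f"{name}: accept belongs in master [{master}]")
    return problems
```

Running check_sni over the broken sample yields the same missing-section complaint stunnel logged; over the fixed sample it yields nothing.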