Multiple SSL certs with Stunnel
I have purchased two PositiveSSL certs (separately), one for manager.domain.com and another for domain.com. Originally I only needed manager.domain.com using SSL, but then I needed to use SSL on domain.com. Everything works fine with the one SSL cert for domain.manager.com, but when I add in the 2nd certificate data to the .pem file, domain.com tries to verify using domain.com's cert, and it doesn't work. How can I have two SSL certs using the same instance of stunnel? I am using nginx, and varnish also if that is useful.
Here is the stunnel config file, and format of my pem file. Note - this will work fine for domain.manager.com (which is the first cert).
cert = /etc/ssl/all.pem
debug = 5
output = /var/log/stunnel4/stunnel.log
[https]
accept = 443
connect = 80
And the format for the all.pem. The first cert is for manager.domain.com (which works), and second is for domain.com, which does not work. (The private key was generated with manager.domain.com):
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkahkiG9w0BAQEFAASCBKkwggSl444AAoIBAQDz/pbylQ5Ci6ji
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFCjCCA/gdfwIBAgIRAL9QPhnM0h2smePkZ8ToSBMwDdfgKoZIhvcNAQEFBQAw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFCjCCA/gdfwIBAgIRAL9QPhnM0h2smePkZ8ToSBMwDdfgKoZIhvcNAQEFBQAw
-----END CERTIFICATE-----
I have also tried separating the certs and putting them into a CApath
CApath = /etc/stunnel/certs/
debug = 5
output = /var/log/stunnel4/stunnel.log
[https]
accept = 443
connect = 80
I use the commands
openssl x509 -hash -noout -in domain.pem
openssl x509 -hash -noout -in manager.domain.pem
to create the files to put in the dir /etc/stunnel/certs/. But stunnel gives the following error when trying to restart:
Restarting SSL tunnels: No limit detected for the number of clients
signal_pipe: FD=3 allocated (non-blocking mode)
signal_pipe: FD=4 allocated (non-blocking mode)
stunnel 4.42 on i686-pc-linux-gnu platform
Compiled with OpenSSL 1.0.0e 6 Sep 2011
Running with OpenSSL 1.0.1 14 Mar 2012
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
Reading configuration from file /etc/stunnel/https.conf
PRNG seeded successfully
Line 8: End of section https: SSL server needs a certificate
str_stats: 53 block(s), 3974 byte(s)
[Failed: /etc/stunnel/https.conf]
You should check that you have specified the pid= in you configuration file
The files given to me for manager.domain.com are
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - PositiveSSLCA2.crt
Your PositiveSSL Certificate - manager_domain_com.crt
and the same for domain.com.
Can someone please help me on this?
Solution 1:
You need to use TLS SNI to be able to present two different certificates on the same listening port. Be aware that some clients, notably most browsers running under Windows XP, do not support SNI.
See the sni option in the documentation. Split your certificates into different files (the same private key is used for both public certificates):
[https]
cert = /etc/ssl/domain.com.pem
accept = 443
connect = 80
[domain]
sni = https:domain.com
sni = https:www.domain.com
cert = /etc/ssl/domain.com.pem
connect = 80
[manager]
sni = https:manager.domain.com
cert = /etc/ssl/manager.domain.com.pem
connect = 80
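As an added check (my own script, not part of the answer above or of stunnel itself): a small Python lint that parses an stunnel config in the layout shown, reports a listening section without a cert= (the "SSL server needs a certificate" error from the question), an sni= value that does not point at a listening section, and a cert= PEM file that does not hold exactly one private key (which is what the malformed END PRIVATE KEY delimiter in the question produces). The sample config and PEM strings are constructed, and this is a structural check only, not stunnel's own validation.

```python
import re

# Constructed sample: the asker's CApath attempt, which leaves the listener without cert=.
BROKEN_CONF = "CApath = /etc/stunnel/certs/\n[https]\naccept = 443\nconnect = 80\n"

def parse_stunnel_conf(text):
    """Return {section: [(key, value), ...]}; '' holds options set before the first [section]."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections

def lint_sni_layout(sections):
    """Structural checks for the one-listener-plus-SNI-slave layout; returns findings."""
    findings, defaults = [], dict(sections[""])
    for name, items in sections.items():
        if not name:
            continue
        opts = dict(items)
        if "accept" in opts and "cert" not in opts and "cert" not in defaults:
            findings.append(f"[{name}]: SSL server needs a certificate")
        for target in (v for k, v in items if k == "sni"):
            parent, _, host = target.partition(":")
            if not host or "accept" not in dict(sections.get(parent, [])):
                findings.append(f"[{name}]: sni={target} must name a listening section")
    return findings

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def check_cert_file(pem_text):
    """A cert= file should hold exactly one private key plus its certificate chain."""
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    keys = sum(k.endswith("PRIVATE KEY") for k in kinds)
    problems = []
    if keys != 1:
        problems.append(f"expected one private key block, found {keys}")
    if "CERTIFICATE" not in kinds:
        problems.append("no certificate block")
    return problems
```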