szli

Reputation: 39109

Stunnel error: no start line

I have a client application. The server application gave me a PEM file, and requires me to connect using SSL. I use stunnel and specified the certification file to be the PEM file, and set client=yes. When I run stunnel I see the following error at startup:

[!] error queue:  : error:  :SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
[!] SSL_CTX_use_PrivateKey_file: : error: :PEM routines:PEM_read_bio:no start line

The PEM file looks ok, it has -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. I use

openssl x509 -inform PEM -in filename.pem -text

to view the content and it looks ok.

Any idea what could go wrong?

Upvotes: 0

Views: 12422

Answers (3)

Farshad

Reputation: 1

As is mentioned above by Besha, writing out the full address for cert and key files in the stunnel.conf solved my problem. I had a similar issue: Stunnel would work ok when started manually but would fail to start at boot time with an error identical to the one mentioned here. Both cert and key files were located in the same directory as the conf file, but stunnel would still fail to start at boot up.

Upvotes: 0

Besha

Reputation: 1

I had the same issue. It didn't understand that the certificates are in the same directory as the configuration file. So, I had to write the full path for the certificates.

cert = /etc/stunnel/xxxxxxxxxx.crt
key = /etc/stunnel/xxxxxxxxxxx.key

Upvotes: 0

Steffen Ullrich

Reputation: 123481

I guess you want to use the given certificate to verify the connection and thus you need to specify it as CAfile. What you probably did instead was to specify it as a client certificate which gets sent to the server to authenticate the client. But this is just a guess, because you did not provide the configuration in your question.

If you really want to use client authentication then you also have to provide the private key matching the certificate. If you don't specify a key it will look for it in the cert file, and in your case it did not find it there.

Upvotes: 3
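
Added example, not part of any answer in this thread: a shell sketch that classifies a PEM file by its `-----BEGIN ...-----` labels, which shows why a certificate-only file given as `cert` with no `key` ends in `PEM_read_bio:no start line`. The function names, file names and the role strings it prints are assumptions of this example, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM file by its block labels.

# Print each BEGIN label on its own line, e.g. "CERTIFICATE", "RSA PRIVATE KEY".
# Trailing whitespace (including CR from Windows line endings) is tolerated.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Report what the file holds: a certificate, a private key, both, or neither.
pem_role() {
    labels=$(pem_labels "$1")
    has_cert=no
    has_key=no
    # Exact-line match so "CERTIFICATE REQUEST" is not taken for a certificate.
    if printf '%s\n' "$labels" | grep -Eq '^(X509 |TRUSTED )?CERTIFICATE$'; then
        has_cert=yes
    fi
    # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
    if printf '%s\n' "$labels" | grep -Eq '^([A-Z0-9]+ )?PRIVATE KEY$'; then
        has_key=yes
    fi
    case "$has_cert/$has_key" in
        yes/yes) echo "cert+key" ;;   # cert alone is enough, key is found in it
        yes/no)  echo "cert-only" ;;  # the situation in the question
        no/yes)  echo "key-only" ;;
        *)       echo "neither" ;;
    esac
}

# Constructed sample files; the bodies are placeholders, not real key material.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/server.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/client.key"
    cat "$1/server.pem" "$1/client.key" > "$1/combined.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE REQUEST-----' > "$1/request.csr"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in server.pem client.key combined.pem request.csr; do
    printf '%-13s %s\n' "$f" "$(pem_role "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

A `cert-only` result means the file can be given as `CAfile` to verify the server, or as `cert` only together with a separate `key` file.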
