How to setup stunnel5 with Let’s Encrypt on Ubuntu 18.04

There is a bug in stunnel4 on Ubuntu 18.04 that lets attackers crash stunnel4. Because of this and the fact that the bug is still not fixed I’ll show you on how to install stunnel5 and use it with Let’s Encrypt. For the tutorial I’ll assume that you have already some sort of webserver running on port 80.

Update and upgrade the packet list:

apt-get update
apt-get -y upgrade

Install and start certbot:

apt-get install certbot
certbot certonly

Certbot will then ask on how you like to authenticate with the ACME CA. I have choosen the temporary standalone webserver option but you can choose whatever you want and/or works for you. In the further process they will then ask you for an email address and a domain. If the process was successful a “Congratulations!” message appears along with the paths to a certificate and a key. We’ll need these later.

Build and install stunnel:

apt-get install gcc g++ build-essential libreadline-dev zlib1g-dev linux-headers-generic libssl-dev libssl1.0-dev
tar xzf stunnel-5.58.tar.gz
cd stunnel-5.58
make install

Edit the file stunnel.conf:

vi /usr/local/etc/stunnel/stunnel.conf

The following example connects a port 80 webserver to port 443:

; It is recommended to drop root privileges if stunnel is started by root
setuid = stunnel
setgid = stunnel

; PID file is created inside the chroot jail (if enabled)
chroot = /var/lib/stunnel
pid = /

; TLS front-end to a web server
; Use the cert and key from certbot
accept  = 443
connect = 80
cert = /etc/letsencrypt/live/domain.tld/fullchain.pem

And at the end:

useradd -s /bin/false -r stunnel
mkdir /var/lib/stunnel
chown stunnel:stunnel /var/lib/stunnel
cp /usr/local/share/doc/stunnel/examples/stunnel.init /etc/init.d/stunnel5
chmod 755 /etc/init.d/stunnel5
cp /usr/local/share/doc/stunnel/examples/stunnel.service /etc/systemd/system/stunnel5.service
systemctl start stunnel5
systemctl enable stunnel5

Your webserver should now be available via https on port 443.

Leave a Reply

Your email address will not be published. Required fields are marked *