There is a bug in stunnel4 on Ubuntu 18.04 that lets attackers crash stunnel4. Because of this and the fact that the bug is still not fixed I’ll show you on how to install stunnel5 and use it with Let’s Encrypt. For the tutorial I’ll assume that you have already some sort of webserver running on port 80.
Update and upgrade the packet list:
apt-get update
apt-get -y upgrade
Install and start certbot:
apt-get install certbot
certbot certonly
Certbot will then ask on how you like to authenticate with the ACME CA. I have choosen the temporary standalone webserver option but you can choose whatever you want and/or works for you. In the further process they will then ask you for an email address and a domain. If the process was successful a “Congratulations!” message appears along with the paths to a certificate and a key. We’ll need these later.
Build and install stunnel:
apt-get install gcc g++ build-essential libreadline-dev zlib1g-dev linux-headers-generic libssl-dev libssl1.0-dev
wget https://www.stunnel.org/downloads/stunnel-5.58.tar.gz
tar xzf stunnel-5.58.tar.gz
cd stunnel-5.58
./configure
make
make install
Edit the file stunnel.conf:
vi /usr/local/etc/stunnel/stunnel.conf
The following example connects a port 80 webserver to port 443:
; It is recommended to drop root privileges if stunnel is started by root
setuid = stunnel
setgid = stunnel
; PID file is created inside the chroot jail (if enabled)
chroot = /var/lib/stunnel
pid = /stunnel.pid
; TLS front-end to a web server
; Use the cert and key from certbot
[https]
accept = 443
connect = 80
cert = /etc/letsencrypt/live/domain.tld/fullchain.pem
key=/etc/letsencrypt/live/domain.tld/privkey.pem
And at the end:
useradd -s /bin/false -r stunnel
mkdir /var/lib/stunnel
chown stunnel:stunnel /var/lib/stunnel
cp /usr/local/share/doc/stunnel/examples/stunnel.init /etc/init.d/stunnel5
chmod 755 /etc/init.d/stunnel5
cp /usr/local/share/doc/stunnel/examples/stunnel.service /etc/systemd/system/stunnel5.service
systemctl start stunnel5
systemctl enable stunnel5
Your webserver should now be available via https on port 443.