I am trying to get mutual authentication working between a syslog-ng server and an Rsyslog client, using startssl.com issued certificates. The client does properly authenticate the server, but syslog-ng does not recognize the client as trusted.

Server info:
------------

# cat /etc/redhat-release
CentOS release 6.6 (Final)

# /usr/local/syslog-ng/sbin/syslog-ng --version
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: Aug 18 2013 22:16:35
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

source s_network_secure {
    tcp(flags(no-multi-line) ip(0.0.0.0) port(6514)
        tls(
            key-file("/usr/local/syslog-ng/etc/cert.d/cert.key")
            cert-file("/usr/local/syslog-ng/etc/cert.d/cert.pem")
            ca_dir("/usr/local/syslog-ng/etc/cert.d")
            peer_verify(required-untrusted))
    );
};

And of course this is defined in a log statement.

Here is the directory. Note that the symbolic link of the hash has been created.

# ll /usr/local/syslog-ng/etc/cert.d/
total 204
lrwxrwxrwx. 1 root root     13 Mar  3 13:51 876f1e28.0 -> ca-bundle.pem
-rw-r--r--. 1 root root 195587 Mar  3 13:08 ca-bundle.pem
-r--------. 1 root root   1679 Feb 28 11:21 cert.key
-r--------. 1 root root   2260 Feb 28 11:50 cert.pem
-rw-r--r--. 1 root root   2281 Mar  3 13:58 client.key

required-untrusted works, but required-trusted doesn't. So I figured maybe it was an SSL issue with the authority, but it seems to validate OK.

# openssl verify -CAfile 876f1e28.0 -verbose client.key
client.key: OK

Client info:
------------

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

# rsyslogd -v
rsyslogd 7.4.4, compiled with:
    FEATURE_REGEXP: Yes
    FEATURE_LARGEFILE: No
    GSSAPI Kerberos 5 support: Yes
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported: Yes
    64bit Atomic operations supported: Yes
    Runtime Instrumentation (slow code): No
    uuid support: Yes

See http://www.rsyslog.com for more information.

I suppose there's no additional client info needed since I know it is presenting the certificate--the issue seems to be that the syslog-ng server simply doesn't trust it.

All suggestions appreciated.
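
A check for the hashed ca_dir layout shown in the post, as an added example that is not part of the original message: OpenSSL finds a CA in such a directory through a file named after that certificate's subject hash, so the function below lists every certificate in a bundle that has no <hash>.N entry. The function name and its two arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a hashed CA directory.
# missing_ca_hashes CA_DIR BUNDLE.pem   (hypothetical helper name)
# Prints "<hash> <subject>" for each certificate in BUNDLE.pem that has no
# CA_DIR/<hash>.N entry. Returns 0 if every certificate has one, 1 otherwise.
# The hash is computed by the openssl binary on PATH; it has to be the same
# OpenSSL generation the daemon is linked against (see -subject_hash_old).
missing_ca_hashes() {
    dir=$1
    bundle=$2
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate.
    awk -v out="$tmp/cert." '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep                          { print > (out n) }
        /-----END CERTIFICATE-----/   { keep = 0; close(out n) }
    ' "$bundle"

    status=0
    for one in "$tmp"/cert.*; do
        [ -f "$one" ] || continue
        subj_hash=$(openssl x509 -in "$one" -noout -subject_hash 2>/dev/null) || continue

        # A directory lookup only opens files named <subject hash>.<number>.
        found=no
        for entry in "$dir/$subj_hash".*; do
            if [ -e "$entry" ]; then
                found=yes
            fi
        done

        if [ "$found" = no ]; then
            subject=$(openssl x509 -in "$one" -noout -subject)
            echo "$subj_hash $subject"
            status=1
        fi
    done

    rm -rf "$tmp"
    return $status
}
```

For the directory in the post it would be called as: missing_ca_hashes /usr/local/syslog-ng/etc/cert.d /usr/local/syslog-ng/etc/cert.d/ca-bundle.pem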