I have a syslog server running syslog-ng-4.6.0 (from the copr repo).
I am not seeing any TLS issues in the logs using the existing ca.d certificate and the current server tls certificate.
The current tls certificate will expire soon, and the CA used to sign the server certificate can no longer be used.
I have created a new server certificate, signed with a new Root CA. This new Root CA has been successfully added to the ca.d folder and is running without error with the current server certificate.
When I replace the server certificate with the new one and restart syslog-ng, I start getting a lot of errors in the logs.
SSL error while reading stream; tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
The new server certificate validates:
$ openssl verify tls/server.crt
tls/server.crt: OK
The CA used to sign the certificate is in the ca.d folder with the correct hash.
I have to assume that the error is actually referring to the server certificate, but it could be referring to a client certificate. The error goes away when I switch the server certificate back.
The only thing that changes for this error is using the new server certificate.
How do I track this down?
Are there any other suggestions on what might have gone wrong?
--Evan
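
An added example, not part of the original message and not syslog-ng's own tooling: a shell function that checks a certificate against one hashed CA directory only, the way a peer configured with that directory would look up the issuer. The function name `check_ca_dir` and the paths in the usage comment are assumptions; it needs the `openssl` CLI, version 1.1.0 or later for `-no-CAfile`.

```shell
#!/bin/sh
# check_ca_dir CERT CA_DIR   (hypothetical helper name, added example)
# Returns 0 only if CERT's issuer is present in CA_DIR under its hash name
# and CERT verifies using CA_DIR alone.
check_ca_dir() {
    cert=$1
    ca_dir=$2

    # Hash of the certificate's issuer name. OpenSSL looks the issuer up in a
    # hashed directory as <hash>.0, <hash>.1, ...
    want=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2

    found=no
    for f in "$ca_dir/$want".[0-9]*; do
        [ -e "$f" ] || continue   # glob matched nothing
        # The file name must agree with the subject hash of the CA inside it;
        # a stale or hand-copied link can carry the wrong certificate.
        have=$(openssl x509 -noout -subject_hash -in "$f") || continue
        if [ "$have" = "$want" ]; then
            found=yes
            echo "issuer CA present: $f"
        fi
    done

    if [ "$found" = no ]; then
        echo "no usable $want.N entry in $ca_dir for the issuer of $cert"
        return 1
    fi

    # Without -CApath, `openssl verify` consults the default trust locations
    # instead of CA_DIR. -no-CAfile also keeps the default bundle out, so the
    # result depends on CA_DIR only.
    openssl verify -no-CAfile -CApath "$ca_dir" "$cert"
}

# Usage (paths are assumptions based on the message above):
#   check_ca_dir tls/server.crt ca.d
```

Running it against a copy of a sending host's CA directory shows whether that host can build a chain to the new certificate.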