Hello, Strange behaviour. But this is due to permission issue. Fix the permission of the certs and it should work. -- kokan ________________________________________ From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Steven La <steven.la@datastax.com> Sent: 17 March 2021 21:05 To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] Docker syslog-ng TLS issue CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe. I created a CA cert following the instructions here: https://support.oneidentity.com/fr-fr/technical-documents/syslog-ng-open-source-edition/3.22/mutual-authentication-using-tls<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.oneidentity.com%2Ffr-fr%2Ftechnical-documents%2Fsyslog-ng-open-source-edition%2F3.22%2Fmutual-authentication-using-tls&data=04%7C01%7Cpeter.kokai%40oneidentity.com%7C45e47ddcea3c4a02cafa08d8e9800e5d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637516083526340795%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=9aMTUEqPJJCzb8pYuXcy9ILAFAEs4Re5lB9iPKXWguM%3D&reserved=0> And the serverkey.pem is not encrypted, but syslog-ng is asking for a password when it starts up for the serverkey.pem. Any help would be appreciate Head of the server.key -----BEGIN PRIVATE KEY----- MIIEvAI.... syslog error: [2021-03-17T19:56:03.552322] Error setting up TLS session context; tls_error='system library:fopen:Permission denied', location='/etc/syslog-ng/syslog-ng.conf:21:2' [2021-03-17T19:56:03.552355] Error setting up TLS context; keyfile='/etc/ssl/certs/cert.d/serverkey.pem' [2021-03-17T19:56:03.552407] Waiting for password; keyfile='/etc/ssl/certs/cert.d/serverkey.pem' syslog-ng config: @version: 3.29 @include "scl.conf" source s_local { internal(); }; source s_network { default-network-drivers( # NOTE: TLS support # # the default-network-drivers() source driver opens the TLS # enabled ports as well, however without an actual key/cert # pair they will not operate and syslog-ng would display a # warning at startup. # tls(key-file("/etc/ssl/certs/cert.d/serverkey.pem") cert-file("/etc/ssl/certs/cert.d/servercert.pem") ca_dir("/etc/ssl/certs/ca.d")) peer_verify(optional-untrusted) ); }; destination d_local { file("/var/log/messages"); file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3)); }; log { source(s_local); source(s_network); destination(d_local); }; docker run command: sudo docker run -d --privileged -it -v "/data/syslog-ng/config/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf" -v "/data/syslog-ng/logs:/var/log" -v "/data/syslog-ng/certs:/etc/ssl/certs" -p 514:514/udp -p 601:601 -p 6514:6514 --name syslog-ng2 balabit/syslog-ng:latest -edv Thanks, Steven -- Steven La 408-503-0289 steven.la@datastax.com<mailto:Steven.La@datastax.com> | datastax.com<https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdatastax.com%2F&data=04%7C01%7Cpeter.kokai%40oneidentity.com%7C45e47ddcea3c4a02cafa08d8e9800e5d%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637516083526350793%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7ehIPJytFEFpe1iA%2F9XfVIX8VcmRBagO2BC16LHMsH4%3D&reserved=0>