Hi Honza,

On 18.03.2011, at 14:01, Honza Mach wrote:
> Mar 18 12:54:22 machine syslog-ng[5432]: Certificate validation failed; subject='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', issuer='CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE', error='self signed certificate in certificate chain', depth='3'

This is your problem. It's a bit difficult to judge from afar, but did you properly install the CA certificate the server uses on the client? If so, did you create the hash and a symbolic link from your CAdir to the CA certificate?

In my test installation, the general setup for the CA certificate is as follows:

    destination d_remote {
        tcp( "server" port( 601 )
            tls(
                key_file("/opt/syslog-ng/etc/ssl/client_key.pem")
                cert_file("/opt/syslog-ng/etc/ssl/client_crt.pem")
                ca_dir( "/opt/syslog-ng/etc/ssl" )
            )
        );
    };

You may ignore key_file and cert_file if the server is not expecting the client to provide a certificate. The relevant part is ca_dir. Here are the CA certificate and a link to it which is named after the CA certificate's hash with a trailing '.0':

    [root@client etc]# ls -la /opt/syslog-ng/etc/ssl
    total 24
    drwxr-xr-x 2 root root 4096 Mar  9 01:10 .
    drwxr-xr-x 4 root root 4096 Mar  9 01:15 ..
    lrwxrwxrwx 1 root root   10 Mar  9 01:10 39118da4.0 -> ca_crt.pem
    -rw-r--r-- 1 root root 2049 Mar  9 01:05 ca_crt.pem
    -rw-r--r-- 1 root root 4409 Mar  9 01:05 client_crt.pem
    -r-------- 1 root root 1679 Mar  9 01:05 client_key.pem

You get the hash using openssl:

    [root@client etc]# openssl x509 -noout -hash -in /opt/syslog-ng/etc/ssl/ca_crt.pem
    39118da4

I am using this setup with 3.2.2 and 3.1.4 on several dozen machines without any problems. Without the hash link, I get exactly the same error you are seeing:

    Mar 18 20:05:07 client syslog-ng[12819]: Certificate validation failed; subject='Root CA', issuer='Root CA', error='self signed certificate in certificate chain', depth='1'

Best regards,
Peter.
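
The hash-link step described in the message above, as an added shell example that is not part of the original mail: it creates the `<hash>.N` link for a CA certificate in a ca_dir and checks that such a link actually resolves to that certificate. The function names `ca_hash`, `link_ca` and `has_ca_link` are hypothetical helpers; only the `openssl x509 -noout -hash` call and the paths in the usage comment come from the message.

```shell
#!/bin/sh
# Added example (not from the original mail): create and verify the OpenSSL
# hash link that ca_dir() lookups depend on. Function names are hypothetical.

# Print the subject hash of a PEM certificate. Use the openssl that matches
# the library syslog-ng is linked against: OpenSSL 1.0.0 changed the hash
# algorithm, so the value differs between the two generations.
ca_hash() {
    openssl x509 -noout -hash -in "$1"
}

# link_ca CA_DIR CERT_NAME: make CA_DIR/<hash>.N -> CERT_NAME, print the link name.
link_ca() {
    dir=$1 cert=$2
    hash=$(ca_hash "$dir/$cert") || return 1
    n=0
    # .0 is the first slot; a different CA with the same hash takes .1, .2, ...
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$cert" ]; then
            echo "$hash.$n"      # already linked, nothing to do
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$cert" "$dir/$hash.$n" && echo "$hash.$n"
}

# has_ca_link CA_DIR CERT_NAME: succeed only if some <hash>.N resolves to the
# same certificate content. Dangling links and an unmatched glob are skipped.
has_ca_link() {
    dir=$1 cert=$2
    hash=$(ca_hash "$dir/$cert") || return 2
    for link in "$dir/$hash".*; do
        [ -e "$link" ] || continue
        if cmp -s "$link" "$dir/$cert"; then return 0; fi
    done
    return 1
}

# Stand-alone use: sh script.sh /opt/syslog-ng/etc/ssl ca_crt.pem
if [ "$#" -eq 2 ]; then
    has_ca_link "$1" "$2" || link_ca "$1" "$2"
fi
```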