That is the hash. 'openssl x509 -hash -noout -in <certfile>' will tell you what the number should be for a given certificate. Just symlink it as <number>.0, or when there is already a .0-suffixed link (hash collisions could occur), then just increase the suffix to .1 and so on... This hash is used for looking up the certificate of the issuer without reading all files. On Mon, May 2, 2011 at 4:43 PM, Pramod Pillai <pramodpillaip@gmail.com> wrote:
Hi, these are the config details. I ran truss on the server and found that it was looking for some file /data/conf/certifi/<some number>.0. I didn't understand much.
Server configuration:

source s_LTEMGR_SYSLOG_CLIENTS {
    tcp(ip(10.232.165.128) port(6954)
        tls(key_file("/data/conf/certifi/serverprivkey.pem")
            cert_file("/data/conf/certifi/servercert.pem")
            ca_dir("/data/conf/certifi")
            peer_verify(required-trusted))
    );
};

Client configuration:

destination d_SYSLOGNG_SERVER {
    tcp("10.232.165.128" port()
        tls(key_file("/data/conf/certifi/clikey.pem")
            cert_file("/data/conf/certifi/client.pem")
            ca_dir("/data/conf/certifi/")
            peer_verify(required-trusted))
    );
};
On Thu, Apr 28, 2011 at 8:42 PM, Gergely Nagy <algernon@balabit.hu> wrote:
Pramod Pillai <pramodpillaip@gmail.com> writes:
I am getting the following error while trying to configure TLS in syslog-ng:
Error on client:

Certificate validation failed; subject='C=IN, ST=KAR, O=orola, CN=12.168.50.192, emailAddress=a@d.com', issuer='C=Generic, ST=Generic, O=Generic, CN=Generic_Int_CA_1', error='unable to get local issuer certificate', depth='0'
SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
I/O error occurred while writing; fd='4', error='Broken pipe (32)'
Syslog connection broken; fd='4', server='AF_INET(10.232.165.128:5695)', time_reopen='60'

Error on server:

SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
The problem seems to be, as the log message says, that syslog-ng cannot find the Certificate Authority to verify the server's certificate.
You probably need to copy the CA cert and set the client up appropriately.
If you can show a config excerpt, I might be able to help a little more, but the documentation should be enough to set things up properly.
The relevant part of the documentation is available at the following URL:
http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-v3.2-guide...
-- |8]

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
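The hash-and-symlink procedure described at the top of the thread, as an added example that is not from the thread or from syslog-ng itself: a POSIX shell script (the function names next_free_suffix, install_ca_cert and check_ca_dir are mine) that links a CA certificate into a ca_dir() directory under its OpenSSL subject hash, picks the next free .N suffix when that hash name is already taken, and checks that every link in the directory still matches the certificate it points to.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: populate and check a
# syslog-ng ca_dir() directory by hand, the way the reply above describes.

# Print the first unused suffix N such that DIR/HASH.N does not exist.
# Two different CAs with the same subject hash get .0 and .1.
next_free_suffix() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Symlink CERTFILE into CADIR as <hash>.N, where <hash> is what
# 'openssl x509 -hash' prints, i.e. the name OpenSSL looks up when it
# needs the issuer certificate. Prints the link path that now holds it.
install_ca_cert() {
    certfile=$1; cadir=$2
    hash=$(openssl x509 -hash -noout -in "$certfile") || return 1
    # Reuse an existing link if this exact certificate is already installed.
    for existing in "$cadir/$hash".*; do
        [ -e "$existing" ] || continue
        if cmp -s "$existing" "$certfile"; then
            printf '%s\n' "$existing"; return 0
        fi
    done
    n=$(next_free_suffix "$cadir" "$hash")
    abs="$(cd "$(dirname "$certfile")" && pwd)/$(basename "$certfile")"
    ln -s "$abs" "$cadir/$hash.$n" || return 1
    printf '%s\n' "$cadir/$hash.$n"
}

# Verify a ca_dir: every <hash>.N entry must be readable as a certificate
# and its name must equal the subject hash of that certificate, otherwise
# OpenSSL will never find it and verification fails with
# 'unable to get local issuer certificate'. Returns non-zero on any problem.
check_ca_dir() {
    cadir=$1; rc=0
    for link in "$cadir"/*.[0-9]*; do
        [ -e "$link" ] || continue
        want=$(basename "$link" | sed 's/\.[0-9]*$//')
        got=$(openssl x509 -hash -noout -in "$link" 2>/dev/null) \
            || { echo "unreadable certificate: $link"; rc=1; continue; }
        [ "$got" = "$want" ] || { echo "hash mismatch: $link (should be $got)"; rc=1; }
    done
    return $rc
}
```

Run install_ca_cert on the CA certificate (for the error in this thread, the one whose subject is the issuer shown in the log) with the ca_dir() path from the configuration, then check_ca_dir on that directory.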