Hi,

I do the following:

Following the link from Balabit I have done the server side without errors. Then I do this on the client side:

1. mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt

Then I copy the "cacert.pem" to the client machine and try the next step, "Creating a client certificate", using the following commands:

openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem

And on the last line I have the errors:

openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Error opening CA certificate ./cacert.pem
140030533961632:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./cacert.pem','r')
140030533961632:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

So I try to copy the serverkey.pem and servercert.pem, but get similar errors:

Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Error opening CA certificate ./cacert.pem
140578607339424:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./cacert.pem','r')
140578607339424:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
unable to load CA private key
140231163467680:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140231163467680:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
140231163467680:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
140231163467680:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

So I'm not sure what I'm missing.

Thanks!

On 01/15/2016 05:15 PM, PÁSZTOR György wrote:
Hi,
"Ivan Adji - Krstev" <akivanradix@gmail.com> wrote at 2016-01-15 15:06:
> Can someone give me the right way to do this, as I am following this tutorial and still have errors:
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-g...

This guide seems pretty good. What errors do you have?

This guide assumes you have a "pki" machine: one machine where you generate all the certificates and keys, and do any pki-related thing. As is usual. Then it is consistent with the filenames, so when it shows the server side's config and you see a "cacert.pem", it comes from this pki environment. The same cacert.pem should be applied to the client side.
Step #1: Does your server start?
Step #2: Does your client start?
If it is only a test system, and the keys are not "real secret" yet, and still have problems, I suggest to use the contrib/syslog-debun to collect the config and other environment related things from your client and server side, and send those to me. I do not know, if .tar.gz attachments are allowed on the mailing list. But I would gladly check them.
If the server is able to start, then please run the debug bundle collector with these parameters:

contrib/syslog-debun -d

It will stop the syslog-ng as a system service, and start it in foreground debug mode, until you press enter. Then it will stop the debug mode service, and start the "system service" again.
Until the server runs in debug mode, please try the same on the client side. The most important part of the whole debugging, that I would like to see the syslog-ng's debug messages and see what happens from the syslog-ng's point of view.
Cheers,
Gyu
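
Added example, not part of the original thread or of the Balabit guide: the model described in the reply above, where the client certificate is issued on the PKI machine that holds cacert.pem and private/cakey.pem, and only cacert.pem, clientcert.pem and clientkey.pem are then copied to the client. It signs with `openssl x509 -req` instead of the guide's `openssl ca`; the function names, the throwaway CA and the subject names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA standing in for the real cacert.pem / cakey.pem.
make_demo_ca() {
    mkdir -p "$1/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo syslog-ng CA" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Issue a client certificate. Must run in the directory tree that holds the CA key.
issue_client_cert() {
    dir=$1; cn=$2
    # Fail early and clearly instead of with the fopen() error shown in the thread.
    for f in "$dir/cacert.pem" "$dir/private/cakey.pem"; do
        [ -r "$f" ] || { echo "missing $f: run this on the PKI machine" >&2; return 1; }
    done
    # New client key plus a certificate request (not a self-signed certificate).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/clientkey.pem" -out "$dir/clientreq.pem" 2>/dev/null || return 1
    # Sign the request with the CA key.
    openssl x509 -req -in "$dir/clientreq.pem" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -out "$dir/clientcert.pem" 2>/dev/null || return 1
    # The result must chain to the same cacert.pem the server and client trust.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/clientcert.pem" >/dev/null
}

# True if the private key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Calling `issue_client_cert` in a directory that has no private/cakey.pem, as on the client machine in the thread, returns non-zero with the "missing" message instead of prompting for a pass phrase.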