On Thu, 2011-05-26 at 22:25 +0530, Pramod Pillai wrote:
Hi Bazsi
We are still unable to resolve the issue. I see this error:

CN=Generic_Int_CA_1', error='unable to get local issuer certificate', depth='0' SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

I am attaching the config file and the certificates which might be helpful to debug the issue.
The question is what the directory ca_dir("/certificates/ca.d") contains. It should be populated with symlinks pointing to the X.509 certificates. The symlink name must be the hash of the X.509 subject name, to be produced by

    openssl x509 -hash -in xxxx

There's also an openssl utility to perform this symlink stuff, named c_rehash. Here's a manual page for that:

http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash

I'm quite certain that TLS and X.509 key validation works well, and the error message really seems to indicate a local setup problem.
Regards Pramod
On Sun, May 22, 2011 at 4:44 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Wed, 2011-05-04 at 18:11 +0530, Pramod Pillai wrote:
Hi
I have not yet resolved the issue -:( A few questions. This is the error from the client side: error='self signed certificate in certificate chain', depth='2'
Our certificates are not self signed. But why is it showing as self signed in the log?
Everything is self-signed at the end. An official CA is a self-signed certificate; they just happen to be trusted for one reason or another.
This probably means that the CA certificate is not trusted by syslog-ng, probably because syslog-ng has to be told which CA you trust.
There's a chapter in the documentation on how to set that up, here:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...
Is syslog-ng internally configured as self-signed certificate? If yes, where is it stored? Or how to modify it?
Is it possible to configure the depth ?
IIRC no, there's currently no way to configure that, syslog-ng will just accept any certificate depth.
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- Bazsi
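
The ca_dir() layout described in the reply above, as an added example that is not part of the original thread or of syslog-ng: it builds the subject-hash symlinks that c_rehash would create and checks whether the issuer of a given certificate can be found in the directory. The function names and the file name `server-cert.pem` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage (the path is the ca_dir() value quoted in the thread, the
# certificate file name is a placeholder):
#   rehash_ca_dir /certificates/ca.d
#   issuer_link_present /certificates/ca.d server-cert.pem

# Create <subject-hash>.<n> symlinks for every certificate in DIR,
# which is the layout OpenSSL expects in a CA directory.
rehash_ca_dir() {
    dir=$1
    x='[0-9a-f]'
    # Drop old hash links first so reruns do not pile up duplicates.
    for link in "$dir"/$x$x$x$x$x$x$x$x.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Skip files that do not parse as X.509 certificates.
        hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || continue
        n=0
        # Different CAs can share a hash; OpenSSL probes .0, .1, ...
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# Succeed if DIR has a hash link for the issuer of CERT. A missing link
# is one cause of "unable to get local issuer certificate".
issuer_link_present() {
    dir=$1
    cert=$2
    hash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
    [ -e "$dir/$hash.0" ]
}
```

Run it with the same OpenSSL generation that syslog-ng is linked against: the subject hash algorithm changed in OpenSSL 1.0.0, so links created by an older `openssl` binary are not found by a newer library.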