error='self signed certificate in certificate chain'
Hi All,
I am getting the following error while starting syslog-ng with the tls option. Could you please help me with this?
Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection established; fd='5', server='AF_INET(10.135.83.103:6514)', local='AF_INET(0.0.0.0:0)'
Mar 12 18:14:24 (none) syslog-ng[6136]: Certificate validation failed; subject='emailAddress=giri@gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', issuer='emailAddress=giri@gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', error='self signed certificate in certificate chain', depth='1'
Mar 12 18:14:24 (none) syslog-ng[6136]: SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
Mar 12 18:14:24 (none) syslog-ng[6136]: I/O error occurred while writing; fd='5', error='Broken pipe (32)'
Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection broken; fd='5', server='AF_INET(10.135.83.103:6514)', time_reopen='60'
//server conf
source d_source {
    #syslog(ip("mysyslog.server.com") port(6514)
    syslog(ip("10.135.83.103") port(6514)
        transport("tls")
        tls( key_file("/etc/cert.d/mySerPrivate.key")
             cert_file("/etc/cert.d/mySerCert.pem")
             ca_dir("/etc/ca.d")
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};
//Client conf
destination d_destination {
    #syslog("mysyslog.server.com" port(6514)
    syslog("10.135.83.103" port(6514)
        transport("tls")
        tls( ca_dir("/etc/ca.d")
             key_file("/etc/cert.d/myCliPrivate.key")
             cert_file("/etc/cert.d/myCliCert.pem")
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};
Regards,
Girish
Hi,
try setting the peer-verify option to required-untrusted ( https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-g... )
HTH,
Robert
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Thanks Robert.
With required-untrusted, I am able to communicate with the syslog-ng server with TLS encryption.
I want to establish mutual authentication and need the required-trusted option.
Could you please let me know how to solve the following certificate issue with the required-trusted option?
Regards,
Girish
Hi,
Try this tutorial, IIRC it uses a self-signed CA cert: https://www.balabit.com/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-tuto...
Regards,
Robert
Thanks a lot Robert. The document is very good.
I followed all the steps except the certificate creation steps, since they were giving some error. Finally I was able to establish TLS communication with "required-trusted".
I am sharing the steps I used for creating the certificates:
mkdir CERT
cd CERT
mkdir CA client server
cd CA
openssl genrsa -out caPrivate.key 4096
openssl req -new -x509 -days 1826 -key caPrivate.key -out caCert.pem
cd ../server
openssl genrsa -out mySerPrivate.key 2048
openssl req -new -key mySerPrivate.key -out mySerReq.csr
openssl x509 -req -days 365 -in mySerReq.csr -CA ../CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 10 -out mySerCert.pem
cd ../client
openssl genrsa -out myCliPrivate.key 2048
openssl req -new -key myCliPrivate.key -out myCliReq.csr
openssl x509 -req -days 365 -in myCliReq.csr -CA ../CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 20 -out myCliCert.pem
Regards,
Girish
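The certificate steps above, carried through end to end as an added example (not code from the thread or from the syslog-ng project): it builds the private CA and the CA-signed server and client certificates non-interactively, installs the CA under the hash-named layout that ca_dir() expects, checks each certificate the way peer-verify(required-trusted) does, and shows that a self-signed peer certificate like the original one is rejected. It assumes an openssl binary; the subject fields, the ca.d/ directory name and the client CN "client01" are constructed for this example.

```shell
# Added example, not code from the thread: builds the PKI the thread ends up with
# (private CA, CA-signed server and client certs), installs the CA for
# syslog-ng's ca_dir(), and checks each cert the way required-trusted does.
# Assumes an openssl binary; subject fields, the ca.d/ name and the client CN
# "client01" are constructed for this example.
set -e
SUBJ="/C=IN/ST=KA/L=BAN/O=enterprise/OU=esd"

# build_pki DIR: create CA, server and client material under DIR.
build_pki() {
    d="$1"
    mkdir -p "$d/CA" "$d/server" "$d/client" "$d/ca.d"
    # 1. The CA is the only self-signed cert, and the only one ca_dir() needs.
    openssl genrsa -out "$d/CA/caPrivate.key" 4096 2>/dev/null
    openssl req -new -x509 -days 1826 -key "$d/CA/caPrivate.key" \
        -subj "$SUBJ/CN=example CA" -out "$d/CA/caCert.pem"
    # 2. Server and client: key + CSR, then a cert issued by the CA. Peer certs
    #    that are themselves self-signed are what produced the thread's error.
    for role in server client; do
        case $role in
            server) key=mySerPrivate.key; csr=mySerReq.csr; crt=mySerCert.pem; serial=10; cn=10.135.83.103 ;;
            client) key=myCliPrivate.key; csr=myCliReq.csr; crt=myCliCert.pem; serial=20; cn=client01 ;;
        esac
        openssl genrsa -out "$d/$role/$key" 2048 2>/dev/null
        openssl req -new -key "$d/$role/$key" -subj "$SUBJ/CN=$cn" -out "$d/$role/$csr"
        openssl x509 -req -days 365 -in "$d/$role/$csr" -CA "$d/CA/caCert.pem" \
            -CAkey "$d/CA/caPrivate.key" -set_serial "$serial" \
            -out "$d/$role/$crt" 2>/dev/null
    done
    # 3. ca_dir() is searched by subject hash (<hash>.0), the -CApath layout;
    #    a file merely named caCert.pem in that directory is never consulted.
    ln -sf ../CA/caCert.pem "$d/ca.d/$(openssl x509 -noout -hash -in "$d/CA/caCert.pem").0"
}

# chains_to_ca DIR CERT: exit 0 when CERT validates against DIR/ca.d, which is
# the check peer-verify(required-trusted) applies to the peer's certificate.
chains_to_ca() {
    openssl verify -CApath "$1/ca.d" "$2" >/dev/null 2>&1
}

# self_signed_peer DIR OUT: a self-signed server cert like the original setup;
# it is not in ca_dir(), so chains_to_ca rejects it (depth 1 self-signed).
self_signed_peer() {
    openssl req -new -x509 -days 365 -key "$1/server/mySerPrivate.key" \
        -subj "$SUBJ/CN=10.135.83.103" -out "$2"
}

# write_client_tls DIR: the thread's client destination with mutual auth.
write_client_tls() {
    cat > "$1/client-tls.conf" <<EOF
destination d_destination {
    syslog("10.135.83.103" port(6514) transport("tls")
        tls( ca_dir("$1/ca.d")
             key_file("$1/client/myCliPrivate.key")
             cert_file("$1/client/myCliCert.pem")
             peer-verify(required-trusted)
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11) ) );
};
EOF
}
```

If the CA certificate is ever reissued, the hash symlink in ca.d/ must be recreated (c_rehash does the same job for a whole directory), otherwise syslog-ng silently falls back to the same "self signed certificate in certificate chain" failure.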
Hi,
Thank you very much for sharing your solution, I'll check if the docs need some update.
Regards,
Robert
participants (2)
- Fekete, Róbert
- Girish Kumar