Syslog-ng error while using TLS
Hi,

I am getting the following error while trying to configure TLS in syslog-ng.

Error on client:

Certificate validation failed; subject='C=IN, ST=KAR, O=orola, CN=12.168.50.192, emailAddress=a@d.com', issuer='C=Generic, ST=Generic, O=Generic, CN=Generic_Int_CA_1', error='unable to get local issuer certificate', depth='0'
SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
I/O error occurred while writing; fd='4', error='Broken pipe (32)'
Syslog connection broken; fd='4', server='AF_INET(10.232.165.128:5695)', time_reopen='60'

Error on server:

SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'

Regards,
Pramod
Pramod Pillai <pramodpillaip@gmail.com> writes:
I am getting the following error while trying to configure TLS in syslog-ng.

Error on client:

Certificate validation failed; subject='C=IN, ST=KAR, O=orola, CN=12.168.50.192, emailAddress=a@d.com', issuer='C=Generic, ST=Generic, O=Generic, CN=Generic_Int_CA_1', error='unable to get local issuer certificate', depth='0'
SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
I/O error occurred while writing; fd='4', error='Broken pipe (32)'
Syslog connection broken; fd='4', server='AF_INET(10.232.165.128:5695)', time_reopen='60'

Error on server:

SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
The problem seems to be - as the log message says - that syslog-ng cannot find the Certificate Authority to verify the server's certificate. You probably need to copy the CA cert and set the client up appropriately.

If you can show a config excerpt, I might be able to help a little more, but the documentation should be enough to set things up properly. The relevant part of the documentation is available at the following URL:

http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-v3.2-guide...

-- 
|8]
Hi,

These are the config details. I ran truss on the server and found that it was looking for some file /data/conf/certifi/<some number>.0 . I didn't understand much.

Server configuration:

source s_LTEMGR_SYSLOG_CLIENTS {
    tcp(
        ip(10.232.165.128)
        port(6954)
        tls(
            key_file("/data/conf/certifi/serverprivkey.pem")
            cert_file("/data/conf/certifi/servercert.pem")
            ca_dir("/data/conf/certifi")
            peer_verify(required-trusted)
        )
    );
};

Client configuration:

destination d_SYSLOGNG_SERVER {
    tcp(
        "10.232.165.128"
        port()
        tls(
            key_file("/data/conf/certifi/clikey.pem")
            cert_file("/data/conf/certifi/client.pem")
            ca_dir("/data/conf/certifi/")
            peer_verify(required-trusted)
        )
    );
};

On Thu, Apr 28, 2011 at 8:42 PM, Gergely Nagy <algernon@balabit.hu> wrote:
The problem seems to be - as the log message says - that syslog-ng cannot find the Certificate Authority to verify the server's certificate.
You probably need to copy the CA cert and set the client up appropriately.
If you can show a config excerpt, I might be able to help a little more, but the documentation should be enough to set things up properly.
The relevant part of the documentation is available at the following URL:
http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-v3.2-guide...
-- 
|8]

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
That is the hash. 'openssl x509 -hash -noout -in <certfile>' will tell you what the number should be for a given certificate. Just symlink it as <number>.0, or when there is already a .0-suffixed link (hash collisions could occur), then just increase the suffix to .1 and so on... This hash is used for looking up the certificate of the issuer without reading all files.

On Mon, May 2, 2011 at 4:43 PM, Pramod Pillai <pramodpillaip@gmail.com> wrote:
Hi,

These are the config details. I ran truss on the server and found that it was looking for some file /data/conf/certifi/<some number>.0 . I didn't understand much.

Server configuration:

source s_LTEMGR_SYSLOG_CLIENTS {
    tcp(
        ip(10.232.165.128)
        port(6954)
        tls(
            key_file("/data/conf/certifi/serverprivkey.pem")
            cert_file("/data/conf/certifi/servercert.pem")
            ca_dir("/data/conf/certifi")
            peer_verify(required-trusted)
        )
    );
};

Client configuration:

destination d_SYSLOGNG_SERVER {
    tcp(
        "10.232.165.128"
        port()
        tls(
            key_file("/data/conf/certifi/clikey.pem")
            cert_file("/data/conf/certifi/client.pem")
            ca_dir("/data/conf/certifi/")
            peer_verify(required-trusted)
        )
    );
};
Pramod Pillai <pramodpillaip@gmail.com> writes:
Hi, these are the config details. I ran truss on the server and found that it was looking for some file /data/conf/certifi/<some number>.0 . I didn't understand much.
In that case, you will need to create the symlinks (using c_rehash /data/conf/certifi/ for example; c_rehash is part of openssl).

This is briefly mentioned in the documentation I linked in my earlier post, although a different solution is presented there, but it does essentially the same thing. I seem to remember that a short explanation is given there too - but I might be mistaken in this case.

-- 
|8]
Hi,

I have not yet resolved the issue -:(

A few questions. This is the error from the client side:

error='self signed certificate in certificate chain', depth='2'

Our certificates are not self signed. But why is it showing as self signed in the log? Is syslog-ng internally configured with a self-signed certificate? If yes, where is it stored, or how do I modify it?

Is it possible to configure the depth?

Regards,
Pramod

On Mon, May 2, 2011 at 8:46 PM, Gergely Nagy <algernon@balabit.hu> wrote:
In that case, you will need to create the symlinks (using c_rehash /data/conf/certifi/ for example; c_rehash is part of openssl).
This is briefly mentioned in the documentation I linked in my earlier post, although a different solution is presented there, but it does essentially the same thing. I seem to remember that a short explanation is given there too - but I might be mistaken in this case.
-- |8]
On Wed, 2011-05-04 at 18:11 +0530, Pramod Pillai wrote:
Hi
I have not yet resolved the issue -:( A few questions. This is the error from the client side:

error='self signed certificate in certificate chain', depth='2'

Our certificates are not self signed. But why is it showing as self signed in the log?
Everything is self-signed at the end. An official CA is a self-signed certificate; they just happen to be trusted for one reason or another.

This probably means that the CA certificate is not trusted by syslog-ng, probably because syslog-ng has to be told which CA you trust. There's a chapter in the documentation on how to set that up, here:

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...
Is syslog-ng internally configured with a self-signed certificate? If yes, where is it stored, or how do I modify it?

Is it possible to configure the depth?
IIRC no, there's currently no way to configure that; syslog-ng will just accept any certificate depth.

-- 
Bazsi
Hi Bazsi,

We are still unable to resolve the issue. I see this error:

CN=Generic_Int_CA_1', error='unable to get local issuer certificate', depth='0'
SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

I am attaching the config file and the certificates, which might be helpful to debug the issue.

Regards,
Pramod

On Sun, May 22, 2011 at 4:44 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Wed, 2011-05-04 at 18:11 +0530, Pramod Pillai wrote:
Hi
I have not yet resolved the issue -:( A few questions. This is the error from the client side:

error='self signed certificate in certificate chain', depth='2'

Our certificates are not self signed. But why is it showing as self signed in the log?

Everything is self-signed at the end. An official CA is a self-signed certificate; they just happen to be trusted for one reason or another.

This probably means that the CA certificate is not trusted by syslog-ng, probably because syslog-ng has to be told which CA you trust.
There's a chapter in the documentation on how to set that up, here:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...
Is syslog-ng internally configured with a self-signed certificate? If yes, where is it stored, or how do I modify it?

Is it possible to configure the depth?

IIRC no, there's currently no way to configure that; syslog-ng will just accept any certificate depth.
-- Bazsi
On Thu, 2011-05-26 at 22:25 +0530, Pramod Pillai wrote:
Hi Bazsi
We are still unable to resolve the issue. I see this error:

CN=Generic_Int_CA_1', error='unable to get local issuer certificate', depth='0'
SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

I am attaching the config file and the certificates, which might be helpful to debug the issue.
The question is what the directory ca_dir("/certificates/ca.d") contains. It should be populated with symlinks pointing to the X.509 certificates. The symlink name must be the hash of the X.509 subject name, to be produced by:

openssl x509 -hash -in xxxx

There's also an openssl utility to perform this symlink stuff, named c_rehash. Here's a manual page for that:

http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash

I'm quite certain that TLS and X.509 key validation works well, and the error message really seems to indicate a local setup problem.
-- Bazsi
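The hashed ca_dir() layout that Sandor and Bazsi describe above (a symlink named after 'openssl x509 -hash', suffix .0, bumped to .1 and so on on a collision, which is what c_rehash automates) is easy to get wrong by hand, and a missing link produces exactly the "unable to get local issuer certificate" failure this thread is about. The script below is an added example, not code from the thread, from syslog-ng or from OpenSSL: it builds such a directory with a small POSIX shell function, then shows the verification failing before the links exist and succeeding after. It assumes only the openssl command-line tool; the directory names, the throwaway CA and the leaf certificate are constructed for the example and are not the poster's certificates.

```shell
#!/bin/sh
# Added example (not from the thread, syslog-ng or OpenSSL): build the hashed
# CA directory that syslog-ng's ca_dir() option expects. For each CA
# certificate a symlink named <subject hash>.N points at it; N starts at 0 and
# is incremented when another certificate with the same hash is already
# linked (the collision rule from the thread). Requires the openssl CLI.
set -eu

# Subject-name hash of a PEM certificate, as printed by 'openssl x509 -hash'
# (the same value c_rehash uses for the link names).
subject_hash() {
    openssl x509 -hash -noout -in "$1"
}

# rehash_ca_dir DIR: create <hash>.N symlinks for every *.pem in DIR.
# Re-running is safe: a certificate that is already linked is left alone.
rehash_ca_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem")
        hash=$(subject_hash "$pem")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # This file is already linked under this suffix: nothing to do.
            [ "$(readlink "$dir/$hash.$n" || true)" = "$name" ] && break
            n=$((n + 1))
        done
        [ -e "$dir/$hash.$n" ] || ln -s "$name" "$dir/$hash.$n"
    done
}

# verify_leaf DIR LEAF: validate LEAF using only the hashed directory as trust
# store, the way a TLS peer with ca_dir(DIR) would. Without the <hash>.N links
# OpenSSL cannot locate the issuer and reports
# "unable to get local issuer certificate", the error from the thread.
verify_leaf() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki WORK: constructed sample data for this example only: a
# throwaway root CA in WORK/ca.d and a leaf certificate it signed.
make_demo_pki() {
    work=$1
    mkdir -p "$work/ca.d"
    # Minimal req config so the run does not depend on a system openssl.cnf.
    cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$work/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -subj "/C=XX/O=Example/CN=Example Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.d/root.pem" >/dev/null 2>&1
    openssl req -new -config "$work/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=XX/O=Example/CN=syslog.example.test" \
        -keyout "$work/server.key" -out "$work/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$work/server.csr" -CA "$work/ca.d/root.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$work/server.pem" >/dev/null 2>&1
}

# Stand-alone run: failure before the links exist, success afterwards.
main() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    if verify_leaf "$work/ca.d" "$work/server.pem"; then
        echo "unexpected: verification succeeded without hash links"
    else
        echo "before rehash: verification fails (no <hash>.0 link in ca.d)"
    fi
    rehash_ca_dir "$work/ca.d"
    ls -l "$work/ca.d"
    if verify_leaf "$work/ca.d" "$work/server.pem"; then
        echo "after rehash: verification succeeds"
    else
        echo "after rehash: verification still fails"
    fi
    rm -rf "$work"
}

main
```

Pointing ca_dir() at a directory that merely contains the CA file is the setup that fails in this thread; the directory must contain the <hash>.N links (or equivalently be processed with c_rehash), and every CA whose certificates should be trusted needs one. The same check with 'openssl verify -CApath' is a quick way to confirm the directory is usable before touching the syslog-ng configuration.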
participants (4)
- Balazs Scheidler
- Gergely Nagy
- Pramod Pillai
- Sandor Geller