[syslog-ng] Syslog-ng error while using TLS

Balazs Scheidler bazsi at balabit.hu
Sat Jun 4 13:35:16 CEST 2011


On Thu, 2011-05-26 at 22:25 +0530, Pramod Pillai wrote:
> Hi Bazsi
> 
> We are still unable to resolve the issue.
> I see this error.
>  CN=Generic_Int_CA_1', error='unable to get local issuer certificate', depth='0'
> SSL error while writing stream; tls_error='SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
> 
> I am attaching the config file and the certificates which might be
> helpful to debug the issue.

The question is what the directory 

                ca_dir("/certificates/ca.d")

contains. It should be populated with symlinks pointing to the X.509
certificates. The symlink name must be the hash of the X.509 subject
name, to be produced by

openssl x509 -hash -in xxxx

There's also an openssl utility to perform this symlink stuff, named
c_rehash. Here's a manual page for that:

http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash

I'm quite certain that TLS and X.509 key validation works well, and the
error message really seems to indicate a local setup problem.

> 
> Regards
> Pramod
> 
> On Sun, May 22, 2011 at 4:44 PM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> > On Wed, 2011-05-04 at 18:11 +0530, Pramod Pillai wrote:
> >> Hi
> >>
> >> I have not yet resolved the issue -:(
> >> Few questions
> >> This is the error from the client side
> >> error='self signed certificate in certificate chain', depth='2'
> >>
> >> Our certificates are not self signed. But why is it showing as self
> >> signed in the log?
> >
> > Everything is self-signed at the end. An official CA is a self-signed
> > certificate, they just happen to be trusted for one reason or another.
> >
> > This probably means that the CA certificate is not trusted by syslog-ng,
> > probably because syslog-ng has to be told which CA you trust.
> >
> > There's a chapter in the documentation on how to set that up, here:
> >
> > http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/chapter-encrypted-transport-tls.html
> >
> >> Is syslog-ng internally configured as a self-signed certificate? If
> >> yes, where is it stored, or how do I modify it?
> >>
> >> Is it possible to configure the depth ?
> >
> > IIRC no, there's currently no way to configure that, syslog-ng will just
> > accept any certificate depth.
> >
> > --
> > Bazsi
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >
> 

-- 
Bazsi
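As an added illustration that is not part of this thread, the script below builds a ca_dir() the way c_rehash does: it creates a throw-away CA and a leaf certificate signed by it (constructed test material, names chosen here), shows that `openssl verify -CApath` cannot find the issuer while the directory is empty, and succeeds once the `<subject-hash>.0` symlink exists. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo (not syslog-ng code): populate a ca_dir() with
# hash-named symlinks exactly as c_rehash does, then verify against it.
set -eu

WORK="${TMPDIR:-/tmp}/cadir-demo.$$"

# Generate a throw-away CA and a leaf cert signed by it (test material only).
make_test_pki() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo_Int_CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-logserver" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# Populate a CA directory: OpenSSL looks issuers up by <subject-hash>.<n>,
# which is the layout c_rehash produces and ca_dir() expects.
rehash_ca_dir() {
    dir="$1"; shift
    mkdir -p "$dir"
    for crt in "$@"; do
        h=$(openssl x509 -noout -hash -in "$crt")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # same-hash suffix
        # Link with an absolute path so the symlink survives a cwd change.
        ln -s "$(cd "$(dirname "$crt")" && pwd)/$(basename "$crt")" "$dir/$h.$n"
    done
}

# Returns 0 if the chain verifies against the directory, non-zero otherwise
# (an empty directory yields "unable to get local issuer certificate").
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Running `make_test_pki`, then `verify_against_dir "$WORK/empty.d" "$WORK/server.crt"` before and after `rehash_ca_dir "$WORK/ca.d" "$WORK/ca.crt"` reproduces the failure from the thread and its fix.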