[syslog-ng] TLS - Authentication problem
Peter Eckel
lists at eckel-edv.de
Fri Mar 18 20:07:04 CET 2011
Hi Honza,
On 18.03.2011, at 14:01, Honza Mach wrote:
> Mar 18 12:54:22 machine syslog-ng[5432]: Certificate validation failed;
> subject='CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
> O=AddTrust AB, C=SE', issuer='CN=AddTrust External CA Root, OU=AddTrust
> External TTP Network, O=AddTrust AB, C=SE', error='self signed
> certificate in certificate chain', depth='3'
this is your problem. It's a bit difficult to judge from far, but did you properly install the CA certificate the server uses on the client? If so, did you create the hash and a symbolic link from your CAdir to the CA certificate?
In my test installation, the general setup for the CA certificate is as follows:
destination d_remote {
    tcp( "server" port( 601 )
        tls( key_file("/opt/syslog-ng/etc/ssl/client_key.pem")
             cert_file("/opt/syslog-ng/etc/ssl/client_crt.pem")
             ca_dir( "/opt/syslog-ng/etc/ssl" )
           )
    );
};
You may ignore key_file and cert_file if the server is not expecting the client to provide a certificate. The relevant part is ca_dir. Here are the CA certificate and a link to it which is named after the CA certificate's hash with a trailing '.0':
[root at client etc]# ls -la /opt/syslog-ng/etc/ssl
total 24
drwxr-xr-x 2 root root 4096 Mar 9 01:10 .
drwxr-xr-x 4 root root 4096 Mar 9 01:15 ..
lrwxrwxrwx 1 root root 10 Mar 9 01:10 39118da4.0 -> ca_crt.pem
-rw-r--r-- 1 root root 2049 Mar 9 01:05 ca_crt.pem
-rw-r--r-- 1 root root 4409 Mar 9 01:05 client_crt.pem
-r-------- 1 root root 1679 Mar 9 01:05 client_key.pem
You get the hash using openssl:
[root at client etc]# openssl x509 -noout -hash -in /opt/syslog-ng/etc/ssl/ca_crt.pem
39118da4
I am using this setup with 3.2.2 and 3.1.4 on several dozen machines without any problems. Without the hash link, I get exactly the same error you are seeing:
Mar 18 20:05:07 client syslog-ng[12819]: Certificate validation failed; subject='Root CA', issuer='Root CA', error='self signed certificate in certificate chain', depth='1'
Best regards,
Peter.
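The hash-link step described in the message above, as an added shell example that is not part of the original post. It assumes the openssl CLI is available and that the CA file already sits inside the ca_dir directory (as in the listing above); the install function also handles the case where another CA already occupies the .0 suffix, and the verify function reproduces the check the client does during the TLS handshake. Note that OpenSSL 1.0.0 changed the subject-hash algorithm, so a client linked against 0.9.8 needs the name from `openssl x509 -subject_hash_old` instead.

```shell
#!/bin/sh
# Added example (not from the original post): create the <subject-hash>.N link
# that ca_dir() lookups require, then confirm the directory resolves a chain.
# Requires the openssl CLI; paths are supplied by the caller.
set -e

# Create "<hash>.N" -> <cert basename> inside ca_dir. N is the first free
# suffix, because several CAs can share one subject hash. Prints the link name.
# Assumes ca_pem already lives in ca_dir so a relative link target works
# (exactly like "39118da4.0 -> ca_crt.pem" in the listing above).
install_ca_hash_link() {
    ca_dir="$1"
    ca_pem="$2"
    hash=$(openssl x509 -noout -hash -in "$ca_pem")   # same as -subject_hash
    n=0
    while [ -e "$ca_dir/$hash.$n" ]; do
        # The link for this very file is already present: nothing to do.
        if [ "$(readlink "$ca_dir/$hash.$n")" = "$(basename "$ca_pem")" ]; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$(basename "$ca_pem")" "$ca_dir/$hash.$n"
    echo "$hash.$n"
}

# Return success only if cert_pem chains to a trusted CA found via ca_dir.
# Without the hash link this fails with "self signed certificate in
# certificate chain", which is the error quoted in the thread.
verify_with_ca_dir() {
    ca_dir="$1"
    cert_pem="$2"
    openssl verify -CApath "$ca_dir" "$cert_pem" >/dev/null 2>&1
}
```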