[syslog-ng] Syslog-ng error while using TLS

Pramod Pillai pramodpillaip at gmail.com
Mon May 2 16:43:34 CEST 2011


Hi
These are the config details.
I ran truss on the server and found that it was looking for some file
/data/conf/certifi/<some number>.0. I didn't understand much.

Server configuration
source s_LTEMGR_SYSLOG_CLIENTS{ tcp(ip(10.232.165.128) port(6954)

            tls(key_file("/data/conf/certifi/serverprivkey.pem")
                cert_file("/data/conf/certifi/servercert.pem")
                ca_dir("/data/conf/certifi")
                peer_verify(required-trusted)
            )
        );
};


Client Configuration
destination d_SYSLOGNG_SERVER { tcp( "10.232.165.128" port()
            tls(key_file("/data/conf/certifi/clikey.pem")
                cert_file("/data/conf/certifi/client.pem")
                ca_dir("/data/conf/certifi/")
                peer_verify(required-trusted)
            )
     );
};


On Thu, Apr 28, 2011 at 8:42 PM, Gergely Nagy <algernon at balabit.hu> wrote:
> Pramod Pillai <pramodpillaip at gmail.com> writes:
>
>> I am getting the following error while trying to configure TLS in syslog-ng
>>
>> Error On Client
>> Certificate validation failed; subject='C=IN, ST=KAR, O=orola,
>> CN=12.168.50.192, emailAddress=a at d.com', issuer='C=Generic,
>> ST=Generic, O=Generic, CN=Generic_Int_CA_1', error='unable to get
>> local issuer certificate', depth='0'
>> SSL error while writing stream; tls_error='SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
>> I/O error occurred while writing; fd='4', error='Broken pipe (32)'
>> Syslog connection broken; fd='4',
>> server='AF_INET(10.232.165.128:5695)', time_reopen='60'
>>
>>
>> Error on Server
>> SSL error while reading stream; tls_error='SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'
>
> The problem seems to be - as the log message says -, that syslog-ng cannot find
> the Certificate Authority to verify the server's certificate.
>
> You probably need to copy the CA cert and set the client up
> appropriately.
>
> If you can show a config excerpt, I might be able to help a little more,
> but the documentation should be enough to set things up properly.
>
> The relevant part of the documentation is available at the following
> URL:
>
> http://www.balabit.com/sites/default/files/documents/syslog-ng-pe-v3.2-guide-admin-en.html/chunk-filename-error-procedure08.html
>
> --
> |8]


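Added example, not part of the thread: the "<some number>.0" file seen in truss is how OpenSSL looks up a CA inside a ca_dir() directory, by a hash of the CA certificate's subject name with a numeric suffix, so a CA file dropped into the directory under any other name is never found and the client reports "unable to get local issuer certificate". The helper below populates such a directory the way c_rehash does and checks a certificate against it; directory and file names are assumptions (older OpenSSL releases before 1.0.0 used a different hash, which `openssl x509 -subject_hash_old` prints).

```shell
#!/bin/sh
# Added example (not from the thread): populate a ca_dir() directory the way
# OpenSSL expects it. syslog-ng hands ca_dir() to OpenSSL, which looks for the
# issuer of a peer certificate under the file name <subject-hash>.0 (then .1,
# .2, ... on hash collisions) inside that directory. A CA file stored under any
# other name is never consulted, which matches the "<some number>.0" lookup
# seen in truss and the "unable to get local issuer certificate" error.
set -eu

# install_ca CA_PEM DIR: copy CA_PEM into DIR under its subject hash and print
# the resulting path. The suffix starts at .0 and increases only when a
# different certificate already occupies that hash (mirrors c_rehash).
install_ca() {
    ca_pem=$1
    dir=$2
    # "-hash" is OpenSSL's current subject-name hash (same as -subject_hash).
    hash=$(openssl x509 -noout -hash -in "$ca_pem")
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        # Same certificate already installed: idempotent, nothing to do.
        if cmp -s "$dir/$hash.$n" "$ca_pem"; then
            printf '%s\n' "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    cp "$ca_pem" "$dir/$hash.$n"
    printf '%s\n' "$dir/$hash.$n"
}

# verify_chain DIR CERT_PEM: the same lookup OpenSSL performs for
# peer_verify(required-trusted); succeeds only if CERT_PEM chains to a CA
# that can be found in DIR by its hashed file name.
verify_chain() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run `install_ca /path/to/cacert.pem /data/conf/certifi` on the client for the CA that issued the server certificate, then `verify_chain /data/conf/certifi servercert.pem` should succeed before restarting syslog-ng.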