[syslog-ng] Syslog-ng mutual self cert authentication
Ivan Adji - Krstev
akivanradix at gmail.com
Mon Jan 18 14:23:12 CET 2016
Hi,
I do the following:
Following the link from Balabit I have done the server side without
errors. Then I do this on the client side:
1.
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt

Then I copy the "cacert.pem" to the client machine and try the next
step, "Creating a client certificate", using the following commands:

openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem

And on the last line I have the errors:

openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Error opening CA certificate ./cacert.pem
140030533961632:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen('./cacert.pem','r')
140030533961632:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load certificate
So I tried copying the serverkey.pem and servercert.pem, but got similar errors:
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Error opening CA certificate ./cacert.pem
140578607339424:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen('./cacert.pem','r')
140578607339424:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load certificate
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
unable to load CA private key
140231163467680:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140231163467680:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12
cipherfinal error:p12_decr.c:104:
140231163467680:error:2306A075:PKCS12
routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
140231163467680:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1
lib:pem_pkey.c:132:
So I'm not sure what I'm missing.
Thanks!
On 01/15/2016 05:15 PM, PÁSZTOR György wrote:
> Hi,
>
> "Ivan Adji - Krstev" <akivanradix at gmail.com> wrote on 2016-01-15 at 15:06:
>> Can someone give me the right way to do this, as I am following this
>> tutorial and still have errors:
>> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-tutorial-mutual-auth-tls/html/create-ca.html
> This guide seems pretty good.
> What errors do you have?
> This guide assumes you have a "pki" machine: one machine where you
> generate all the certificates and keys, and do any PKI-related thing,
> as is usual.
> Then it is consistent with the filenames, so when it shows the server
> side's config and you see a "cacert.pem", it comes from this pki
> environment. The same cacert.pem should be applied to the client side.
>
> Step #1:
> Does your server start?
> Step #2:
> Does your client start?
>
> If it is only a test system, and the keys are not "real secret" yet,
> and you still have problems, I suggest using contrib/syslog-debun
> to collect the config and other environment-related things from your
> client and server side, and sending those to me.
> I do not know if .tar.gz attachments are allowed on the mailing list,
> but I would gladly check them.
>
> If the server is able to start, then please run the debug bundle collector
> with these parameters:
> contrib/syslog-debun -d
> It will stop syslog-ng as a system service and start it in foreground
> debug mode until you press enter. Then it will stop the debug-mode
> service and start the "system service" again.
>
> While the server runs in debug mode, please try the same on the client
> side.
> The most important part of the whole debugging is that I would like to
> see syslog-ng's debug messages and see what happens from
> syslog-ng's point of view.
>
> Cheers,
> Gyu
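A preflight check for the "openssl ca" working directory, added here as an example and not part of the thread or the Balabit tutorial. It assumes the layout the error messages imply (openssl.cnf with dir = ., certificate = ./cacert.pem, private_key = ./private/cakey.pem, plus the serial, index.txt and newcerts pieces openssl ca needs) and reports which files the reply says must come from the pki machine are absent before the signing step is attempted.

```shell
#!/bin/sh
# Assumed layout (from the thread's errors, not from any real openssl.cnf):
#   ./cacert.pem  ./private/cakey.pem  ./serial  ./index.txt  ./newcerts/
# Prints one line per missing item and returns 1 if anything is missing,
# so the check can be run before "openssl ca" instead of reading its
# fopen() errors afterwards.
ca_layout_missing() {
    dir="${1:-.}"
    missing=0
    for f in openssl.cnf cacert.pem private/cakey.pem serial index.txt; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing file: $dir/$f"
            missing=1
        fi
    done
    for d in certs crl newcerts private; do
        if [ ! -d "$dir/$d" ]; then
            echo "missing directory: $dir/$d"
            missing=1
        fi
    done
    return $missing
}

# Once the files are in place, confirm cacert.pem and private/cakey.pem are
# really a pair: "bad decrypt" in the thread means the passphrase did not
# unlock cakey.pem, and a key copied from the wrong machine is the next
# thing to rule out. Prompts for the key passphrase like "openssl ca" does.
ca_key_matches_cert() {
    dir="${1:-.}"
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/cacert.pem" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/private/cakey.pem" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: ca_layout_missing /path/to/ca && ca_key_matches_cert /path/to/ca
```

Run it in the directory where you run openssl ca; for the thread's client directory it reports the missing cacert.pem and private/cakey.pem, which is exactly what the fopen() error was complaining about.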