[syslog-ng] error='self signed certificate in certificate chain'
Girish Kumar
girish.kumar at al-enterprise.com
Sun Mar 13 08:39:46 CET 2016
Thanks Robert.
With required-untrusted, I am able to communicate with syslog-ng server with TLS encryption.
I want to establish mutual authentication and need the required-trusted option.
Could you please let me know how to solve the following certificate issue with the required-trusted option?
Regards,
Girish
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Fekete, Róbert
Sent: Friday, March 11, 2016 7:05 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] error='self signed certificate in certificate chain'
Hi,
Try setting the peer-verify option to required-untrusted (https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/tlsoptions.html#tls-options-peer-verify).
HTH,
Robert
On Fri, Mar 11, 2016 at 2:28 PM, Girish Kumar <girish.kumar at al-enterprise.com> wrote:
Hi All,
I am getting the following error while starting syslog-ng with the tls option. Could you please help me with this?
Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection established; fd='5', server='AF_INET(10.135.83.103:6514)', local='AF_INET(0.0.0.0:0)'
Mar 12 18:14:24 (none) syslog-ng[6136]: Certificate validation failed; subject='emailAddress=giri at gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', issuer='emailAddress=giri at gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', error='self signed certificate in certificate chain', depth='1'
Mar 12 18:14:24 (none) syslog-ng[6136]: SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
Mar 12 18:14:24 (none) syslog-ng[6136]: I/O error occurred while writing; fd='5', error='Broken pipe (32)'
Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection broken; fd='5', server='AF_INET(10.135.83.103:6514)', time_reopen='60'
//server conf
source d_source {
    #syslog(ip("mysyslog.server.com") port(6514)
    syslog(ip("10.135.83.103") port(6514)
        transport("tls")
        tls( key_file("/etc/cert.d/mySerPrivate.key")
             cert_file("/etc/cert.d/mySerCert.pem")
             ca_dir("/etc/ca.d")
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};
//Client conf
destination d_destination {
    #syslog("mysyslog.server.com" port(6514)
    syslog("10.135.83.103" port(6514)
        transport("tls")
        tls( ca_dir("/etc/ca.d")
             key_file("/etc/cert.d/myCliPrivate.key")
             cert_file("/etc/cert.d/myCliCert.pem")
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};
Regards,
Girish
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
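Added example (not part of the thread, and not code from the posters or the syslog-ng project): the log above reports error='self signed certificate in certificate chain' at depth='1', which OpenSSL raises when the peer's chain ends in a self-signed CA that is not among the local trust anchors. One common cause with ca_dir() is a CA file that lacks the <subject-hash>.0 name OpenSSL looks up in a CA directory; the script below reproduces that and the fix with a constructed CA and server certificate. All subjects, file names and function names are made up for the demo, and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: every name, subject and path here is constructed for the demo.

make_pki() {    # throwaway CA plus a server certificate signed by it, in $1
    d=$1; mkdir -p "$d/ca.d"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=constructed-server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 2 -out "$d/server.pem" 2>/dev/null
}

# Trust anchors come only from the hashed directory (like ca_dir()); the CA is
# also offered as untrusted, as if the peer had sent it along in its chain.
verify_with_ca_dir() {
    openssl verify -CApath "$1/ca.d" -untrusted "$1/cacert.pem" "$1/server.pem" 2>&1
}

# Copying the PEM under an arbitrary name is not enough for a CApath lookup.
copy_ca() { cp "$1/cacert.pem" "$1/ca.d/cacert.pem"; }

# OpenSSL finds a CA in a directory by the file name <subject-hash>.0
link_ca() {
    h=$(openssl x509 -noout -hash -in "$1/ca.d/cacert.pem") || return 1
    ln -sf cacert.pem "$1/ca.d/$h.0"
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" && copy_ca "$d" || return 1
    echo "--- CA PEM present in ca.d, no hash link:"
    verify_with_ca_dir "$d" || echo "(verification failed, as expected)"
    link_ca "$d" || return 1
    echo "--- after creating the <hash>.0 link:"
    verify_with_ca_dir "$d"
    rm -rf "$d"
}
demo
```

With peer-verify(required-trusted) on both sides, each host needs the hashed link for the CA that signed the other side's certificate in its own ca_dir().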