[syslog-ng] error='self signed certificate in certificate chain'
Fekete, Róbert
robert.fekete at balabit.com
Wed Mar 16 09:29:57 CET 2016
Hi,
Try this tutorial; IIRC it uses a self-signed CA cert:
https://www.balabit.com/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-tutorial-mutual-auth-tls/html/index.html
Regards,
Robert
On Sun, Mar 13, 2016 at 8:39 AM, Girish Kumar <
girish.kumar at al-enterprise.com> wrote:
> Thanks Robert.
>
> With required-untrusted, I am able to communicate with the syslog-ng server
> with TLS encryption.
>
> I want to establish mutual authentication and need the *required-trusted*
> option.
>
> Could you please let me know how to solve the following certificate issue
> with the required-trusted option?
>
> Regards,
>
> Girish
>
>
>
> *From:* syslog-ng-bounces at lists.balabit.hu [mailto:
> syslog-ng-bounces at lists.balabit.hu] *On Behalf Of *Fekete, Róbert
> *Sent:* Friday, March 11, 2016 7:05 PM
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] error='self signed certificate in certificate
> chain'
>
>
>
> Hi,
>
>
>
> try setting the peer-verify option to required-untrusted (
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/tlsoptions.html#tls-options-peer-verify
> )
>
>
>
> HTH,
>
> Robert
>
>
>
> On Fri, Mar 11, 2016 at 2:28 PM, Girish Kumar <
> girish.kumar at al-enterprise.com> wrote:
>
> Hi All,
>
> I am getting the following error while starting syslog-ng with the tls option.
> Could you please help me with this?
>
>
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection established; fd='5', server='AF_INET(10.135.83.103:6514)', local='AF_INET(0.0.0.0:0)'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: Certificate validation failed; subject='emailAddress=giri at gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', issuer='emailAddress=giri at gmail.com, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', error='self signed certificate in certificate chain', depth='1'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: I/O error occurred while writing; fd='5', error='Broken pipe (32)'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection broken; fd='5', server='AF_INET(10.135.83.103:6514)', time_reopen='60'
>
>
>
>
>
> //server conf
> source d_source {
>     #syslog(ip("mysyslog.server.com") port(6514)
>     syslog(ip("10.135.83.103") port(6514)
>         transport("tls")
>         tls( key_file("/etc/cert.d/mySerPrivate.key")
>              cert_file("/etc/cert.d/mySerCert.pem")
>              ca_dir("/etc/ca.d")
>              ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
>         )
>     );
> };
>
> //Client conf
> destination d_destination {
>     #syslog("mysyslog.server.com" port(6514)
>     syslog("10.135.83.103" port(6514)
>         transport("tls")
>         tls( ca_dir("/etc/ca.d")
>              key_file("/etc/cert.d/myCliPrivate.key")
>              cert_file("/etc/cert.d/myCliCert.pem")
>              ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
>         )
>     );
> };
>
>
>
> Regards,
>
> Girish
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
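Added example, not part of the thread or of syslog-ng's own material: the depth='1' error above is what OpenSSL reports when a peer's self-signed CA arrives in the chain but is not found in the verifier's trust store. Assuming the cause is that the CA file in the ca_dir() directory is not named by its subject hash, this sketch reproduces the rejection with `openssl verify` and then adds the hash link; the throwaway PKI, file names and function names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example. The CA and server certificate are throwaway files constructed
# for the demonstration; none of the names below come from the thread.

# Create a self-signed CA and a server certificate signed by it inside $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -days 1 \
        -out "$1/server.pem" 2>/dev/null
}

# Link PEM file $2 (already inside CA directory $1) under the name OpenSSL
# looks up in a hashed CA directory: <subject-hash>.<n>. Prints the link name.
link_ca() {
    subj_hash=$(openssl x509 -noout -hash -in "$1/$2") || return 1
    n=0
    while [ -e "$1/$subj_hash.$n" ] || [ -L "$1/$subj_hash.$n" ]; do
        if cmp -s "$1/$subj_hash.$n" "$1/$2"; then echo "$subj_hash.$n"; return 0; fi
        n=$((n + 1))   # name taken by a different CA: try the next suffix
    done
    ln -s "$2" "$1/$subj_hash.$n" && echo "$subj_hash.$n"
}

# Verify certificate $2 with hashed directory $1 as the trust store. $3 is
# passed as untrusted chain, like the CA certificate a peer sends in-band.
verify_peer() {
    openssl verify -CApath "$1" -untrusted "$3" "$2" 2>&1
}

# Show the rejection with an unhashed CA directory, then the accepted chain.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ca.d" && make_demo_pki "$work" && cp "$work/cacert.pem" "$work/ca.d/" || return 1
    echo "before:"; verify_peer "$work/ca.d" "$work/server.pem" "$work/cacert.pem" || echo "(rejected)"
    link_ca "$work/ca.d" cacert.pem >/dev/null
    echo "after:"; verify_peer "$work/ca.d" "$work/server.pem" "$work/cacert.pem" && status=0 || status=1
    rm -rf "$work"
    return $status
}

demo
```

On a real host the equivalent step is to run `link_ca` against the directory named in ca_dir() on the side that logs the validation failure, with that side's copy of the CA certificate.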