[syslog-ng] error='self signed certificate in certificate chain'

Girish Kumar girish.kumar at al-enterprise.com
Thu Mar 17 05:51:16 CET 2016 

Thank a lot  Robert. Document is very good.
I all followed all the steps except certificate creating steps since it was giving some error. Finally I was able to establish TLS communication with “required trusted”

I am sharing the steps used for creating certificates

mkdir CERT
cd CERT

  mkdir CA  client  server

  cd CA
  openssl genrsa -out caPrivate.key 4096
  openssl req -new -x509 -days 1826 -key caPrivate.key -out caCert.pem

  cd server
  openssl genrsa -out mySerPrivate.key 2048
  openssl req -new -key mySerPrivate.key -out mySerReq.csr
  openssl x509 -req -days 365 -in mySerReq.csr -CA ../CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 10 -out mySerCert.pem

  cd client
  openssl genrsa -out myCliPrivate.key 2048
  openssl req -new -key myCliPrivate.key -out myCliReq.csr
  openssl x509 -req -days 365 -in myCliReq.csr -CA .          ./CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 20 -out myCliCert.pem


Regards,
Girish
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Fekete, Róbert
Sent: Wednesday, March 16, 2016 2:00 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] error='self signed certificate in certificate chain'

Hi,

Try this tutorial, IIRC it uses self-signed CA cert: https://www.balabit.com/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-tutorial-mutual-auth-tls/html/index.html

Regards,
Robert

On Sun, Mar 13, 2016 at 8:39 AM, Girish Kumar <girish.kumar at al-enterprise.com<mailto:girish.kumar at al-enterprise.com>> wrote:
Thanks  Robert.
With required-untrusted,  I am able to communicate with syslog-ng server with TLS encryption.

I want to establish mutual authentication and need required-trusted option

Could you please let me know how to solve the following certificate issue with required-trusted option
Regards,
Girish

From: syslog-ng-bounces at lists.balabit.hu<mailto:syslog-ng-bounces at lists.balabit.hu> [mailto:syslog-ng-bounces at lists.balabit.hu<mailto:syslog-ng-bounces at lists.balabit.hu>] On Behalf Of Fekete, Róbert
Sent: Friday, March 11, 2016 7:05 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] error='self signed certificate in certificate chain'

Hi,

try setting the peer-verify option to required-untrusted (https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/tlsoptions.html#tls-options-peer-verify)

HTH,
Robert

On Fri, Mar 11, 2016 at 2:28 PM, Girish Kumar <girish.kumar at al-enterprise.com<mailto:girish.kumar at al-enterprise.com>> wrote:
Hi All,
I am getting following error while starting syslog-ng with tls option. Could you please help me  on this

Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection established; fd='5', server='AF_INET(10.135.83.103:6514)', local='AF_INET(0.0.0.0:0<http://0.0.0.0:0>)'
Mar 12 18:14:24 (none) syslog-ng[6136]: Certificate validation failed; subject='emailAddress=giri at gmail.com<mailto:giri at gmail.com>, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', issuer='emailAddress=giri at gmail.com<mailto:giri at gmail.com>, CN=girish kumar, OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', error='self signed certificate in certificate chain', depth='1'
Mar 12 18:14:24 (none) syslog-ng[6136]: SSL error while writing stream; tls_error='SSL routines:ssl3_get_server_certificate:certificate verify failed'
Mar 12 18:14:24 (none) syslog-ng[6136]: I/O error occurred while writing; fd='5', error='Broken pipe (32)'
Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection broken; fd='5', server='AF_INET(10.135.83.103:6514)', time_reopen='60'


//server conf
source d_source {
          #syslog(ip("mysyslog.server.com<http://mysyslog.server.com>") port(6514)
          syslog(ip("10.135.83.103") port(6514)
                    transport("tls")
             tls( key_file("/etc/cert.d/mySerPrivate.key")
             cert_file("/etc/cert.d/mySerCert.pem")
             ca_dir("/etc/ca.d")
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};

//Client conf
destination d_destination {
    #syslog("mysyslog.server.com<http://mysyslog.server.com>" port(6514)
    syslog("10.135.83.103" port(6514)
                        transport("tls")
        tls( ca_dir("/etc/ca.d")
         key_file("/etc/cert.d/myCliPrivate.key")
         cert_file("/etc/cert.d/myCliCert.pem")
         ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
         )
    );
};

Regard,
Girish

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20160317/0242aa5c/attachment-0001.htm

More information about the syslog-ng mailing list