[syslog-ng] error='self signed certificate in certificate chain'

Fekete, Róbert robert.fekete at balabit.com
Thu Mar 17 08:12:39 CET 2016


Hi,

Thank you very much for sharing your solution, I'll check if the docs need
some update.

Regards,
Robert

On Thu, Mar 17, 2016 at 5:51 AM, Girish Kumar <
girish.kumar at al-enterprise.com> wrote:

> Thanks a lot, Robert. The document is very good.
>
> I followed all the steps except the certificate-creation steps, since they
> were giving some error. Finally I was able to establish TLS communication
> with "required-trusted".
>
>
>
> I am sharing the steps I used for creating the certificates:
>
>
>
> mkdir CERT
> cd CERT
>
> mkdir CA client server
>
> # CA key and self-signed CA certificate
> cd CA
> openssl genrsa -out caPrivate.key 4096
> openssl req -new -x509 -days 1826 -key caPrivate.key -out caCert.pem
>
> # server key, CSR and CA-signed certificate (server/ is a sibling of CA/)
> cd ../server
> openssl genrsa -out mySerPrivate.key 2048
> openssl req -new -key mySerPrivate.key -out mySerReq.csr
> openssl x509 -req -days 365 -in mySerReq.csr -CA ../CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 10 -out mySerCert.pem
>
> # client key, CSR and CA-signed certificate
> cd ../client
> openssl genrsa -out myCliPrivate.key 2048
> openssl req -new -key myCliPrivate.key -out myCliReq.csr
> openssl x509 -req -days 365 -in myCliReq.csr -CA ../CA/caCert.pem -CAkey ../CA/caPrivate.key -set_serial 20 -out myCliCert.pem
>
>
>
>
>
> Regards,
>
> Girish
>
> *From:* syslog-ng-bounces at lists.balabit.hu [mailto:
> syslog-ng-bounces at lists.balabit.hu] *On Behalf Of *Fekete, Róbert
> *Sent:* Wednesday, March 16, 2016 2:00 PM
>
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] error='self signed certificate in certificate
> chain'
>
>
>
> Hi,
>
>
>
> Try this tutorial, IIRC it uses self-signed CA cert:
> https://www.balabit.com/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-tutorial-mutual-auth-tls/html/index.html
>
>
>
> Regards,
>
> Robert
>
>
>
> On Sun, Mar 13, 2016 at 8:39 AM, Girish Kumar <
> girish.kumar at al-enterprise.com> wrote:
>
> Thanks  Robert.
>
> With required-untrusted, I am able to communicate with the syslog-ng server
> with TLS encryption.
>
>
>
> I want to establish mutual authentication and need the *required-trusted*
> option.
>
>
>
> Could you please let me know how to solve the following certificate issue
> with the required-trusted option?
>
> Regards,
>
> Girish
>
>
>
> *From:* syslog-ng-bounces at lists.balabit.hu [mailto:
> syslog-ng-bounces at lists.balabit.hu] *On Behalf Of *Fekete, Róbert
> *Sent:* Friday, March 11, 2016 7:05 PM
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] error='self signed certificate in certificate
> chain'
>
>
>
> Hi,
>
>
>
> try setting the peer-verify option to required-untrusted (
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/tlsoptions.html#tls-options-peer-verify
> )
>
>
>
> HTH,
>
> Robert
>
>
>
> On Fri, Mar 11, 2016 at 2:28 PM, Girish Kumar <
> girish.kumar at al-enterprise.com> wrote:
>
> Hi All,
>
> I am getting the following error while starting syslog-ng with the tls
> option. Could you please help me with this?
>
>
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection established;
> fd='5', server='AF_INET(10.135.83.103:6514)', local='AF_INET(0.0.0.0:0)'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: Certificate validation failed;
> subject='emailAddress=giri at gmail.com, CN=girish kumar,
> OU=esd, O=enterprise, L=BAN, ST=KA, C=IN',
> issuer='emailAddress=giri at gmail.com, CN=girish kumar,
> OU=esd, O=enterprise, L=BAN, ST=KA, C=IN', error='self signed certificate
> in certificate chain', depth='1'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: SSL error while writing stream;
> tls_error='SSL routines:ssl3_get_server_certificate:certificate verify
> failed'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: I/O error occurred while writing;
> fd='5', error='Broken pipe (32)'
>
> Mar 12 18:14:24 (none) syslog-ng[6136]: Syslog connection broken; fd='5',
> server='AF_INET(10.135.83.103:6514)', time_reopen='60'
>
>
>
>
>
> # server conf
> source d_source {
>     #syslog(ip("mysyslog.server.com") port(6514)
>     syslog(ip("10.135.83.103") port(6514)
>         transport("tls")
>         tls( key_file("/etc/cert.d/mySerPrivate.key")
>              cert_file("/etc/cert.d/mySerCert.pem")
>              ca_dir("/etc/ca.d")
>              ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
>         )
>     );
> };
>
>
>
> # client conf
> destination d_destination {
>     #syslog("mysyslog.server.com" port(6514)
>     syslog("10.135.83.103" port(6514)
>         transport("tls")
>         tls( ca_dir("/etc/ca.d")
>              key_file("/etc/cert.d/myCliPrivate.key")
>              cert_file("/etc/cert.d/myCliCert.pem")
>              ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
>         )
>     );
> };
>
>
>
> Regard,
>
> Girish
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
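The certificate steps and the peer-verify discussion above, reworked as an added example that is not part of the original thread and not syslog-ng's own tooling. It builds the same CA/server/client layout with the X.509v3 extensions the posted commands leave out, puts the CA into a hash-named trust directory of the kind syslog-ng's ca_dir() reads, and uses openssl verify to reproduce the posted failure (error 19, "self signed certificate in certificate chain", at depth 1) next to a chain that verifies. The subjects, the 10.135.83.103 SAN, the "enterprise" organisation, the file names and the `run` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the syslog-ng project):
# private CA + server/client certs, a hashed ca_dir() layout for syslog-ng,
# and the "self signed certificate in certificate chain" verify error next
# to a trusted chain. Subjects, SAN, paths and names are assumptions.
set -eu

# OpenSSL config carrying the X.509v3 extensions a CA and its leaf certs
# need. The commands posted in the thread issue certs without extensions,
# so that CA cert has no basicConstraints=CA:TRUE.
write_openssl_cnf() {
  cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:10.135.83.103
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert DIR NAME SUBJECT EXTSECTION: key + CSR + CA-signed certificate
# under DIR/NAME/, signed by the CA in DIR/CA/
issue_cert() {
  dir=$1 name=$2 subj=$3 ext=$4
  openssl genrsa -out "$dir/$name/$name.key" 2048 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name/$name.key" \
    -subj "$subj" -out "$dir/$name/$name.csr"
  # -CAcreateserial keeps serials unique instead of hard-coding 10 and 20
  openssl x509 -req -days 365 -in "$dir/$name/$name.csr" \
    -CA "$dir/CA/caCert.pem" -CAkey "$dir/CA/caPrivate.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions "$ext" \
    -out "$dir/$name/$name.pem" 2>/dev/null
}

# make_pki DIR: creates DIR/CA, DIR/server, DIR/client, the hashed trust
# directory DIR/ca.d and DIR/empty.d (an empty trust store, for contrast)
make_pki() {
  dir=$1
  mkdir -p "$dir/CA" "$dir/server" "$dir/client" "$dir/ca.d" "$dir/empty.d"
  write_openssl_cnf "$dir/openssl.cnf"
  openssl genrsa -out "$dir/CA/caPrivate.key" 4096 2>/dev/null
  openssl req -new -x509 -days 1826 -config "$dir/openssl.cnf" \
    -extensions v3_ca -key "$dir/CA/caPrivate.key" \
    -subj "/O=enterprise/CN=syslog-ng example CA" -out "$dir/CA/caCert.pem"
  issue_cert "$dir" server "/O=enterprise/CN=10.135.83.103" v3_server
  issue_cert "$dir" client "/O=enterprise/CN=client01" v3_client
  # syslog-ng's ca_dir() finds CAs by subject-name hash, i.e. <hash>.0 as
  # produced by c_rehash; a file simply named caCert.pem there is never found
  cp "$dir/CA/caCert.pem" \
    "$dir/ca.d/$(openssl x509 -noout -hash -in "$dir/CA/caCert.pem").0"
}

# verify_errno TRUSTDIR CHAINCERT CERT: OpenSSL's X509 verify error number,
# or an empty string on success. CHAINCERT stands in for the CA cert the
# peer sends along in the TLS handshake (hence "in certificate chain").
verify_errno() {
  openssl verify -CApath "$1" -untrusted "$2" "$3" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p'
}

# write_client_conf DIR OUT: the thread's destination with mutual auth kept.
# peer-verify(required-trusted) is the default and is what rejected the
# unknown CA; required-untrusted only encrypts and accepts any peer cert.
write_client_conf() {
  cat >"$2" <<EOF
destination d_destination {
    syslog("10.135.83.103" port(6514) transport("tls")
        tls( ca-dir("$1/ca.d")
             key-file("$1/client/client.key")
             cert-file("$1/client/client.pem")
             peer-verify(required-trusted)
             ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};
EOF
}

if [ "${1:-}" = run ]; then   # usage: sh pki.sh run /tmp/pki
  make_pki "$2"
  echo "empty trust dir: error $(verify_errno "$2/empty.d" "$2/CA/caCert.pem" "$2/server/server.pem")"
  echo "hashed ca.d    : error '$(verify_errno "$2/ca.d" "$2/CA/caCert.pem" "$2/server/server.pem")'"
  write_client_conf "$2" "$2/client.conf"
fi
```

The empty trust directory reproduces the posted log line exactly: the server hands over its CA cert in the handshake, OpenSSL builds the chain up to that self-signed root, finds it in no trust store, and reports error 19 at depth 1. Copying the CA into ca.d under its subject hash is the only change between the failing and the passing run; the same hashed directory is what ca_dir("/etc/ca.d") needs on both the server and the client side for required-trusted to succeed.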