[syslog-ng] tls problems when chaning the server certificate syslog-ng-4.6.0
Evan Rempel
erempel at uvic.ca
Fri Sep 13 15:54:52 UTC 2024
Thanks. That was exactly the issue. The clients were rejecting the server certificate. I was confused as to how the client rejection gets logged into the server's logs. I guess there is a lot more information exchanged in an SSL handshake.
Signing the new server certificate with the older CA which all of the clients already have resolved the issue.
I will have to work on rolling out the new CA to all of the clients prior to resigning the server certificate.
--
Evan
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Sandor Geller <sandor.geller at ericsson.com>
Sent: September 12, 2024 11:08 PM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] tls problems when chaning the server certificate syslog-ng-4.6.0
Hello,
A packet capture would confirm it, but this TLS error has to come from the wire, so the clients are rejecting the server's certificate. Have you distributed the new CA cert to the connecting clients, and is it properly set up? When using a directory, is the hash symlink present there as well?
You could simulate your setup with openssl's s_client and s_server.
Regards,
Sandor
On 2024. 09. 12. 18:10, Evan Rempel wrote:
I have a syslog server running syslog-ng-4.6.0 (from the copr repo).
I am not seeing any TLS issues in the logs using the existing ca.d certificate and the current server TLS certificate.
The current TLS certificate will expire soon, and the CA used to sign the server certificate can no longer be used.
I have created a new server certificate, signed with a new Root CA. This new Root CA has been successfully added to the ca.d folder and is running without error with the current server certificate.
When I replace the server certificate with the new one and restart syslog-ng, I start getting a lot of errors in the logs.
SSL error while reading stream; tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
The new server certificate validates
$ openssl verify tls/server.crt
tls/server.crt: OK
The CA used to sign the certificate is in the ca.d folder with the correct hash.
I have to assume that the error is actually referring to the server certificate, but it could be referring to a client certificate. The error goes away when I switch the server certificate back.
The only thing that changes for this error is using the new server certificate.
How do I track this down?
Are there any other suggestions on what might have gone wrong?
--
Evan
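Sandor's s_client/s_server suggestion and the ca.d hash-symlink check, scripted as an added example that is not part of the thread. Every name in it (the two root CAs, the *.d directories, the server CN, port 14433) is constructed for the demo, and it assumes an OpenSSL 1.1.1 or later CLI with its default openssl.cnf.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Rebuilds the situation offline: a server cert
# signed by a NEW root while the clients still trust only the OLD root. Every name
# here (oldca, newca, the *.d dirs, port 14433) is constructed for the demo.
set -u
WORK=$(mktemp -d) && cd "$WORK" || exit 1
PORT=14433

make_ca() {    # $1 = file prefix, $2 = CN  ->  self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# ca.d-style trust dir. -CApath finds a CA only through its <subject_hash>.0 link.
make_cadir() { # $1 = dir, $2 = CA cert, $3 = hash|nohash
  mkdir -p "$1" && cp "$2" "$1/" || return 1
  [ "$3" = nohash ] || ln -sf "$2" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}
# What a CLIENT concludes about a cert, given the client's trust dir, not the server's.
verify_against() { # $1 = cert, $2 = trust dir  ->  "OK" or "FAIL: <reason>"
  local out
  if out=$(openssl verify -no-CAfile -CApath "$2" "$1" 2>&1); then echo OK
  else echo "FAIL: $(printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n1)"; fi
}
# Sandor's suggestion, scripted: s_server with the new cert, s_client trusting $1.
# -verify_return_error makes the client abort on a bad chain, as a verifying client
# does, so the server side logs the client's alert: the text seen in the original post.
handshake_with() { # $1 = client trust dir
  openssl s_server -accept "$PORT" -www -cert server.crt -key server.key >server.log 2>&1 &
  local srv=$!; sleep 1
  echo | openssl s_client -connect "127.0.0.1:$PORT" -no_CAfile -CApath "$1" \
    -verify_return_error 2>&1 | sed -n 's/^ *Verify return code: /client : /p'
  sleep 1; kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null
  grep -o 'alert unknown ca' server.log | head -n1 | sed 's/^/server : /'
}

make_ca oldca "Old Root CA"; make_ca newca "New Root CA"
openssl req -newkey rsa:2048 -nodes -subj "/CN=syslog.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA newca.crt -CAkey newca.key -CAcreateserial \
  -days 2 -out server.crt 2>/dev/null
make_cadir old_ca.d     oldca.crt hash   # what the clients still have
make_cadir new_nohash.d newca.crt nohash # new CA copied in, hash symlink forgotten
make_cadir new_ca.d     newca.crt hash   # new CA correctly installed

echo "clients' old store : $(verify_against server.crt old_ca.d)"
echo "new CA, no symlink : $(verify_against server.crt new_nohash.d)"
echo "new CA rolled out  : $(verify_against server.crt new_ca.d)"
handshake_with old_ca.d
```

The first verify line is the one that matters: checking the new certificate against the server's own trust store (as in the original post) says nothing about what the clients will accept.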