
I have a set up as follows: Root CA-> Intermediate CA -> Client Cert and Server Cert.

On the client side I have a directory containing client.crt, client.key, and a symbolic hash link to chain.crt. chain.crt contains the intermediate cert followed by the root cert (concatenated).

On the server side I have a directory containing server.crt, server.key, and a symbolic hash link to chain.crt. chain.crt is the same as the one described above.

When I run openssl verify -CApath certs.d client.crt, it returns an OK status. The same thing happens when I run it on server.crt.

When I try to send logs from the client to the server, I get errors on the client side stating that the root certificate could not be validated because it is self-signed.

The configuration on the client is:

destination d_server {
    syslog( "some ip" port(some port) transport("tls")
            tls( peer-verify(required-trusted)
                    cipher-suite(some cipher)
                    ca-dir(".../certs.d/")
                    key-file(".../certs.d/client.key")
                    cert-file(".../certs.d/client.crt") ) );
};

Does anyone know how I can fix this?

alien35man
  • Hi, which version of syslog-ng are you using? I kinda remember that chained certs are supported only in 3.5 or so. – Robert Fekete Jan 20 '16 at 15:07
  • I am using syslog-ng version 3.5.4.1. – alien35man Jan 20 '16 at 18:06
  • When you generated the hash and created the symbolic link, did you add a '.0' suffix? Like this - 84d92a45.0. – Tom Damon Jan 20 '16 at 18:43
  • Yes I did. I believe the problem has to do with the file containing more than 1 cert, but only 1 link to it? I was expecting the hash function to produce more than 1 if there was more than one certificate in the file. – alien35man Jan 20 '16 at 19:59
  • I did a write up on this in our documentation here - https://www.assembla.com/spaces/LogZillaWiki/wiki/Setting_Up_TLS_Tunnels. Maybe there's a step in there that might help. – Tom Damon Jan 26 '16 at 19:10
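The comments above turn on how the ca-dir() hash links are built: c_rehash hashes only the first certificate of a file, so the single link to chain.crt is found only under the intermediate's subject hash, while OpenSSL's own verify loads every certificate from a matched file and therefore still reports OK. The script below is an added example, not code from the question or the answer; it splits chain.crt into one file per CA, creates a hash link for each, and checks a leaf against the result with openssl verify (file names ca1.pem, ca2.pem and the script name are assumptions).

```shell
#!/bin/sh
# Added example: build an OpenSSL hash directory (what syslog-ng's ca-dir()
# reads) from a concatenated chain.crt. c_rehash hashes only the first
# certificate of a file, so a single link to chain.crt is found only under
# the intermediate's subject hash; splitting the bundle gives every CA in
# the chain its own <subject_hash>.N link.
set -eu

# split_pem_bundle BUNDLE OUTDIR: writes one caN.pem per certificate and
# prints how many it found.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }' "$1"
}

# link_ca_dir CERTDIR: creates <subject_hash>.N -> caN.pem symlinks
# (N increments on a hash collision, as c_rehash does) and prints the count.
link_ca_dir() {
    count=0
    for pem in "$1"/ca*.pem; do
        hash=$(openssl x509 -in "$pem" -noout -subject_hash)
        i=0
        while [ -e "$1/$hash.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$pem")" "$1/$hash.$i"
        count=$((count + 1))
    done
    echo "$count"
}

# verify_leaf CERTDIR LEAF: succeeds only if LEAF chains up to a trusted
# root through the certificates reachable in CERTDIR.
verify_leaf() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: sh build-ca-dir.sh chain.crt certs.d client.crt
if [ $# -eq 3 ]; then
    echo "split $(split_pem_bundle "$1" "$2") certificate(s) from $1"
    echo "created $(link_ca_dir "$2") hash link(s) in $2"
    if verify_leaf "$2" "$3"; then
        echo "$3: OK"
    else
        echo "$3: verification failed" >&2
        exit 1
    fi
fi
```

After running it, the directory holds one link per CA instead of one link to the whole bundle, so a lookup by the root's subject hash succeeds as well as one by the intermediate's.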

1 Answer


Certificate chains are supported only in syslog-ng OSE 3.6.1 and later, so you'll have to upgrade. If there is no newer version in your distro repositories, see the syslog-ng.org download page.

Robert Fekete