NXlog cannot verify self-signed CA certificate
Hi,
I'm trying to forward log events with NXlog to logstash over an SSL connection. Therefore, I generated my own CA certificate and a certificate to be used by logstash for the SSL connection. NXlog is installed on an Ubuntu 14.04 (virtual) machine with the CA certificate added as '/etc/ssl/certs/logstash-ca.crt'.
I tested the connection with
openssl s_client -CAfile /etc/ssl/certs/logstash-ca.cert -connect localhost:5000
and everything works fine (all entered text lines are received by logstash).
However, when I start NXlog with the appropriate om_ssl output configuration it fails with
ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)
My NXlog configuration looks like this:
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel DEBUG

# Modules
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

# Nxlog internal logs
<Input internal>
    Module im_internal
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Output sslout>
    Module om_ssl
    Host localhost
    Port 5000
    CertFile "/etc/ssl/certs/logstash-ca.crt"
    OutputType LineBased
</Output>

<Route logstash>
    Path internal => sslout
</Route>
When I start NXlog with
sudo nxlog -f -c nxlog.conf
the debug output looks like this:
2015-03-05 20:37:05 DEBUG module sslout got 1 poll events
2015-03-05 20:37:05 DEBUG Module sslout can read
2015-03-05 20:37:05 DEBUG [...]
2015-03-05 20:37:05 DEBUG PROCESS_EVENT: READ (sslout)
2015-03-05 20:37:05 DEBUG om_ssl read
2015-03-05 20:37:05 DEBUG doing handshake
2015-03-05 20:37:05 DEBUG verify callback (ok: 0)
2015-03-05 20:37:05 DEBUG preverification returned non-OK: unable to get local issuer certificate
2015-03-05 20:37:05 DEBUG STOP: sslout
2015-03-05 20:37:05 DEBUG remove socket [21]
2015-03-05 20:37:05 DEBUG executing statements
2015-03-05 20:37:05 DEBUG [...]
2015-03-05 20:37:05 INFO reconnecting in 1 seconds
2015-03-05 20:37:05 ERROR [om_ssl.c:532/io_err_handler()] -;[ssl.c:168/nx_ssl_check_io_error()] SSL certificate verification failed: unable to get local issuer certificate (err: 20)
I have no idea why the verification works with OpenSSL but fails with NXlog (I'm using nxlog-ce-2.8.1248 and OpenSSL version is 1.0.1f).
Any help is highly appreciated.
You should not use double quotes and it is CAFile not CertFile:
CAFile /etc/ssl/certs/logstash-ca.crt
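
Added example (not part of the original thread and not NXlog's own tooling): a small Python check that flags the mistake discussed above in om_ssl output blocks. It assumes om_ssl's documented directive meanings (CAFile/CADir to verify the peer, CertFile with CertKeyFile for this host's own certificate, AllowUntrusted defaulting to FALSE); the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample: the <Output> block from the question, unchanged.
SAMPLE_CONF = """\
<Output sslout>
    Module om_ssl
    Host localhost
    Port 5000
    CertFile "/etc/ssl/certs/logstash-ca.crt"
    OutputType LineBased
</Output>
"""
# The same block with the correction given in the reply.
FIXED_CONF = SAMPLE_CONF.replace(
    'CertFile "/etc/ssl/certs/logstash-ca.crt"',
    "CAFile /etc/ssl/certs/logstash-ca.crt")

OUTPUT_RE = re.compile(r"<Output\s+([^>\s]+)>(.*?)</Output>", re.S | re.I)

def parse_outputs(conf):
    """Yield (name, {lowercased directive: raw value}) per <Output> block."""
    for name, body in OUTPUT_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        yield name, directives

def check_om_ssl(conf):
    """Return (block name, finding) pairs for om_ssl outputs (hypothetical helper)."""
    findings = []
    for name, d in parse_outputs(conf):
        if d.get("module", "").lower() != "om_ssl":
            continue
        untrusted = d.get("allowuntrusted", "FALSE").upper() == "TRUE"
        if not untrusted and "cafile" not in d and "cadir" not in d:
            findings.append((name, "no CAFile/CADir: server certificate cannot be verified"))
        if "certfile" in d and "certkeyfile" not in d:
            findings.append((name, "CertFile without CertKeyFile: CertFile is the client's own certificate, not the CA"))
        for key in ("cafile", "certfile", "certkeyfile"):
            if d.get(key, "").startswith('"'):
                findings.append((name, key + " is double-quoted; the reply says to drop the quotes"))
    return findings

if __name__ == "__main__":
    for name, msg in check_om_ssl(SAMPLE_CONF):
        print(name + ": " + msg)
```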