NXlog cannot verify self-signed CA certificate | View post

goerlitz 9 years ago

Hi,

I'm trying to foward log events with NXlog to logstash over a SSL connection. Therefore, I generated my own CA certificate and a certificate to be used by logstash for the SSL connection. NXlog is installed on a Ubuntu 14.04 (virtual) machine with the CA certificate added as '/etc/ssl/certs/logstash-ca.crt'.

I tested the connection with

openssl s_client -CAfile /etc/ssl/certs/logstash-ca.cert -connect localhost:5000

and everything works fine (all entered text lines are received by logstash).

However, when I start NXlog with the appropriate om_ssl output configuration it fails with

ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)

My NXlog configuration looks like this:

User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel DEBUG

# Modules
<Extension _syslog>
    Module xm_syslog
</Extension>
<Extension json>
    Module xm_json
</Extension>

# Nxlog internal logs
<Input internal>
    Module im_internal
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Output sslout>
    Module          om_ssl
    Host            localhost
    Port            5000
    CertFile        "/etc/ssl/certs/logstash-ca.crt"
    OutputType      LineBased
</Output>

<Route logstash>
    Path internal => sslout
</Route>

When I start NXlog with

sudo nxlog -f -c nxlog.conf

the debug output looks like this:

2015-03-05 20:37:05 DEBUG module sslout got 1 poll events
2015-03-05 20:37:05 DEBUG Module sslout can read
2015-03-05 20:37:05 DEBUG [...]
2015-03-05 20:37:05 DEBUG PROCESS_EVENT: READ (sslout)
2015-03-05 20:37:05 DEBUG om_ssl read
2015-03-05 20:37:05 DEBUG doing handshake
2015-03-05 20:37:05 DEBUG verify callback (ok: 0)
2015-03-05 20:37:05 DEBUG preverification returned non-OK: unable to get local issuer certificate
2015-03-05 20:37:05 DEBUG STOP: sslout
2015-03-05 20:37:05 DEBUG remove socket [21]
2015-03-05 20:37:05 DEBUG executing statements
2015-03-05 20:37:05 DEBUG [...]
2015-03-05 20:37:05 INFO reconnecting in 1 seconds
2015-03-05 20:37:05 ERROR [om_ssl.c:532/io_err_handler()] -;[ssl.c:168/nx_ssl_check_io_error()] SSL certificate verification failed: unable to get local issuer certificate (err: 20)

I have no idea why the verification work with OpenSSL but fails with NXlog (I'm using nxlog-ce-2.8.1248 and OpenSSL version is 1.0.1f).

Any help is highly appreciated.