NXLog with om_ssl using a 3rd party cert


#1 LogWolf

I'm trying to set up nxlog with om_ssl using a 3rd party cert. I can connect without issue using openssl s_client, but am getting a certificate error in nxlog.

    local:~$ openssl s_client -connect logs.notmyrealdomain.com:514
    CONNECTED(00000003)
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.notmyrealdomain.com
    verify return:1

    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.notmyrealdomain.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

If I don't specify a CAfile in nxlog.conf, I get one error:

    2019-02-11 12:19:55 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)

    Module om_ssl
    Host %OUTPUT_DESTINATION_ADDRESS%
    Port %OUTPUT_DESTINATION_PORT%
    CAFile %ROOT%\cert\ca.pem

If I do specify a CAfile with the same intermediate cert as is on the server, I get a different error:

    2019-02-11 12:22:24 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)

    Module om_ssl
    Host %OUTPUT_DESTINATION_ADDRESS%
    Port %OUTPUT_DESTINATION_PORT%
    CAFile %ROOT%\cert\ca.pem

"AllowUntrusted TRUE" does not help, but shouldn't be needed.

Thanks in advance for any help!

#2 LogWolf

Resolution was changing CA.PEM to have both cert and also intermediate cert.
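
The two error codes in this thread come from OpenSSL's chain verification: err 20 is reported when no certificate in the chain is found in the local trust store, and err 2 when the trust store holds the intermediate but not that intermediate's own issuer. The script below is an added example, not part of the original posts; it reproduces both codes and the passing case with `openssl verify` against a throwaway root, intermediate and leaf chain. All certificate names and the temporary directory are constructed, and it assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain (test names only).
set -e
work=$(mktemp -d)
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_csr NAME: write NAME.key and NAME.csr with subject CN=NAME
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}

build_chain() {
    # Self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/ca.cnf" \
        -extensions v3_ca -subj "/CN=demo-root" \
        -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
    # Intermediate CA signed by the root
    new_csr demo-intermediate
    openssl x509 -req -in "$work/demo-intermediate.csr" -days 2 \
        -CA "$work/root.pem" -CAkey "$work/root.key" -CAcreateserial \
        -extfile "$work/ca.cnf" -extensions v3_ca -out "$work/inter.pem" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate
    new_csr demo-leaf
    openssl x509 -req -in "$work/demo-leaf.csr" -days 2 -CA "$work/inter.pem" \
        -CAkey "$work/demo-intermediate.key" -CAcreateserial \
        -out "$work/leaf.pem" 2>/dev/null
    # CA bundle holding the whole issuer chain
    cat "$work/root.pem" "$work/inter.pem" > "$work/full-ca.pem"
}

# verify_code ARGS...: run `openssl verify ARGS leaf.pem`; print OK or the first error number
verify_code() {
    out=$(openssl verify "$@" "$work/leaf.pem" 2>&1) || true
    case "$out" in
        *": OK") echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

build_chain
echo "no CA file, intermediate only sent by peer: $(verify_code -untrusted "$work/inter.pem")"
echo "CA file = intermediate only:                $(verify_code -CAfile "$work/inter.pem")"
echo "CA file = root + intermediate:              $(verify_code -CAfile "$work/full-ca.pem")"
```

To inspect a real CA file the same way, `openssl crl2pkcs7 -nocrl -certfile ca.pem | openssl pkcs7 -print_certs -noout` lists the subject and issuer of every certificate in it, which shows whether the chain reaches a self-signed root.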