Problems using SSL input with NXLog


#1 Mads.Hvelplund

TL;DR summary: NXLog won't load my certificate - why?

I've set up an NXLog CE server to act as an encrypted entry point for a Graylog server. After creating a self-signed certificate and adding it to the configuration, I get an unexpected error in the log when NXLog starts up.

2015-07-10 06:49:22 INFO reloading configuration and restarting modules
2015-07-10 06:49:22 ERROR SSL error, Failed to open certfile: "/certificates/client.pem";No such file or directory
2015-07-10 06:49:22 INFO configuration reloaded successfully.

I assumed it might be a file rights issue, but looking at the files, it seems like the rights are actually a little too loose for comfort:

root@e757dae37501:/# ll /certificates/
total 20
drwxr-xr-x  2 nxlog nxlog 4096 Jul 10 06:32 ./
drwxr-xr-x 49 root  root  4096 Jul 10 06:32 ../
-rw-r--r--  1 nxlog nxlog 1387 Jul  9 15:51 ca.pem
-rw-r--r--  1 nxlog nxlog  887 Jul  9 15:54 client.key
-rw-r--r--  1 nxlog nxlog 1001 Jul  9 15:55 client.pem

My NXLog configuration looks like this:

...
<Input inssl>
Module im_ssl
Host 0.0.0.0
Port 1515
InputType Binary
CAFile "/certificates/ca.pem"
CertFile "/certificates/client.pem"
CertKeyFile "/certificates/client.key"
KeyPass secret
RequireCert FALSE
AllowUntrusted TRUE
</Input>
...

I've tried looking at the source code for the SSL module, but it looks like the line that fails is not related to validation but simple file access. I have no idea how to proceed. Suggestions?

#2 adm Nxlog ✓

The paths should not be double-quoted.

CertFile /certificates/client.pem
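
The fix above, as a check to run over a configuration before reloading (an added example, not part of the original thread and not NXLog code): it flags double-quoted values on the three path directives from the question and reports a private key file that is readable by group or others, as the listing in the question shows for client.key. The function names and the embedded sample block are constructed for illustration.

```python
import os
import re
import stat

# Path-valued directives taken from the im_ssl block in the question.
PATH_DIRECTIVES = ("CAFile", "CertFile", "CertKeyFile")
LINE_RE = re.compile(r"^\s*(%s)\s+(.+?)\s*$" % "|".join(PATH_DIRECTIVES), re.I)


def lint_ssl_paths(conf_text):
    """Return (line_no, directive, problem, suggested_line) for quoted paths."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        # Per the answer in this thread, the quotes end up in the file name.
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            findings.append((no, name, "double-quoted path", f"{name} {value[1:-1]}"))
    return findings


def key_mode_problem(path):
    """Return a message if the key file is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"{path} has mode {mode:04o}; readable beyond its owner"
    return None


# Constructed sample: the Input block as posted in the question.
SAMPLE = """\
<Input inssl>
Module im_ssl
Host 0.0.0.0
Port 1515
InputType Binary
CAFile "/certificates/ca.pem"
CertFile "/certificates/client.pem"
CertKeyFile "/certificates/client.key"
</Input>
"""

if __name__ == "__main__":
    for no, name, problem, fix in lint_ssl_paths(SAMPLE):
        print(f"line {no}: {name}: {problem}; use: {fix}")
```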