I'm trying to set up nxlog with om_ssl using a 3rd party cert. I can connect without issue using openssl s_client, but am getting a certificate error in nxlog.

local:~$ openssl s_client -connect logs.notmyrealdomain.com:514
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.notmyrealdomain.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.notmyrealdomain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

If I don't specify a CAfile in nxlog.conf, I get one error:
2019-02-11 12:19:55 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)
Module om_ssl
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
# CAFile %ROOT%\cert\ca.pem

If I do specify a CAfile with the same intermediate cert as is on the server, I get a different error:
2019-02-11 12:22:24 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
Module om_ssl
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
CAFile %ROOT%\cert\ca.pem

"AllowUntrusted TRUE" does not help, but shouldn't be needed.

Thanks in advance for any help!

Asked February 11, 2019 - 6:31pm

Answers (0)
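
Added example, not part of the original post and not NXLog or OpenSSL code: a simplified model of default OpenSSL chain building (CA file consulted first, no partial-chain trust, so every chain must end at a self-signed root in the CA file), run over the chain quoted in the question. The CA-file contents are constructed, and the `ROOT` entry assumes the top issuer is a self-signed root. Under that model the two configurations in the post produce errors 20 and 2, and a CA file holding the root verifies.

```python
import re

# Chain section of the s_client output quoted in the post (what the server sends).
S_CLIENT_CHAIN = """\
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.notmyrealdomain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 's:' / 'i:' lines."""
    subjects = re.findall(r"^\s*\d+\s+s:(.+)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", text, re.M)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def verify(served, ca_file):
    """Return (error_code, dn). 0 = ok; 20 = issuer of a server-sent cert not
    found; 2 = issuer of a CA-file cert not found; 18/19 = self-signed cert
    (leaf / higher in the chain) that is not in the CA file."""
    store = {subj: (subj, iss) for subj, iss in ca_file}
    sent = {subj: (subj, iss) for subj, iss in served}
    cert, trusted = served[0], False
    for _ in range(len(store) + len(sent) + 1):   # bound against issuer loops
        subject, issuer = cert
        if subject == issuer:                     # reached a self-signed cert
            if trusted:
                return (0, subject)
            return (18 if cert == served[0] else 19, subject)
        if issuer in store:                       # trusted copy wins
            cert, trusted = store[issuer], True
        elif issuer in sent:
            cert, trusted = sent[issuer], False
        else:                                     # nobody supplied this issuer
            return (2 if trusted else 20, issuer)
    raise ValueError("issuer loop in supplied certificates")

served = parse_chain(S_CLIENT_CHAIN)
INTERMEDIATE = served[1]                     # the cert the post put in ca.pem
ROOT = (INTERMEDIATE[1], INTERMEDIATE[1])    # constructed: self-signed root entry

if __name__ == "__main__":
    for name, ca in [("no CAFile", []), ("intermediate", [INTERMEDIATE]), ("root", [ROOT])]:
        print(name, verify(served, ca))
```

In each failing case the returned DN is the issuer that neither the server nor the CA file supplied.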