
Cannot use imported CA with Syslog

Description

When configuring syslog to write to a syslog server using TLS with a certificate issued by a private CA, the certificate cannot be verified.

The log sample below shows the error:

Aug 28 00:44:10 scruffy syslog-ng[71695]: Syslog connection established; fd='26', server='AF_INET(10.10.1.28:51414)', local='AF_INET(0.0.0.0:0)'
Aug 28 00:44:10 scruffy syslog-ng[71695]: Certificate validation failed; subject='CN=AmyCA Intermediate CA', issuer='CN=AmyCA Root CA', error='unable to get local issuer certificate', depth='1'
Aug 28 00:44:10 scruffy syslog-ng[71695]: SSL error while writing stream; tls_error='SSL routines:tls_process_server_certificate:certificate verify failed', location='/usr/local/etc/syslog-ng.conf:208:71'
Aug 28 00:44:10 scruffy syslog-ng[71695]: I/O error occurred while writing; fd='26', error='Broken pipe (32)'
Aug 28 00:44:10 scruffy syslog-ng[71695]: Syslog connection broken; fd='26', server='AF_INET(10.10.1.28:51414)', time_reopen='60'

The certificate "CN=AmyCA Root CA" has been imported to TrueNAS via the "CAs" page.

root@scruffy[~]# cd /etc/certificates
root@scruffy[/etc/certificates]# ls -al CA
total 33
drwxr-xr-x 2 root wheel 256 Aug 28 00:20 .
drwxr-xr-x 3 root wheel 512 Aug 28 00:41 ..
-rw-r--r-- 1 root wheel 565 Aug 28 00:20 AmyCA_Root.crt
-rw-r--r-- 1 root wheel 438 Aug 28 00:20 AmyCA_TrueNAS_Intermediate.crl
-rw-r--r-- 1 root wheel 1192 Aug 28 00:20 AmyCA_TrueNAS_Intermediate.crt
-r-------- 1 root wheel 241 Aug 28 00:20 AmyCA_TrueNAS_Intermediate.key
root@scruffy[/etc/certificates]#

The error in syslog-ng is occurring because syslog-ng requires the key to be symlinked by its hash, e.g.

root@scruffy[/etc/certificates]# openssl x509 -noout -hash -in ./CA/AmyCA_Root.crt
4c92b288
root@scruffy[/etc/certificates]# ln -s /etc/certificates/CA/AmyCA_Root.crt 4c92b288.0
root@scruffy[/etc/certificates]# ls -al
total 66
drwxr-xr-x 3 root wheel 576 Aug 28 00:50 .
drwxr-xr-x 31 root wheel 8832 Aug 24 18:21 ..
lrwxr-xr-x 1 root wheel 35 Aug 28 00:41 38e14cf6.0 -> /etc/certificates/AmyCA_Scruffy.crt
lrwxr-xr-x 1 root wheel 19 Aug 28 00:50 4c92b288.0 -> /etc/certificates/CA/AmyCA_Root.crt
-rw-r--r-- 1 root wheel 1302 Aug 28 00:20 AmyCA_Scruffy.crt
-r-------- 1 root wheel 241 Aug 28 00:20 AmyCA_Scruffy.key
drwxr-xr-x 2 root wheel 256 Aug 28 00:20 CA
-rw-r--r-- 1 root wheel 1155 Aug 28 00:20 freenas_default.crt
-r-------- 1 root wheel 1704 Aug 28 00:20 freenas_default.key
-rw-r--r-- 1 root wheel 2236 Aug 27 19:17 scruffy2.crt
-r-------- 1 root wheel 1704 Aug 27 19:17 scruffy2.key
root@scruffy[/etc/certificates]#

This requirement is outlined in the syslog-ng documentation here: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/55#TOPIC-956593

Could we get this fixed so that external CAs imported via the GUI are symlinked by their hash correctly? TrueNAS appears to already be doing it for leaf certificates it has the key for, but not for external imported CA certificates.

Problem/Justification

None

Impact

None
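The hash-symlink workaround from the report, generalised to a whole CA directory, as an added example (this is not TrueNAS or syslog-ng code). It does what OpenSSL's c_rehash does: for every certificate in a directory it computes the subject hash (the value `openssl x509 -hash` prints in the report) and creates a `<hash>.N` link, incrementing N only when the name is already taken by a different file, so re-running it is safe. A second function checks the result the way syslog-ng's TLS client will, by asking OpenSSL to build the chain from the link directory alone. Directory names and the `rehash_ca_dir`/`verify_with_links` function names are the example's own assumptions; it needs POSIX sh and `openssl` in PATH.

```shell
#!/bin/sh
# Added example, not TrueNAS or syslog-ng code. Builds the OpenSSL-style
# <subject-hash>.N symlinks that syslog-ng's ca_dir() lookup needs, for every
# certificate in a CA directory, and checks the result with openssl verify.
# Assumes POSIX sh plus openssl in PATH; directory names are illustrative.
set -eu

# rehash_ca_dir CERT_DIR LINK_DIR
# For each *.crt in CERT_DIR, compute the OpenSSL subject hash (what the
# report's `openssl x509 -hash` prints on OpenSSL >= 1.0.0) and create
# LINK_DIR/<hash>.<n> -> /absolute/path/to/cert. <n> starts at 0 and is
# bumped only when that name already points at a different file, so the
# function can be re-run and also copes with two CAs sharing a hash.
rehash_ca_dir() {
    cert_dir=$1
    link_dir=$2
    for crt in "$cert_dir"/*.crt; do
        [ -f "$crt" ] || continue
        # Use an absolute target so the link is valid regardless of cwd.
        crt=$(cd "$(dirname "$crt")" && pwd -P)/$(basename "$crt")
        hash=$(openssl x509 -noout -subject_hash -in "$crt")
        n=0
        while [ -e "$link_dir/$hash.$n" ] || [ -L "$link_dir/$hash.$n" ]; do
            if [ "$(readlink "$link_dir/$hash.$n")" = "$crt" ]; then
                continue 2    # already linked: move on to the next cert
            fi
            n=$((n + 1))      # name taken by another cert (or a stale link)
        done
        ln -s "$crt" "$link_dir/$hash.$n"
        echo "$hash.$n -> $crt"
    done
}

# verify_with_links LINK_DIR CERT
# Exit status 0 when OpenSSL can build CERT's chain from LINK_DIR, which is
# the same directory lookup a syslog-ng TLS client performs via ca_dir().
verify_with_links() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Typical use on the system from the report (paths as shown there):
#   rehash_ca_dir /etc/certificates/CA /etc/certificates
#   verify_with_links /etc/certificates /etc/certificates/AmyCA_Scruffy.crt && echo "chain OK"
```

Because the intermediate certificate in the CA directory is linked as well, this also covers the `depth='1'` failure in the log above when the syslog server does not send its intermediate. On OpenSSL 1.1.0 and later, `openssl rehash DIR` performs the same linking for an entire directory; the point of the script is to show exactly what TrueNAS is already doing for `AmyCA_Scruffy.crt` (the `38e14cf6.0` link) and not yet doing for imported CAs.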

Activity


Bonnie Follweiler August 30, 2021 at 1:30 PM

Thank you for the report.

Can you please attach a debug file to this ticket? To generate a debug file on TrueNAS CORE, log in to the TrueNAS web interface, go to System > Advanced, then click Save Debug and wait for the file to download to your local system.

Need additional information

Details

Impact: High

Created August 27, 2021 at 2:56 PM
Updated July 6, 2022 at 8:56 PM
Resolved October 4, 2021 at 8:31 PM