戻る
-
タイトル
SSLv3 alert certificate unknown -
説明
The following SSL error appears in the syslog-pe logsJan 10 20:36:03 mysysloghost syslog-ng[12265]: Syslog connection accepted; fd='18', client='AF_INET(10.10.10.5:25117)', local='AF_INET(0.0.0.0:1999)'Jan 10 20:36:03 mysysloghost syslog-ng[12265]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown', location='/opt/syslog-ng/etc/syslog-ng.conf:20:12'Jan 10 20:36:03 mysysloghost syslog-ng[12265]: I/O error occurred while reading; fd='18', error='Connection reset by peer (104)'Jan 10 20:36:03 mysysloghost syslog-ng[12265]: Syslog connection closed; fd='18', client='AF_INET(10.10.10.5:25117)', local='AF_INET(0.0.0.0:1999)'The important bit of information is this line:SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown', location='/opt/syslog-ng/etc/syslog-ng.conf:20:12 -
原因
The SSL library sends an alert back to the system telling the certificate chain was invalid.The message section that says "sslv3 alert certificate unknown" usually refers to the intermediate certificate in a chain of certificates. That certificate is expired, invalid or not trusted by one or more systems involved in the SSL/TLS communication.
-
対策
If the error message there is usually the line or block that contains the offending certificate, in this case, "location='/opt/syslog-ng/etc/syslog-ng.conf:20:12' "The line 20 of the syslog.conf is the line or block definition. It is usually something like this:# TLS Sourcesource ec2_tls_source {network(ip(0.0.0.0)port(1999)transport("tls")flags(no-parse)tls(key-file("/opt/syslog-ng/etc/syslog-ng/cert.d/_.domain.com.key")cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/_.domain.com.crt")ca-dir("/opt/syslog-ng/etc/syslog-ng/ca_cert.dom")peer-verify(optional-trusted)));};Please verify they are trusted and/or not expired the complete chain of the certificate, including any intermediate certificates that may need to be present. -
追加情報
You can verify the certificate path with OpenSSL in a *NIX command line, the following is an example of the procedure:# trying to connect to a server we suspect has a bad cert chain installed$ openssl s_client -connect server01.badintermediate.domain.com:1999 -tls1_2CONNECTED(00000005)depth=0 C = US, ST = Florida, L = Miami, O = "Example Company, Inc.", CN = *.domain.comverify error:num=20:unable to get local issuer certificateverify return:1depth=0 C = US, ST = Florida, L = Miami, O = "Example Company, Inc.", CN = *.domain.comverify error:num=21:unable to verify the first certificateverify return:1