-
Title
TLS certificate errors when Syslog-ng PE host has multiple hostnames -
Description
TLS connections fail when using two or more Virtual IP (VIP) addresses that each have different hostnames than the primary hostname of the Syslog-ng PE host operating system's hostname and Syslog-ng PE is running on a Linux host.
-
Cause
The Linux host running the Syslog-ng PE server instance has been configured with multiple Virtual IP (VIP) addresses that each have different hostnames than the primary hostname of the Syslog-ng PE host operating system's hostname and the server certificate has not been configured for the additional DNS names and IP addresses.
Example scenario:Hostname of the host running Syslog-ng PE server: Server 1
VIP1: 10.10.1.2VIP Syslog-ng PE hostname: server1
VIP2: 10.10.1.3VIP Syslog-ng PE hostname: server2 -
Resolution
The X509 server certificate must include the additional IP addresses and hostnames within the subject alternate names section of the certificate. The team responsible for certificate creation must ensure that the additional IP addresses and hostnames within the subject alternate names section of the certificate exist and list the correct IP addresses as well as hostnames.
Once the additional IP addresses and hostnames have been added to the certificate that certificate will need to be uploaded to be used by the Syslog-ng PE server.
An example of a configuration file that includes the additional IP addresses and hostnames should look similar to the following example. The example below should not be used and has been created for example purposes only.
[req] default_bits = 4096 default_md = sha256 req_extensions = v3_req keyUsage = keyEncipherment,dataEncipherment basicConstraints = CA:FALSE distinguished_name = dn [ v3_req ] subjectAltName = @alt_names extendedKeyUsage = serverAuth,clientAuth [ alt_names ] DNS.1 = PrimaryHostname.FQDN DNS.2 = HostNameofVIP1.FQDN DNS.3 = HomenameofVIP2.FQDN IP.1 = PrimaryIPAddress IP.2 = IPofVIP1 IP.3 = IPofVIP2