Problem in using TLS with Server Side auth (err 2)

Hi,

I set nxlog to send security log to a GrayLog input. It works perfectly using om_tcp but it fails with om_tls.

The nxlog says: “ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)”

While I need an encrypted communication, I am not interested in mutual authentication (just server-side auth).
Getting through the documentation (https://nxlog.co/documentation/nxlog-user-guide/graylog.html), I created the following config file:

################
define ROOT /usr/bin

Module xm_gelf
ShortMessageLength 65536

User nxlog
Group nxlog

Moduledir /usr/libexec/nxlog/modules
CacheDir /var/spool/nxlog/data
PidFile /var/log/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

Module im_file
File '/var/log/secure'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message

########################
OUTPUT DEFINITION
########################

Module om_ssl
Host XXXXX
Port 12201
OutputType GELF_TCP
#### => CAFile Readable by nxlog user
CAFile /var/log/nxlog/DigiCertCA.crt
AllowUntrusted True

# These fields are needed for Graylog
gl2_source_collector = '{sidecar.nodeId}';
collector_node_id = '{sidecar.nodeName}';
$Hostname = hostname_fqdn();

Path secureLog => gelf_tls

########

I cannot find a post with a suitable solution to my problem.
Could anyone kindly give me some advice on this?

Regards,

Bruno

You should fix/understand certificates …

The complete error message + nxlog is pointing to this:

The comments (read all) should give you a way to fix that.

Many Thanks,

I managed to solve the problem following the link provided by you. For those who need it, I did as follows:

  1. I got all the CA certificates of the chain required to verify the certificate used by the graylog input.
  2. I concatenated them into a single file and I put it in my client machine.
  3. I filled the field CAFile of the client’s Input with the path to the CA file.
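
The fix in the steps above can be reproduced offline with a throwaway PKI. This is an added example, not part of the original posts: the CA, host and file names are constructed, and it assumes the failing CAFile held only an intermediate CA certificate, which is the situation in which OpenSSL reports error 2.

```shell
#!/bin/sh
# Constructed throwaway PKI (all names invented for this example):
#   demo-root -> demo-intermediate -> graylog.example.test
# Requires the openssl command-line tool.

make_chain() {  # $1 = empty working directory
  ( set -e
    cd "$1"
    # Minimal config so that CA certificates carry basicConstraints CA:TRUE.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3ca' \
      '[dn]' 'CN=unused' '[v3ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf
    # Self-signed root CA.
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj /CN=demo-root -keyout root.key -out root.crt
    # Intermediate CA, signed by the root.
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
      -subj /CN=demo-intermediate -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -days 2 -extfile pki.cnf -extensions v3ca -out int.crt
    # Server certificate (stands in for the Graylog input), signed by the
    # intermediate.
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
      -subj /CN=graylog.example.test -keyout srv.key -out srv.csr
    openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key \
      -CAcreateserial -days 2 -out srv.crt
    # The fix from the thread: every CA certificate of the chain in one file.
    cat int.crt root.crt > chain.pem
  ) >/dev/null 2>&1
}

# Verify certificate $2 against trust file $1 and print openssl's diagnostics.
verify_with() { openssl verify -CAfile "$1" "$2" 2>&1; }

d=$(mktemp -d)
make_chain "$d"
echo "CAFile with the intermediate CA only:"
verify_with "$d/int.crt" "$d/srv.crt" || echo "-> rejected"
echo "CAFile with the concatenated chain:"
verify_with "$d/chain.pem" "$d/srv.crt"
rm -rf "$d"
```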