Botond, I'll write a blog post on this once I've got it working! (for
windows users at least). I've generated an x509 certificate key/private
pair using the following:
openssl req -x509 -nodes -days 365 -subj '/C=GB/ST=London/L=London/CN=nxlog.fundapps.co' -newkey rsa:1024 -keyout nxlog_private.pem -out nxlog_public.pem
However, I'm now just back to getting
ERROR SSL certificate verification failed: unable to get local issuer
certificate (err: 20)
I've tried setting
HTTPSAllowUntrusted TRUE
but it still occurs - so am I right in thinking it's still an issue with
our client certificate rather than verifying the external party's CA?
Thanks
J
On 12 September 2013 15:30, Botond Botyanszki <[email protected]> wrote:
> Hi James,
>
> SSL needs x509 certificates. The rsa public key is wrapped into this.
> I know this deserves a tutorial on its own...
> If you google for "openssl generate x509" this will give you a bunch of
> guides.
> I would give you a script to do that, unfortunately I don't have one
> because we use our nxlog management app that automates all this.
>
> Regards,
> Botond
>
> On Thu, 12 Sep 2013 15:10:50 +0100
> James Crowley <[email protected]> wrote:
>
> > Thanks Botond, appreciate your help. Do you *have* to generate the client
> > SSL key pairs? Is there not one already available on the machine?
> >
> > Apologies if these are really obvious questions - and I realise a little
> > outside of NXlog itself, but I'm struggling to get the key working. I've
> > generated a public and private key pair using OpenSSL
> >
> > openssl genrsa -aes128 -passout pass:SomePassword -out nxlog_private.pem 2048
> > openssl rsa -in nxlog_private.pem -passin pass:SomePassword -pubout -out nxlog_public.pem
> >
> > placed them in the /cert folder and set the config to
> >
> > HTTPSCertFile %CERTDIR%/nxlog_public.pem
> > HTTPSCertKeyFile %CERTDIR%/nxlog_private.pem
> > HTTPSKeyPass SomePassword
> >
> > but keep getting
> >
> > "ERROR SSL error, couldn't read cert, no start line,"
> >
> > from NXLog. As I understand it that's usually because the files don't
> > contain the headers... my public.pem file starts with
> >
> > -----BEGIN PUBLIC KEY-----
> >
> > and the private one starts with
> >
> > -----BEGIN RSA PRIVATE KEY-----
> > Proc-Type: 4,ENCRYPTED
> > DEK-Info: AES-128-CBC,CFB59AFB65500A0CADDE277967C37DF8
> >
> >
> > am I missing something obvious here? Thanks,
> >
> >
> > On 12 September 2013 14:01, Botond Botyanszki <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > HTTPSCertFile and HTTPSCertKeyFile are files you need to generate for your
> > > nxlog client.
> > > HTTPSCAFile is the CA certificate of the remote peer.
> > >
> > > Regards,
> > > Botond
> > >
> > >
> > > On Thu, 12 Sep 2013 12:00:08 +0100
> > > James Crowley <[email protected]> wrote:
> > >
> > > > I'm probably failing at a very basic level here, but can anyone explain how
> > > > to get the three keys that seem to be needed for om_http to post to a
> > > > public HTTPS endpoint?
> > > >
> > > > https://collectors.sumologic.com/ is the endpoint we're trying to hit. I
> > > > can extract the key for the main SSL site. And the CA key (though I'm not
> > > > clear where in the hierarchy this should be).
> > > >
> > > > HTTPSCertFile %CERTDIR%/client-cert.pem
> > > > HTTPSCertKeyFile %CERTDIR%/client-key.pem
> > > > HTTPSCAFile %CERTDIR%/ca.pem
> > > >
> > > >
> > > > but that still leaves the CertKeyFile and to be honest I don't know enough
> > > > about how HTTPS/SSL handshakes work to figure out how I get these?
> > > >
> > > > Many thanks
> > > >
> > > > James
> > >
> > >
> > >
> > > _______________________________________________
> > > nxlog-ce-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
> > >
> >
> >
> >
> > --
> >
> > ---
> > James Crowley
> > CTO, FundApps - a new generation in financial services software -
> > http://www.fundapps.co/
> > Founder, developerFusion - the global developer community -
> > http://www.developerfusion.com/
> >
> > linkedin: http://linkedin.com/in/jamescrowley
> > twitter: http://twitter.com/jamescrowley
>
>
>
--
---
James Crowley
CTO, FundApps - a new generation in financial services software -
http://www.fundapps.co/
Founder, developerFusion - the global developer community -
http://www.developerfusion.com/
linkedin: http://linkedin.com/in/jamescrowley
twitter: http://twitter.com/jamescrowley
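
Added example, not part of the original thread or of nxlog: the "no start line" error quoted above appears when the file given as a certificate carries a different PEM label, as with the "BEGIN PUBLIC KEY" file. This script compares each file's PEM label with what the om_http directive it is assigned to expects; the helper names, the file names and the PEM bodies are constructed for illustration, and accepting only labels ending in CERTIFICATE or PRIVATE KEY is a simplifying assumption.

```shell
#!/bin/sh
# Added example, not from the thread; PEM bodies are constructed placeholders.

# Label of the first PEM block in a file, e.g. "CERTIFICATE".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_role DIRECTIVE FILE: print a verdict; return 0 only if the label fits.
check_role() {
    label=$(pem_label "$2")
    case "$1" in
        HTTPSCertFile|HTTPSCAFile) want="CERTIFICATE" ;;
        HTTPSCertKeyFile)          want="PRIVATE KEY" ;;
        *) echo "$1: unknown directive"; return 2 ;;
    esac
    [ -n "$label" ] || { echo "$1: no PEM start line"; return 1; }
    case "$label" in
        "$want"|*" $want") ;;   # also "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"
        *) echo "$1: found '$label', need $want"; return 1 ;;
    esac
    note=""
    # Encrypted keys: PKCS#8 label, or the traditional Proc-Type header.
    if [ "$want" = "PRIVATE KEY" ] && { [ "$label" = "ENCRYPTED PRIVATE KEY" ] ||
         grep -q '^Proc-Type: 4,ENCRYPTED' "$2"; }; then
        note=", encrypted: HTTPSKeyPass required"
    fi
    echo "$1: ok ($label$note)"
}

# write_pem FILE LABEL [HEADER]: constructed sample file with a dummy body.
write_pem() {
    { printf '%s\n' "-----BEGIN $2-----"
      [ -z "$3" ] || printf '%s\n\n' "$3"
      printf '%s\n' "Q09OU1RSVUNURUQ=" "-----END $2-----"; } > "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    write_pem "$d/nxlog_public.pem"  "PUBLIC KEY"
    write_pem "$d/nxlog_private.pem" "RSA PRIVATE KEY" "Proc-Type: 4,ENCRYPTED"
    write_pem "$d/nxlog_cert.pem"    "CERTIFICATE"
    check_role HTTPSCertFile    "$d/nxlog_public.pem" || :  # the genrsa/-pubout setup
    check_role HTTPSCertFile    "$d/nxlog_cert.pem"
    check_role HTTPSCertKeyFile "$d/nxlog_private.pem"
    rm -rf "$d"
}
demo
```

The check reads only the PEM armor lines; it does not parse the certificate or verify any chain.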