Can't get TLS to work

Everything related with getting rsyslog up and running (but not beyond that point ;))

Moderator: rgerhards

Re: Can't get TLS to work

Post by rgerhards on Fri Jun 20, 2008 9:41 am

I have done a bit of debugging in GnuTLS. It looks like the "path name constraint" cannot be found in the certificate. Please regenerate the CA cert (http://www.rsyslog.com/doc-tls_cert_ca.html) and answer -1 to the path name constraint question. Tell me if that changes anything. I am still a bit puzzled why my certs work, if that's really the culprit...
rgerhards
Site Admin
 
Posts: 1493
Joined: Thu Feb 13, 2003 11:57 am

Re: Can't get TLS to work

Post by rgerhards on Fri Jun 20, 2008 10:16 am

Disregard my previous message. I don't think it has anything to do with the problem. A signature cannot be correctly verified. I once again tried to generate certificates that do not work, but to no avail. Whenever I generate them, they work. {for all others: I received screenshots via private mail of how the failing certs were generated - nothing special with that...}.

I now stand by and see if the GnuTLS guys bring up something...

Rainer
rgerhards
Site Admin
 
Posts: 1493
Joined: Thu Feb 13, 2003 11:57 am

Re: Can't get TLS to work

Post by abefroman on Fri Jun 20, 2008 1:33 pm

rgerhards wrote: Disregard my previous message.
Rainer


I tried it anyways, and yes it gives the same error.

And that's definitely weird considering that certtool --certificate-info is able to pull all the info from the cert.

Let's hope the gnutls guys have seen this problem before.
abefroman
Advanced
 
Posts: 34
Joined: Thu Jun 05, 2008 6:14 pm

Re: Can't get TLS to work

Post by mixtli on Mon Jun 23, 2008 8:04 pm

Hello,
FYI, I managed to get messages traversing syslog via TLS by carefully following your newest documents. Thank you so much for your help!

I'm seeing a couple of minor oddities, but I'll look into them myself before posting back here. The next step is to try to generate the certs with openssl since it seems easier to automate cert generation. Foresee any issues with that?

Thanks again. This is going to help me a lot.
mixtli
New
 
Posts: 7
Joined: Sun Jun 15, 2008 2:59 am

Re: Can't get TLS to work

Post by rgerhards on Tue Jun 24, 2008 7:45 am

Please keep me posted whenever there is something unclear. After all, the TLS code is quite new and I am now focussed on stabilizing it. Please also have a look at this bug report:

http://bugzilla.adiscon.com/show_bug.cgi?id=83

On openssl, I think that should work. In fact, I was thinking about suggesting to use openssl in those cases where we still have trouble with GnuTLS. However, I do not have clear instructions. I'd appreciate if you could post your commands in case you create the certs with openssl.

I am also thinking about adding a few utilities to create certificates. But I am a bit hesitant, because I think I will mostly end up with what you can do with the standard tools in any case... Thoughts on this issue would be appreciated.

Rainer
rgerhards
Site Admin
 
Posts: 1493
Joined: Thu Feb 13, 2003 11:57 am

Re: Can't get TLS to work

Post by rgerhards on Tue Jul 01, 2008 2:52 pm

Just an update: the problem discussed above was solved via private mail. Thanks to the GnuTLS folks for jumping in. The actual cause was the use of an invalid private key while signing the machine certificate. This has been corrected and all works well now.
rgerhards
Site Admin
 
Posts: 1493
Joined: Thu Feb 13, 2003 11:57 am
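
A pre-deployment check for the failure that closed this thread, as an added example that is not part of the original posts or of the rsyslog documentation. It assumes "invalid private key" means the machine certificate was signed with a key that does not belong to the CA certificate the peers load; all file and subject names are constructed, and it uses the openssl command line mentioned in the thread rather than certtool.

```shell
#!/bin/sh
# Added example: every file name and subject name here is constructed.

# make_ca DIR: self-signed CA (key + cert) with a fixed subject name.
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example syslog CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert CA_DIR PREFIX: new machine key plus a certificate signed by CA_DIR.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=machine.example.net" \
        -keyout "$2-key.pem" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -out "$2-cert.pem" 2>/dev/null
}

# signed_by_ca CA_CERT CERT: succeeds only if CERT verifies against the
# CA certificate that the syslog peers will actually load.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds only if KEY is the private key of CERT.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) &&
    [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

demo() {
    d=$(mktemp -d) || return 1
    # Two CAs with the same subject name but different keys.
    make_ca "$d/real" && make_ca "$d/wrong" || return 1
    issue_cert "$d/real" "$d/good" && issue_cert "$d/wrong" "$d/bad" || return 1
    for c in good bad; do
        if signed_by_ca "$d/real/ca.pem" "$d/$c-cert.pem"; then s=OK; else s=FAIL; fi
        if key_matches_cert "$d/$c-key.pem" "$d/$c-cert.pem"; then k=OK; else k=FAIL; fi
        echo "$c: signature=$s key-match=$k"
    done
    rm -rf "$d"
}
demo
```

The "bad" certificate still parses and matches its own machine key, so only the verification against the deployed CA certificate exposes the problem.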
