Support Forum
solo1
New Contributor III

SSL encrypted syslog from Fortigate 40F to Syslog Server gives error: Unknown CA

Certificate

 

I am trying to send syslog from my Fortigate 40F firewall to a Syslog Server with SSL encryption but I get error "Unknown CA".

 

Certificate Generation

I have generated a root certificate and a server certificate following the guide found here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Send-Syslog-over-TLS-to-a-rsyslog-server/t...

 

[screenshot: xca.png]

I uploaded the certificates to Fortigate Firewall Certificates:

[screenshot: certificates.png]

 

 

Then I have the following settings on my Firewall:

acdc-fortigate # config log syslogd setting
acdc-fortigate (setting) # show
config log syslogd setting
    set status enable
    set server "34.10.1.5"
    set mode reliable
    set port 6514
    set enc-algorithm high
    set certificate "syslog-servercert"
end


On my collector server where I run LimaCharlie Adapter I get the following error:

 

Jul 09 10:57:30 dev-collector[32395]: FLO Jul 9 10:57:30: last_ack=Jul 9 10:54:10 last_pressure=Jul 9 10:54:10
Jul 09 10:57:33 dev-collector[32395]: DBG Jul 9 10:57:33: handling new connection from 38.10.23.18:49874
Jul 09 10:57:33 dev-collector[32395]: WRN Jul 9 10:57:33: conn.Read(): remote error: tls: unknown certificate authority
Jul 09 10:57:33 dev-collector[32395]: DBG Jul 9 10:57:33: connection from 38.10.23.18:49874 leaving

 

This is confirmed from Wireshark TC dump on server:

 

  • TLSv1.2 73 Alert (Level: Fatal, Description: Unknown CA)

[screenshot: wireshark.png]

 

Summary

My suggestion is that there is something wrong with the certificate I have generated by following the tutorial https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/320832/creating-certificates...

Anyone have any suggestion on how to fix this issue?

smaruvala
Staff

Hi,

 

- What is the SNI value which the firewall is sending in the client hello packet?

- What is the server cert which you are getting as per the server hello and the CA which signed the certificate?

 

You may have to expand the capture and show the details of the client hello and certificate.

 

Regards,

Shiva

solo1
New Contributor III

What is the SNI value which the firewall is sending in the client hello packet?

There is no SNI value ssl.handshake.extensions_server_name in the client hello.

[screenshot: client hello.png]

 

What is the server cert which you are getting as per the server hello and the CA which signed the certificate?

From Server Hello I see that I get the 'ACD_FGT' certificate.

 

[screenshot: server hello.png]

smaruvala

Hi,

 

Can you please expand the issuer field as well?

 

Regards,

Shiva

solo1
New Contributor III

Issuer field from server hello

[screenshot: issuer.png]

smaruvala

Hi, 

 

Is A_CA an intermediate CA? I can see that there is a difference in common name. You can export the packet bytes of the capture, save it as a .crt file, open it and verify the certificate. Please check if "X509v3 Basic Constraints:" is marked as "CA:TRUE".

 

Regards,

Shiva

pminarik

The screenshot is confusing.

rdnSequence says the issuer's CN is "A_CA"
the individual entry shows the CN is "ADVANIACDC_CA"

 

Can you download that cert and confirm which is it? (it can't be both, that's too weird).

Right-click the "Certificate [truncated]" line -> Export Packet bytes -> save this somewhere as a file with a .cer extension, then open and inspect it as usual.

[ corrections always welcome ]
binolmi
New Contributor

the same as UDP syslog in that logstash/syslog sees it as one big line for numerous log entries. I have logstash writing it to a log file and I do see data so its being encrypted, but if you tail just one line of the log file, it runs
