Simplifying CA handling in syslog-ng TLS connections

When talking to users about the TLS-encrypted message transfer, almost everyone immediately complains about configuring a certificate authority (CA) in syslog-ng. You needed to create a hash and create a symbolic link to the CA file based on the hash. Not anymore. While this old method is still available, there is now a much easier way: the new ca-file() option.

Before you begin

To be able to use the new ca-file() option, you need syslog-ng 3.27 or later. Some distros already have it in their official repositories, others carry older versions. For some of the most popular Linux distributions, you can use 3rd party repositories to install an up-to-date syslog-ng. Check for details.

TLS encryption, and thus the ca-dir() option, were added to syslog-ng even before I joined Balabit, so well over a decade ago. On the other hand, it took another few years before syslog-ng was compiled with TLS support by default. If you recall the good old times: syslog-ng was in /sbin while openssl was installed under /usr, which for historic reasons could reside on a different partition. This restriction was lifted in distros, and soon after openssl became a mandatory dependency, around syslog-ng 3.8. To make a long story short, TLS and the old ca-dir() method might work with syslog-ng version 3.0+ and are definitely available in syslog-ng 3.8+.

Using ca-dir()

The old way of referring to a CA file from the syslog-ng configuration was the ca-dir() option. In this case, you did not refer to the file containing the CA certificate directly, but rather to the directory containing it. And referring to the directory was not enough. As mentioned earlier, you needed to compute a hash of the CA certificate and create a symbolic link to the CA file named after that hash. If the file was called /etc/syslog-ng/ca.d/cacert.pem, then the following commands were necessary:

# cd /etc/syslog-ng/ca.d/
# openssl x509 -noout -hash -in cacert.pem
# ln -s cacert.pem 2704bf71.0

Note that the hash differs for each CA certificate (it is derived from the certificate's subject name, which is what the openssl command prints), and when you create the link, you need to append .0 to the hash to form the link name.

While it is well documented and not terribly difficult, still it led to many problems and confusion.

Using ca-file()

Starting with syslog-ng version 3.27, you can use the ca-file() option for the TLS connections instead of ca-dir(). In this case, you need to provide the full path to the CA file instead of the directory.
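The following configuration fragment is an added example, not from the original post: it shows the same client destination written once with the old ca-dir() option and once with the new ca-file() option, plus a server-side source using ca-file(). The hostname, port and the server certificate and key paths are assumptions; the CA file is the /etc/syslog-ng/ca.d/cacert.pem used above.

```conf
# Added example, not from the original post. Hostname, port and the
# server key/cert paths are assumptions; the CA file path matches the one
# used earlier in this post.

# Old style (syslog-ng 3.0+): ca-dir() points at the directory, which must
# contain the <subject-hash>.0 symbolic link created with openssl and ln.
# If the link is missing or named after the wrong hash, peer verification
# fails and the connection is rejected.
destination d_tls_old {
    network("logserver.example.com" port(6514)
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# New style (syslog-ng 3.27+): ca-file() names the CA certificate directly;
# no hash and no symbolic link are needed.
destination d_tls_new {
    network("logserver.example.com" port(6514)
        transport("tls")
        tls(
            ca-file("/etc/syslog-ng/ca.d/cacert.pem")
            peer-verify(required-trusted)
        )
    );
};

# Server side: ca-file() works the same way on a source, next to the
# server's own certificate and key (paths are assumptions). With
# peer-verify(required-trusted) the server only accepts clients whose
# certificate chains to this CA.
source s_tls {
    network(ip(0.0.0.0) port(6514)
        transport("tls")
        tls(
            ca-file("/etc/syslog-ng/ca.d/cacert.pem")
            key-file("/etc/syslog-ng/cert.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            peer-verify(required-trusted)
        )
    );
};

source s_sys { system(); internal(); };

log { source(s_sys); destination(d_tls_new); };
```

Before restarting syslog-ng, run syslog-ng --syntax-only to catch mistakes in the fragment; on a 3.26 or older installation the parser will reject the ca-file() option, which is the quickest way to find out that you still need ca-dir() on that host. In both forms, peer-verify(required-trusted) is what makes the CA matter: it tells syslog-ng to drop the connection unless the peer presents a certificate that chains to the configured CA.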


And you are done, no other external commands are necessary.

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at On Twitter, I am available as @PCzanik.
