Trying to configure GitHub - duosecurity/duo_log_sync to pull logs out of Duo to our non-splunk SIEM. I would like to use the TCPSSL protocol, but can’t figure out what the “cert_filepath” directive should point to. The docs say:
# Location of the certificate file used for encrypting communication for
# TCPSSL. TCPSSL expects that there are .key and .cert files that store keys. For configuration,
# give path of .cert/.pem file that has keys
# REQUIRED only if protocol is TCPSSL
Usually I don’t see keys and certs stored in the same file. What is the service expecting here? I have tried supplying the server certificate for our SIEM, but that didn’t work.
Reading through the config template it seems like it should be the cert used to establish the SSL connection to your SIEM. Is your SIEM’s cert self-signed? If not, try providing the full CA chain’s certs in PEM format in the cert file (append multiple cert entries into a single .cert/.pem file).
We have a little certificate verification tool that might help. If you run acert against your SIEM host’s port 636, it will spit out the CA chain in PEM format. You could try copying the cert info from acert’s output into the file you specify for cert_filepath to eliminate any possible issue with exporting the chain.
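Before pointing cert_filepath at the assembled file, it helps to confirm it really is a certificate-only PEM chain (no stray private key, nothing that fails to decode). The checker below is an added example, not part of duo_log_sync or the acert tool; the sample bundle it inspects is constructed, with placeholder DER bodies rather than real certificates.

```python
import base64
import re

# Constructed sample of what a cert_filepath bundle might look like: two
# CERTIFICATE blocks followed by a PRIVATE KEY block that does not belong in
# a CA chain. The base64 bodies are tiny DER placeholders, not real certs.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def inspect_pem_bundle(text):
    """Summarise a PEM file destined for cert_filepath.

    Returns a dict with the number of CERTIFICATE blocks, the number of key
    blocks, and a list of warnings to resolve before pointing duo_log_sync
    at the file.
    """
    certs, keys, warnings = 0, 0, []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            warnings.append(f"{label} block has a corrupt base64 body")
            continue
        if not der or der[0] != 0x30:   # DER objects start with a SEQUENCE tag
            warnings.append(f"{label} block does not decode to DER")
        if label == "CERTIFICATE":
            certs += 1
        elif "PRIVATE KEY" in label:
            keys += 1
            warnings.append("private key found; a CA chain for verifying "
                            "the SIEM needs only certificates")
        else:
            warnings.append(f"unexpected block type {label}")
    if certs == 0:
        warnings.append("no CERTIFICATE blocks found")
    return {"certificates": certs, "keys": keys, "warnings": warnings}


if __name__ == "__main__":
    print(inspect_pem_bundle(SAMPLE_BUNDLE))
```

Run it with the contents of your own cert_filepath in place of SAMPLE_BUNDLE; a clean chain reports one certificate per CA in the chain and no warnings.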