I am trying, on my (central) rsyslog server, to set up a certificate authority (CA) and the certificates for the clients.
I follow the steps from the following very interesting and useful documentation pages:
* https://www.rsyslog.com/doc/master/tutorials/tls_cert_ca.html
* https://www.rsyslog.com/doc/master/tutorials/tls_cert_machine.html
* https://www.rsyslog.com/doc/master/tutorials/tls_cert_server.html
but unfortunately I do not get the expected result.
For some reason the (self-signed) CA certificate is not accepted by rsyslog.
## Server
The logs as I generated them:
```
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
```
```logs
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name:
UID:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6938417459922577638):
Activation/Expiration time.
The certificate will expire in (days): 1000
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 604a35eb220da8e6
Validity:
Not Before: Thu Mar 11 15:23:24 UTC 2021
Not After: Wed Dec 06 15:23:28 UTC 2023
Subject:
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
00:da:ae:33:95:48:8b:9d:27:4d:d6:80:a6:2d:c0:40
3c:7d:6a:c6:64:c2:e2:23:f9:42:e1:2d:32:56:d3:ba
[ ...... ]
2f:68:d2:d9:73:a1:31:09:d6:05:18:ed:20:06:45:8b
9b
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Subject Alternative Name (not critical):
RFC822Name:
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
7b34103e9dc02d497d78c303fc547f78d6f6318d
Other Information:
Public Key ID:
7b34103e9dc02d497d78c303fc547f78d6f6318d
Public key's random art:
+--[ RSA 2048]----+
| o+=.+ .. |
[ ... ]
+-----------------+
Is the above information ok? (y/N): y
Signing certificate...
```
```
chmod 400 ca-key.pem
```
## Client
```
certtool --generate-privkey --outfile key.pem
```
```
certtool --generate-request --load-privkey key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Common name:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this a TLS web server certificate? (y/N): y
```
```
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 6938404153755168037):
Activation/Expiration time.
The certificate will expire in (days): 1000
Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used to sign other certificates? (y/N):
Will the certificate be used to sign CRLs? (y/N):
[...]
Is the above information ok? (y/N): y
Signing certificate...
```
After that I configure my (central) rsyslog to read the certificates:
/etc/rsyslog.conf:
```
$DefaultNetstreamDriverCAFile /root/rsyslog-server/ca.pem
$DefaultNetstreamDriverCertFile /root/rsyslog-server/cert.pem
$DefaultNetstreamDriverKeyFile /root/rsyslog-server/key.pem
```
```
rsyslogd -N1
rsyslogd: version 8.24.0-57.el7_9, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
```
```
# systemctl status rsyslog -l
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-03-11 17:26:01 EET; 2s ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 6693 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─6693 /usr/sbin/rsyslogd -n
Mar 11 17:26:01 testVM systemd[1]: Starting System Logging Service...
Mar 11 17:26:01 testVM rsyslogd[6693]: [origin software="rsyslogd" swVersion="8.24.0-57.el7_9" x-pid="6693" x-info="http://www.rsyslog.com"] start
Mar 11 17:26:01 testVM rsyslogd[6693]: error reading certificate file '/root/rsyslog-server/ca.pem' - a common cause is that the file does not exist [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2078 ]
Mar 11 17:26:01 testVM rsyslogd[6693]: could not load module '/usr/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078 [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2068 ]
Mar 11 17:26:01 testVM systemd[1]: Started System Logging Service.
Mar 11 17:26:01 testVM rsyslogd[6693]: tcpsrv could not create listener (inputname: 'imtcp') [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2068 ]
Mar 11 17:26:01 testVM rsyslogd[6693]: activation of module imtcp failed [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2068 ]
```
```
ls -alh /root/rsyslog-server/ca.pem
-rw-r--r--. 1 root root 1.5K Mar 11 17:24 /root/rsyslog-server/ca.pem
```
I do not understand why this is happening. I cannot find the problem.
Where is the problem?
I want to create a pair of certificates for all my machines (not separately for each machine).
These machines may have completely different domain names but I want all of them to send their logs with the same certificate (for convenience) to a central rsyslog machine.
* Central rsyslog VM OS: CentOS 7
Thanks in advance.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
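The following is an added example and is not part of the post above nor of the rsyslog or GnuTLS projects. It redoes the certtool procedure from the post non-interactively, with template files, because two things in the interactive transcript are worth pinning down deliberately rather than by answering prompts: in the signing step the client certificate was marked "Does the certificate belong to an authority? (y/N): y", so the resulting leaf certificate carries CA:TRUE, and no Common Name or dnsName was entered, so rsyslog's `x509/name` authentication mode would have nothing to match a `PermittedPeer` against. The names (`Example log CA`, `logs.example.com`), the output paths and the `check_leaf` helper are assumptions made for this example. It requires `certtool` from GnuTLS; the rsyslog configuration itself is unchanged from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive certtool
# workflow: CA template (CA:TRUE, cert signing only) and a leaf template
# (no "ca" line, TLS usage, explicit dns_name) for a machine certificate.
# All names and paths below are assumptions for illustration.
set -eu

# CA template: authority flag plus certificate/CRL signing only.
write_ca_template() {
    # $1 = output template file
    cat >"$1" <<'EOF'
# assumed CA name
cn = "Example log CA"
organization = "Example Org"
serial = 1
expiration_days = 1000
ca
cert_signing_key
crl_signing_key
EOF
}

# Leaf template: deliberately NO "ca" line. rsyslog's x509/name auth mode
# matches PermittedPeer against the dns_name / cn values, so every name a
# peer will be checked by must appear here.
write_leaf_template() {
    # $1 = output file, $2 = cn, remaining args = dns_name entries
    _out="$1"; _cn="$2"; shift 2
    {
        printf 'cn = "%s"\n' "$_cn"
        printf 'expiration_days = 1000\n'
        printf 'tls_www_client\ntls_www_server\nsigning_key\nencryption_key\n'
        for _n in "$@"; do printf 'dns_name = "%s"\n' "$_n"; done
    } >"$_out"
}

# Build a CA and one machine certificate (assumed name logs.example.com) in $1.
generate_pki() {
    _d="$1"; mkdir -p "$_d"
    write_ca_template "$_d/ca.tmpl"
    write_leaf_template "$_d/server.tmpl" "logs.example.com" "logs.example.com"
    # CA key and self-signed CA certificate
    certtool --generate-privkey --outfile "$_d/ca-key.pem" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$_d/ca-key.pem" \
        --template "$_d/ca.tmpl" --outfile "$_d/ca.pem" 2>/dev/null
    chmod 400 "$_d/ca-key.pem"
    # machine key, request, and CA-signed certificate
    certtool --generate-privkey --outfile "$_d/server-key.pem" 2>/dev/null
    chmod 400 "$_d/server-key.pem"
    certtool --generate-request --load-privkey "$_d/server-key.pem" \
        --template "$_d/server.tmpl" --outfile "$_d/server-req.pem" 2>/dev/null
    certtool --generate-certificate --load-request "$_d/server-req.pem" \
        --load-ca-certificate "$_d/ca.pem" --load-ca-privkey "$_d/ca-key.pem" \
        --template "$_d/server.tmpl" --outfile "$_d/server-cert.pem" 2>/dev/null
}

# Returns 0 only if the leaf verifies against the CA and is not itself a CA
# (the transcript above produced a leaf with CA:TRUE; this catches that).
check_leaf() {
    _d="$1"
    certtool --verify --load-ca-certificate "$_d/ca.pem" \
        --infile "$_d/server-cert.pem" >/dev/null 2>&1 || return 1
    if certtool --certificate-info --infile "$_d/server-cert.pem" 2>/dev/null \
        | grep -q 'Certificate Authority (CA): TRUE'; then
        return 1
    fi
    return 0
}

# Stand-alone use: sh mkpki.sh /path/to/outdir   (needs certtool installed)
if [ $# -eq 1 ] && command -v certtool >/dev/null 2>&1; then
    generate_pki "$1" && check_leaf "$1" && echo "PKI in $1 verified"
fi
```

Two practitioner notes. First, `rsyslogd -N1` validates syntax only; the certificate files are opened when the `imtcp` listener is created at runtime, which is why the validation run is clean while the service logs "error reading certificate file". On CentOS 7 with SELinux enforcing, one common reason for that message on a file that exists and is mode 644 is that rsyslogd runs as `syslogd_t` and is not allowed to read files under `/root` (labelled `admin_home_t`); `ausearch -m avc -ts recent` shows the denial, and keeping the files under a certificate directory such as `/etc/pki/rsyslog/` (labelled `cert_t` by the default policy) followed by `restorecon -Rv` on it avoids the problem. Whether that is the cause here is an assumption; the post does not show the audit log. Second, sharing one key and certificate across every client is a trade-off: any one compromised client can then impersonate every other sender, and `x509/name` can only distinguish peers by the names in the certificate, so with a shared certificate the server is effectively limited to `x509/certvalid`-style "any holder of this key" authentication.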