Mailing List Archive

rsyslogd: error adding our certificate. GnuTLS error -64.
Hi,
I am trying to set up rsyslog with a TLS connection to a remote server.

I am able to run the rsyslog server with TLS successfully.
But on the rsyslog client side I am getting certificate loading errors.

Here are the configuration and log details:
Rsyslog server configuration:
administrator@ubuntu-2:~$ cat /etc/rsyslog.d/logserver.conf
$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog/rslserver-key.pem

$ModLoad imtcp

$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-client-ip.in.oracle.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

$InputTCPServerRun 10514

# Increase the amount of open files rsyslog is allowed, which includes open tcp sockets
# This is important if there are many clients.
# http://www.rsyslog.com/doc/rsconf1_maxopenfiles.html
$MaxOpenFiles 2048
administrator@ubuntu-2:~$

Rsyslog client configuration:
administrator@ubutnu:~/rsyslog-certificates$ cat /etc/rsyslog.d/log-client.conf

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog/rslclient-key.pem

$ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-remote-ip.in.oracle.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name

*.* @@<remote-ip>:10514
administrator@ubuntu:~/rsyslog-certificates$

Getting error logs on the client side.
/var/log/rsyslog

May 18 13:14:52 Ubuntu rsyslogd: rsyslogd's groupid changed to 104
May 18 13:14:52 Ubuntu rsyslogd: rsyslogd's userid changed to 101
May 18 13:14:52 Ubuntu rsyslogd: [origin software="rsyslogd" swVersion="8.2206.0.c74f5c8523ef" x-pid="8898" x-info="https://www.rsyslog.com"] start
May 18 13:14:54 Ubuntu rsyslogd: error reading file - a common cause is that the file does not exist [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]
May 18 13:14:54 Ubuntu rsyslogd: error adding our certificate. GnuTLS error -64, message: 'Error while reading file.', key: '/etc/rsyslog/rslclient-key.pem', cert: '/etc/rsyslog/rslclient-cert.pem' [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]
May 18 13:14:54 Ubuntu rsyslogd: action 'action-11-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2007 ]
May 18 13:14:55 Ubuntu rsyslogd: error reading file - a common cause is that the file does not exist [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]
May 18 13:14:55 Ubuntu rsyslogd: error adding our certificate. GnuTLS error -64, message: 'Error while reading file.', key: '/etc/rsyslog/rslclient-key.pem', cert: '/etc/rsyslog/rslclient-cert.pem' [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]
May 18 13:14:55 Ubuntu rsyslogd: action 'action-11-builtin:omfwd' suspended (module 'builtin:omfwd'), next retry is Wed May 18 13:15:25 2022, retry nbr 0. There should be messages before this one giving the reason for suspension. [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2007 ]
May 18 13:15:00 Ubuntu rsyslogd: error reading file - a common cause is that the file does not exist [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]
May 18 13:15:00 Ubuntu rsyslogd: error adding our certificate. GnuTLS error -64, message: 'Error while reading file.', key: '/etc/rsyslog/rslclient-key.pem', cert: '/etc/rsyslog/rslclient-cert.pem' [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]
May 18 13:15:00 Ubuntu rsyslogd: action 'action-11-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 1. There should be messages before this one giving the reason for suspension. [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2007 ]
May 18 13:15:05 Ubuntu rsyslogd: error reading file - a common cause is that the file does not exist [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]
May 18 13:15:05 Ubuntu rsyslogd: error adding our certificate. GnuTLS error -64, message: 'Error while reading file.', key: '/etc/rsyslog/rslclient-key.pem', cert: '/etc/rsyslog/rslclient-cert.pem' [v8.2206.0.c74f5c8523ef try https://www.rsyslog.com/e/2078 ]


Please help me fix this issue if I missed anything.

Thanks and Regards,
Sachin
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
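An added check, not from this thread or the rsyslog project, for the cause that GnuTLS -64 "Error while reading file." most often hides: the log above shows rsyslogd dropping to uid 101 / gid 104 right after start, and a key file that root can read is still unreadable if that unprivileged user lacks permission on the file or on its directory. The script emulates the kernel's mode-bit check for a named user without needing root; it assumes GNU or busybox `stat` and `id`, and the runtime user name "syslog" in the usage comment is an assumption for Ubuntu.

```shell
#!/bin/sh
# Added example (not from the thread or the rsyslog project): check that the
# unprivileged user rsyslogd drops to can read the TLS files named in the
# client config, judged by mode bits on the file and its parent directory.
# Assumes GNU/busybox stat and id; "syslog" is an assumed runtime user name.

# readable_by USER FILE -> 0 if USER can read FILE (and search its directory).
readable_by() {
    user=$1; file=$2
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    uid=$(id -u "$user" 2>/dev/null) || { echo "NO USER  $user"; return 1; }
    groups=$(id -G "$user")
    for path in "$(dirname "$file")" "$file"; do
        set -- $(stat -c '%u %g %a' "$path")   # owner uid, group gid, octal mode
        m=$((0$3))                              # parse the octal mode string
        # need r (4) on the file itself, x (1) on the directory
        if [ "$path" = "$file" ]; then want=4; else want=1; fi
        if [ "$1" -eq "$uid" ]; then
            bits=$(( (m >> 6) & 7 ))            # owner triplet
        elif echo " $groups " | grep -q " $2 "; then
            bits=$(( (m >> 3) & 7 ))            # group triplet
        else
            bits=$(( m & 7 ))                   # other triplet
        fi
        if [ $(( bits & want )) -eq 0 ]; then
            echo "DENIED   $path (uid $1 gid $2 mode $3) for $user"
            return 1
        fi
    done
    echo "OK       $file readable by $user"
}

# check_tls_files USER FILE... -> 0 only if every file passes.
check_tls_files() {
    user=$1; shift; rc=0
    for f in "$@"; do readable_by "$user" "$f" || rc=1; done
    return $rc
}

# Usage (paths from the client config above, runtime user assumed):
#   sh tlscheck.sh syslog /etc/rsyslog/ca.pem \
#       /etc/rsyslog/rslclient-cert.pem /etc/rsyslog/rslclient-key.pem
if [ $# -gt 0 ]; then check_tls_files "$@"; fi
```

A DENIED line names the exact path and mode to fix; the usual remedy is to give the key file a group the rsyslog runtime user belongs to with mode 0640 rather than making it world-readable.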
Re: rsyslogd: error adding our certificate. GnuTLS error -64.
Unfortunately, this is all we know. GnuTLS is notoriously bad in
reporting the actual trouble cause.

I suggest switching to the openssl (ossl) driver, which provides much
better error reporting. It usually is included in its own package
(e.g. rsyslog-ossl or rsyslog-openssl).

HTH
Rainer

On Wed, 18 May 2022 at 10:40, sachin sachu via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Hi,
> I am trying to set up rsyslog with a TLS connection to a remote server.
>
> I am able to run the rsyslog server with TLS successfully.
> But on the rsyslog client side I am getting certificate loading errors.