Rsyslog - TLS with multiple certificate chains
Hi there,

We've issued a TLS certificate from our internal standalone PKI and
configured it and the corresponding certificate chain to use syslog-TLS
with rsyslog.

Everything works fine so far. We are receiving TLS-encrypted syslog from
devices which are capable of sending via encrypted syslog.

Now we have a new requirement.

We have a certain client device we want to connect to our rsyslog, but
this device has a certificate from a public PKI. We cannot change the
certificate on the client side because the certificate there is needed
for other purposes.

We have to adapt on the receiver side.
I've tried to put all certificates in the same CA file for
"DefaultNetstreamDriverCAFile", but rsyslog seems to pick just one of
them to present to the client.

I keep getting the error "not permitted to talk to peer, certificate
invalid: signer not found" in the rsyslog log.

Is it even possible to have multiple certificate chains or is just one
chain supported?

Kind regards

R. Moeller

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Rsyslog - TLS with multiple certificate chains
DefaultNetstreamDriverCAFile should contain just a single CA as far as I
remember.

With a sufficiently new version of rsyslog you should be able to set the
streamDriver.CAFile parameter (I assume you're talking about the imtcp
module; for imrelp there is an equivalent parameter).

On 23.05.2023 16:39, rsyslog--- via rsyslog wrote:
> Hi there,
>
> We've issued a TLS certificate from our internal standalone PKI and
> configured it and the corresponding certificate chain to use
> syslog-TLS with rsyslog.
>
> Everything works fine so far. We are receiving TLS-encrypted syslog from
> devices which are capable of sending via encrypted syslog.
>
> Now we have a new requirement.
>
> We have a certain client device we want to connect to our rsyslog, but
> this device has a certificate from a public PKI. We cannot change the
> certificate on the client side because the certificate there is needed
> for other purposes.
>
> We have to adapt on the receiver side.
> I've tried to put all certificates in the same CA file for
> "DefaultNetstreamDriverCAFile", but rsyslog seems to pick just one of
> them to present to the client.
>
> I keep getting the error "not permitted to talk to peer, certificate
> invalid: signer not found" in the rsyslog log.
>
> Is it even possible to have multiple certificate chains or is just one
> chain supported?
>
> Kind regards
>
> R. Moeller
>