TLS errors with rsyslog
Hi,

I am getting the below error messages on my rsyslog server.

verify error:num=20:unable to get local issuer certificate

verify error:num=21:unable to verify the first certificate

TLS connection doesn't appear to be working from client -> rsyslog server on 6514.

Looks like a TLS handshake issue, and maybe unable to establish an encrypted channel.

Questions:

1. Is there any way to disable it for testing? I can send unencrypted UDP/TCP OK between client and server.

2. Does the client need a cert? My understanding is it only needs the CA cert?

Any help appreciated.

Thanks,
Andrew
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: TLS errors with rsyslog
You cannot do both encrypted and unencrypted traffic on the same port; you have
to pick which you use. If you try to do a health check to that port, you will
either get an error like you are describing, or you will need to do the check
via TLS.

Depending on how you have rsyslog configured, it may or may not require a client
cert.

David Lang


On Thu, 6 Jul 2023, Andrew Cowan via rsyslog wrote:

> Hi,
>
> I am getting the below error messages on my rsyslog server.
>
> verify error:num=20:unable to get local issuer certificate
>
> verify error:num=21:unable to verify the first certificate
>
> TLS connection doesn't appear to be working from client -> rsyslog server on 6514.
>
> Looks like a TLS handshake issue, and maybe unable to establish an encrypted channel.
>
> Questions:
>
> 1. Is there any way to disable it for testing? I can send unencrypted UDP/TCP OK between client and server.
>
> 2. Does the client need a cert? My understanding is it only needs the CA cert?
>
> Any help appreciated.
>
> Thanks,
> Andrew
Re: TLS errors with rsyslog
Yep, I get that.

Using TCP 6514 as encrypted and TCP 514 as unencrypted.

I would like to configure it so it doesn't require a client cert. I am more interested that the channel is encrypted between client and server. Not worried about mutual auth etc.

Thanks,
Andrew
________________________________
From: David Lang <david@lang.hm>
Sent: Friday, 7 July 2023 11:44 am
To: Andrew Cowan via rsyslog <rsyslog@lists.adiscon.com>
Cc: Andrew Cowan <cowan_andrew@hotmail.com>
Subject: Re: [rsyslog] TLS errors with rsyslog

You cannot do both encrypted and unencrypted traffic on the same port; you have
to pick which you use. If you try to do a health check to that port, you will
either get an error like you are describing, or you will need to do the check
via TLS.

Depending on how you have rsyslog configured, it may or may not require a client
cert.

David Lang
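The configuration below is an added example written for this thread; it is not from the original posts or the rsyslog project. It shows the two settings that decide whether the server demands a client certificate: `StreamDriver.AuthMode="anon"` (encrypt the channel, authenticate nobody, no client cert needed, which is what the second post asks for) beside the `x509/name` setting (both sides present a CA-signed certificate and check the peer's name). The hostnames and the paths under `/etc/rsyslog.d/tls/` are assumptions; the TLS listener stays on 6514 and plain TCP on 514, since one port cannot carry both.

```rsyslog
# ---------- Server side (the rsyslog receiver) ----------
# Assumed paths; the server always needs its own certificate and key,
# even when clients are not required to present one.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# Encrypt-only test setting: TLS is mandatory on this listener, but no
# client certificate is requested or verified.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"          # 1 = TLS required on this listener
       StreamDriver.AuthMode="anon")  # no peer authentication at all
input(type="imtcp" port="6514")

# Authenticated alternative (comment out the module() above to use it):
# every client must present a certificate signed by ca.pem whose name
# matches a permitted peer; otherwise the handshake is rejected.
# module(load="imtcp"
#        StreamDriver.Name="gtls"
#        StreamDriver.Mode="1"
#        StreamDriver.AuthMode="x509/name"
#        PermittedPeer=["client1.example.internal"])  # assumed hostname
# input(type="imtcp" port="6514")

# Unencrypted traffic gets its own listener on a different port.
module(load="imptcp")
input(type="imptcp" port="514")

# ---------- Client side (the host forwarding logs) ----------
# The CA file is only consulted by the x509/* modes; in anon mode the
# client neither needs nor checks any certificate.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  # Only needed for x509/* modes, where the client proves its identity:
  # DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  # DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Encrypt-only test: must match the server's anon mode.
action(type="omfwd"
       target="logserver.example.internal"  # assumed hostname
       port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="anon")

# Authenticated alternative: verify the server's certificate chain against
# ca.pem and insist on its name, while presenting the client cert above.
# action(type="omfwd"
#        target="logserver.example.internal" port="6514" protocol="tcp"
#        StreamDriver="gtls" StreamDriverMode="1"
#        StreamDriverAuthMode="x509/name"
#        StreamDriverPermittedPeers="logserver.example.internal")
```

Two points worth keeping in mind when choosing between the halves. First, `anon` removes the certificate problem but also the identity check: the forwarder will happily hand its logs to anything listening on 6514, so it is a test setting, not a destination. Second, the two errors in the first post are OpenSSL verify codes 20 (`X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`) and 21 (`X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE`): the side doing the verifying cannot find the issuer of the peer's certificate in its CA file. With any `x509/*` mode, each side's `CAFile` must therefore contain the CA that signed the other side's certificate (the full intermediate chain if there is one), and in `x509/name` the name checked must appear in that certificate; the same `AuthMode` values apply if the server runs the `ossl` driver instead of `gtls`.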