Mailing List Archive

Ubuntu 22.04 rsyslog client connection over RELP over TLS
I am trying to get Ubuntu 22.04 rsyslog clients to connect to a Red Hat 8.8
rsyslog server using RELP over TLS. The Red Hat server has been configured
using the guidelines supplied by Red Hat. Both client and server have
certificates issued by a common certificate authority. The Ubuntu client
is running apparmor. However, the local apparmor config for rsyslog has been
updated to include the client certificate path with the root permission set
to r in the apparmor config.
I can do an openssl s_client -connect to the rsyslog server with the
CAfile, client certificate and key for the rsyslog client. When I attempt
to start the rsyslog service I am getting
"omrelp[server-FQDN:server port} error 'relpTcpInitTLS: Error CA
certificate could not be accessed. Is the file at the right path ? And do
we have the permissions?....."

I have tried putting apparmor into complain mode and stopping the apparmor
service altogether. Neither had any effect.
Is it something to do with the hostname and subjectAltName? The machine
does have a FQDN rather than a short hostname, but it looks like the
hostname used by rsyslog is the short Ubuntu hostname. I'm looking for
suggestions.
Thanks,
Garry
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Ubuntu 22.04 rsyslog client connection over RELP over TLS
On many systems, the permissions of a program started at boot are no longer
simple root (systemd is being configured to restrict the programs
significantly).

So I would suggest that you try starting rsyslog as root manually and see if
that avoids this error message. If so, then it's a difference in the permissions
when run as root vs when started at boot.

David Lang

On Mon, 5 Feb 2024, Garry Allen via rsyslog wrote:
Re: Ubuntu 22.04 rsyslog client connection over RELP over TLS
Thanks David,
I have tried running it with rsyslogd -n as root but it gives the same error
message. I made sure before running it that the rsyslog service and the
syslog socket were stopped, but it gives the same error. I should also say
that I have switched to openssl when the omrelp module is loaded. It
appears to be very similar to this question asked on Stack Overflow at the
start of January:
ubuntu with syslog with TLS and RELP certificate error
<https://stackoverflow.com/questions/77771294/syslog-with-tls-and-relp-certificate-error-issues>
Garry


On Mon, Feb 5, 2024 at 3:49 PM David Lang <david@lang.hm> wrote:
Re: Ubuntu 22.04 rsyslog client connection over RELP over TLS
The error is very clear that rsyslog is not able to read the file, so either you
have the wrong path, or there is a permission problem (classic/apparmor/selinux
permissions).

If you enable debug logging and capture that, you can go through it looking for
the error message and see exactly what it's trying to access (to make sure it's
trying to access what you think it is).

David Lang


On Mon, 5 Feb 2024, Garry Allen wrote:
Re: Ubuntu 22.04 rsyslog client connection over RELP over TLS
Thanks David,
It was a directory and file permissions issue.
So in the directory containing my CA, client certificate and private key
files:
chown root:syslog *.pem
chmod 640 *.pem

And then the containing directory:
chown root:syslog /etc/<path to directory>
chmod 750 /etc/<path to directory>

followed by
systemctl restart rsyslog

And it appears to be connecting correctly and transferring logs.

And for the output part of the rsyslog.conf file:

# start of the omrelp configuration
module(load="omrelp" tls.tlslib="openssl")
ruleset(name="to_remote_relp_tls") {
    action(type="omrelp"
           target="<IP or FQDN of rsyslog server>"
           port="<destination port>"

           # and queue to disk if needs be
           queue.filename="relp_tls_fwd"
           queue.type="LinkedList"
           queue.saveonshutdown="on"
           queue.maxdiskspace="1g"

           action.resumeretrycount="-1"
           action.reportsuspension="on"

           # and send over encrypted link always
           tls="on"

           # currently rsyslog cannot provide intermediates from server end
           # so we need the full chain wherever validation is required
           tls.cacert="/etc/pki/tls/syslog/ca.pem"
           tls.mycert="/etc/pki/tls/syslog/cert.pem"
           tls.myprivkey="/etc/pki/tls/syslog/key.pem"

           # tls.authmode="x509/name"
           tls.authmode="name"
           tls.permittedpeer=["<IP or FQDN of destination server>"]
    )
}

call to_remote_relp_tls
# end of omrelp configuration

Garry

On Mon, Feb 5, 2024 at 4:42 PM David Lang <david@lang.hm> wrote:
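As an added example (not from the thread or the rsyslog project), a POSIX shell check that audits the three tls.* files an omrelp action names against the permissions the fix above ended up with: group-readable but not world-readable, containing directory likewise, both owned by the group rsyslog runs as. The config path and the group name are arguments; it assumes GNU coreutils stat, i.e. a Linux host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the TLS files an omrelp action
# names the way the thread's fix left them: files group-readable but not
# world-readable, containing directory likewise, both owned by the group
# rsyslog runs as. Assumes GNU coreutils stat (Linux).

# Extract the value of one tls.* parameter (name = "value" or name="value").
tls_param() {  # $1=config file  $2=parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Check one path: exists, right group, readable by that group, no 'other' bits.
# Prints one diagnostic line and returns 1 on the first problem found.
check_path() {  # $1=path  $2=expected group
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"; return 1
    fi
    grp=$(stat -c '%G' "$1")
    mode=$(stat -c '%a' "$1")
    if [ "$grp" != "$2" ]; then
        echo "GROUP    $1 is $grp, expected $2"; return 1
    fi
    case "$mode" in            # last octal digit = permissions for 'other'
        *0) ;;
        *)  echo "WORLD    $1 mode $mode grants access to others"; return 1 ;;
    esac
    group_digit=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    case "$group_digit" in     # rsyslog reads via its group: needs the r bit
        4|5|6|7) ;;
        *)  echo "NOGROUPR $1 mode $mode is not group-readable"; return 1 ;;
    esac
    echo "OK       $1 $grp $mode"
}

# Audit every certificate/key path the config names plus its directory.
# Returns 0 only when all of them pass; non-zero otherwise.
check_relp_tls_perms() {  # $1=rsyslog config file  $2=group rsyslog runs as
    rc=0
    for p in tls.cacert tls.mycert tls.myprivkey; do
        f=$(tls_param "$1" "$p")
        if [ -z "$f" ]; then
            echo "UNSET    $p not found in $1"; rc=1; continue
        fi
        check_path "$(dirname "$f")" "$2" || rc=1
        check_path "$f" "$2" || rc=1
    done
    return $rc
}
```

Run it as `check_relp_tls_perms /etc/rsyslog.d/relp.conf syslog` after editing the action; a NOGROUPR or WORLD line points at the file that produced the "CA certificate could not be accessed" error or that leaks key material.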