On 2021-01-21, Seth Hanford <[email protected]> wrote:
> I'm trying unsuccessfully to create a central syslogd logging server between
> two OpenBSD 6.8 hosts, but I can't see what I'm missing.
>
> My syslog server (logs.lan.ckure.com) has a certificate from my internal CA,
> and that certificate's Root & Intermediate certs are pushed out internally to
> the /etc/ssl/cert.pem file on each OpenBSD host on my network. I have created
> a symlink to that cert to reference the IP / port per the documentation:
/etc/ssl/cert.pem should only have roots, not intermediates.
/etc/ssl/192.168.32.20:514.crt should have the server certificate followed
by the intermediate.

With that config it's working for me (6.8 + syspatches on the server,
-current from a month ago on the client).

> logs$ ls -all |grep logs.lan.ckure.com
> lrwxr-xr-x  1 root  wheel    31 Jan 17 19:25 192.168.32.20:514.crt -> /etc/ssl/logs.lan.ckure.com.crt
> -rw-rw----  1 root  wheel  5605 Jan 16 12:42 logs.lan.ckure.com.crt
>
> I am running syslogd on the log server with the following flags:
> logs$ doas rcctl get syslogd flags
> -ZS 192.168.32.20:514

BTW there are some tweaks you might like to make. Neither of these should
affect whether it works, but they might be useful.

The standard port for syslog-over-TLS is 6514. syslogd uses this by default
if you leave out the port number (both in -S and with tls4://), and in that
case it would look in 192.168.32.20.crt for the cert.

If you don't need this root for other purposes it may be better to point
syslogd at a separate CA file using -C; then sysmerge will handle the main
cert.pem file itself without you needing to merge it.

> When I connect from ns1.lan.ckure.com via openssl, the cert verifies and
> anything I write to that connection I see becoming log entries written to
> /var/log/hosts/ns1.lan.ckure.com like so:

openssl s_client is a poor test tool; about the only thing it does usefully
is display the certificate chain in an easy-to-read way. Otherwise it doesn't
verify by default, and even when you set the right options you have to read
the output carefully. The version in LibreSSL doesn't AFAIK have a way to
verify that the hostname is correct automatically (OpenSSL 1.1 does, but it's
disabled by default).

Try "nc -vvc ns1.lan.ckure.com 514" instead.
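A quick consistency check for the two PEM files the reply distinguishes (the CA file, which should hold roots only, and the per-address .crt, which should hold the server certificate followed by its intermediate), as an added example that is not part of the thread and not code from OpenBSD's syslogd. It parses only the issuer and subject names out of each DER certificate and does not verify signatures; the TLS handshake does that. The sample chain at the bottom is constructed with a tiny DER encoder and dummy keys and signatures, and the CA names in it ("ckure internal root", "ckure issuing CA") are invented placeholders. On a real host, point check_server_bundle() at /etc/ssl/192.168.32.20:514.crt and check_trust_store() at cert.pem or at the file given to -C.

```python
"""Consistency checks for the PEM files a syslogd TLS setup uses.

Added example, not from the thread or from OpenBSD.  Only issuer/subject
names are parsed out of the DER; signatures are NOT verified.  The sample
chain at the bottom is constructed with dummy signatures: placeholder data.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def _tlv(buf, pos):
    """Decode one DER header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, c_end = _tlv(buf, pos)
        yield tag, buf[pos:c_end]
        pos = c_end


def issuer_and_subject(der):
    """(issuer, subject) as raw DER Name encodings, taken from tbsCertificate."""
    _, c0, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, t0, t1 = _tlv(der, c0)               # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, t0, t1))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def is_self_signed(der):
    """True when issuer == subject, i.e. the certificate is a root / trust anchor."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def check_server_bundle(pem_text):
    """Findings for /etc/ssl/<addr>:<port>.crt: leaf first, each cert issued by the next."""
    ders = pem_to_ders(pem_text)
    if not ders:
        return ["no certificates found"]
    findings = []
    if is_self_signed(ders[0]):
        findings.append("first certificate is self-signed; expected the server (leaf) certificate")
    for i in range(len(ders) - 1):
        if issuer_and_subject(ders[i])[0] != issuer_and_subject(ders[i + 1])[1]:
            findings.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    return findings


def check_trust_store(pem_text):
    """Findings for cert.pem or the -C file: every entry must be a self-signed root."""
    ders = pem_to_ders(pem_text)
    if not ders:
        return ["no certificates found"]
    return ["certificate %d is not self-signed (an intermediate?) and does not belong here" % i
            for i, der in enumerate(ders) if not is_self_signed(der)]


# --- constructed sample data: minimal DER encoder and placeholder certificates ---

def _enc(tag, content):
    """Minimal DER encoder (definite lengths) used only to build the samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue with a single commonName."""
    return _enc(0x30, _enc(0x31, _enc(0x30, b"\x06\x03\x55\x04\x03" + _enc(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    """Placeholder certificate (invented names, dummy key and signature) as PEM."""
    alg = _enc(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")  # sha256WithRSA, NULL
    validity = _enc(0x30, _enc(0x17, b"210101000000Z") + _enc(0x17, b"310101000000Z"))
    spki = _enc(0x30, alg + _enc(0x03, b"\x00"))                                 # dummy key
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    der = _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))                            # dummy signature
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines


ROOT = fake_cert_pem("ckure internal root", "ckure internal root")     # invented CA names
INTERMEDIATE = fake_cert_pem("ckure issuing CA", "ckure internal root")
LEAF = fake_cert_pem("logs.lan.ckure.com", "ckure issuing CA")

if __name__ == "__main__":
    print("crt, leaf then intermediate:", check_server_bundle(LEAF + INTERMEDIATE) or "OK")
    print("crt, wrong order:           ", check_server_bundle(INTERMEDIATE + LEAF))
    print("CA file, root only:         ", check_trust_store(ROOT) or "OK")
    print("CA file, root+intermediate: ", check_trust_store(ROOT + INTERMEDIATE))
```

Names are compared as raw DER, which is how RFC 5280 lets a relying party match issuer to subject; the check therefore catches a reversed or missing intermediate and a root or intermediate dropped into the wrong file, but a bundle that passes here can still fail the handshake if a signature, key usage or validity period is bad, which is exactly what the nc -vvc test above is for.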

