I made some tests, and I was able to connect the client (8.4.2) and the
server (8.39.0) with the configuration provided here
https://www.rsyslog.com/using-tls-with-relp/ (of course with a few
modifications for hostnames) and the certificates generated with the doc
I've sent.

You may try to give the server a CN=*.example.net to allow round robin FQDN.

Otherwise, it's most probably a config issue in one of the files.

Regards,
Flo
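
An added example, not part of the original thread: one way to build a throwaway CA, a server certificate carrying the wildcard CN suggested above, and a client certificate with OpenSSL, then check the chain and which host names the wildcard covers. The example.net names, relp-test-ca and all file names are assumptions, and -checkhost applies OpenSSL's own hostname matching, which may differ from rsyslog's peer check.

```bash
#!/usr/bin/env bash
# Added example: throwaway CA plus server/client certificates for a TLS test.
# Assumed names: example.net hosts, relp-test-ca, and all file names.
set -eu

issue_cert() {      # $1 = directory, $2 = file prefix, $3 = DNS name for CN/SAN
  local dir="$1" prefix="$2" name="$3"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$prefix-key.pem" -out "$dir/$prefix.csr" 2>/dev/null
  # Repeat the name as a subjectAltName so SAN-based checks see it too.
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/$prefix.ext"
  openssl x509 -req -in "$dir/$prefix.csr" -days 365 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/$prefix.ext" -out "$dir/$prefix.pem" 2>/dev/null
}

make_pki() {        # $1 = directory, $2 = server name, $3 = client name
  mkdir -p "$1"
  # Self-signed CA certificate: the trust anchor both peers load.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=relp-test-ca" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
  issue_cert "$1" server "$2"
  issue_cert "$1" client "$3"
}

chain_ok() {        # $1 = CA certificate, $2 = certificate to verify
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

name_matches() {    # $1 = certificate, $2 = host name the peer presents
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Constructed sample run: wildcard server name, three candidate host names.
PKI_DIR=$(mktemp -d)
make_pki "$PKI_DIR" '*.example.net' 'client1.example.net'
for host in s24.example.net s25.example.net s24.oob.example.net; do
  if name_matches "$PKI_DIR/server.pem" "$host"; then
    echo "$host: covered by server certificate"
  else
    echo "$host: NOT covered"
  fi
done
```

In this check a wildcard covers a single label only, so a name with an extra label such as s24.oob.example.net is not matched by *.example.net.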

On Thu, Dec 6, 2018 at 3:18 PM [email protected] <
[email protected]> wrote:

> Hi Flo,
>
> This won't work over here, yet
>
> Got a RELP peer authentication failed.  Also we have multiple FQDNs for
> each host that resolve round robin, so the FQDN changes each time, which
> won't help.  Don't ask me why...
>
> rsyslogd: imrelp[2514]: error 'TLS record write failed [gnutls error -10:
> The specified session has been invalidated for some reason.]', object
> 'lstn 2514: conn to clt 10.1.1.1/s24.oob.be.zzz.bbb.local' - input may
> not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]
>
> Thanks anyway.  I'll try modifying it.
>
> Best wishes,
> Sophie
>
> Team mailbox : [email protected]
> or direct [email protected]
>
>
>
> From: Flo Rance [mailto:[email protected]]
> Sent: Thursday, December 06, 2018 11:40 AM
> To: LOEWENTHAL Sophie
> Cc: rsyslog-users
> Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates
>
> Hi,
>
> I've never used relp, with or without tls, but this is what I've used to
> create certificates to secure our DB connections.
>
> Let me know if this works for you with rsyslog.
>
> Regards,
> Flo
>
> On Wed, Dec 5, 2018 at 4:32 PM [email protected] <
> [email protected]> wrote:
> Hi Flo,
> I tried a few times from scratch and could not get it to work. The
> certtool output is different along with the defaults.
>
>
> From: Flo Rance [mailto:[email protected]]
> Sent: Wednesday, December 05, 2018 4:06 PM
> To: rsyslog-users
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates
>
> Hi,
>
> What's wrong with this guide https://www.rsyslog.com/using-tls-with-relp/
> ?
>
> The commands used in it still apply nowadays.
>
> Regards,
> Flo
>
> On Wed, Dec 5, 2018 at 12:52 PM sophie.loewenthal--- via rsyslog <
> [email protected]> wrote:
> Hi,
>
> On and off for a few months I've been trying to get TLS working with RELP.
> I've set up so many certificates for client and servers, and never managed
> to get them to talk. Frankly, with all the hundreds of options in
> openssl/certtool and that the default values and order of questions that
> change depending on the version and O/S used, it's bound to go wrong. For
> example: this guide from 2013 doesn't work
> https://www.rsyslog.com/using-tls-with-relp
>
> I know that lots of people setting TLS up in rsyslog will be creating
> certificates daily, and they know OpenSSL pretty well, but I do not: I
> create a certificate once every six months, if that.
>
> Are there any recent guides to setting this up?  Particularly for the part
> for creating CA/server/client certificates.
>
> The actual omrelp/imrelp part is quite straightforward.
>
> Best wishes,
> Sophie
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>