Hey

Seems that openssl just solved the problem.
Thank you for the tip 😊

Aksel D.
BDO CERT

________________________________
From: Rainer Gerhards <[email protected]>
Sent: Friday, 8 March 2019 10:16:48
To: rsyslog-users
Cc: Aksel Cevdet Devrimci
Subject: Re: [rsyslog] Peer name error with imrelp

maybe updated gnutls lib... let's try openssl, it generally has better error message.

change

    module(load="imrelp")

to

    module(load="imrelp" tls.tlslib="openssl")

Let's see if that provides a better error message (or even works!).

Rainer

On Thu, 7 Mar 2019 at 21:42, Aksel Cevdet Devrimci via rsyslog (<[email protected]>) wrote:
>
> Hello
>
> After we upgraded our rsyslog server to Ubuntu 16.04 (from 14.04) our
> clients (still Ubuntu 14.04) can no longer send over logs using relp.
> Relp with no TLS works fine, but if we turn on TLS we get the following error
> message on the server: "rsyslogd: imrelp[20514]: authentication error
> 'certificate validation failed', peer is '' [v8.1903.0 try
> https://www.rsyslog.com/e/2353 ]"
> After taking a packet capture on the server and manually dumping the client
> certificate, it looks fine (openssl can read it). We use subject common name
> and not subjectAltName.
> Both clients and server use the latest rsyslog version from ppa (8.1903.0).
>
> Our server config:
> input(
>     name="imrelpInput"
>     type="imrelp"
>     port="20514"
>     ruleset="XXXXXX"
>     tls="on"
>     tls.cacert="/etc/ssl/certs/ca-chain-cert.pem"
>     tls.mycert="/etc/ssl/certs/server.cert.pem"
>     tls.myprivkey="/etc/ssl/private/server.cert.key"
>     tls.permittedPeer=["*.clients.DOMAIN"]
>     tls.authMode="name"
>     tls.compression="off"
>     keepalive="on"
>     MaxDatasize="512K"
> )
>
> Not sure what else to try or look for, our current workaround is to turn off
> tls.
> Help or advice would be much appreciated.
>
> Aksel D.
>
> BDO CERT
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
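Added example, not part of the thread and not rsyslog or librelp code: an offline check that separates the two things tls.authMode="name" depends on, chain validation against the tls.cacert file and the subject CN matching the tls.permittedPeer pattern, since the logged error (peer is '') does not say which one failed. The function names, the throwaway demo PKI and the shell-glob name comparison are assumptions; librelp's own wildcard matching may differ.

```shell
#!/usr/bin/env bash
# Added diagnostic sketch (assumed helper names; needs the openssl CLI).

# check_relp_peer CERT CAFILE PATTERN
# Prints a verdict; returns 0 (ok), 1 (chain invalid) or 2 (name mismatch).
check_relp_peer() {
    local cert="$1" ca="$2" pattern="$3" cn
    # Step 1: does the client certificate chain up to the CA file that the
    # server is given as tls.cacert? "openssl can read it" does not prove this.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain-invalid"
        return 1
    fi
    # Step 2: extract the subject common name (the setup in the thread uses
    # the CN, not subjectAltName).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    # Step 3: compare with the permittedPeer pattern. Shell globbing is only
    # an approximation of librelp's wildcard rules (assumption).
    case "$cn" in
        $pattern) echo "ok $cn" ;;
        *)        echo "name-mismatch $cn"; return 2 ;;
    esac
}

# make_demo_pki DIR CA_NAME CLIENT_CN
# Builds a constructed, one-day CA and a client certificate signed by it,
# so the check can be tried without touching production key material.
make_demo_pki() {
    local d="$1" ca="$2" cn="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
        -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$d/$cn.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
        -CAcreateserial -days 1 -out "$d/$cn.pem" 2>/dev/null
}
```

Against real files the call would look like check_relp_peer client.cert.pem /etc/ssl/certs/ca-chain-cert.pem '*.clients.DOMAIN', where client.cert.pem is the certificate dumped from the client (a placeholder name).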

