On Fri, 8 Mar 2019 at 12:28, Aksel Cevdet Devrimci (<[email protected]>) wrote:
> Hey
> Seems that openssl just solved the problem.
>

yeah .. that's part of why we implemented openssl. GnuTLS is very picky about many things and emits very generic error messages... ;-)

Rainer

> Thank you for the tip 😊
>
>
> Aksel D.
>
> BDO CERT
> ------------------------------
> *From:* Rainer Gerhards <[email protected]>
> *Sent:* Friday, 8 March 2019 10:16:48
> *To:* rsyslog-users
> *Cc:* Aksel Cevdet Devrimci
> *Subject:* Re: [rsyslog] Peer name error with imrelp
>
> maybe updated gnutls lib...
>
> let's try openssl, it generally has better error messages.
>
> change
>
> module(load="imrelp")
>
> to
>
> module(load="imrelp" tls.tlslib="openssl")
>
> Let's see if that provides a better error message (or even works!).
>
> Rainer
>
> On Thu, 7 Mar 2019 at 21:42, Aksel Cevdet Devrimci via rsyslog
> (<[email protected]>) wrote:
> >
> > Hello
> >
> > After we upgraded our rsyslog server to ubuntu 16.04 (from 14.04) our clients (still ubuntu 14.04) can no longer send over logs using relp.
> > Relp with no TLS works fine, but if we turn on TLS we get the following error message on the server: "rsyslogd: imrelp[20514]: authentication error 'certificate validation failed', peer is '' [v8.1903.0 try https://www.rsyslog.com/e/2353 ]"
> > After taking a packet capture on the server and manually dumping the client certificate, it looks fine (openssl can read it). We use subject common name and not subjectAltName.
> > Both clients and server use the latest rsyslog version from ppa (8.1903.0).
> >
> > Our server config:
> > input(
> >     name="imrelpInput"
> >     type="imrelp"
> >     port="20514"
> >     ruleset="XXXXXX"
> >     tls="on"
> >     tls.cacert="/etc/ssl/certs/ca-chain-cert.pem"
> >     tls.mycert="/etc/ssl/certs/server.cert.pem"
> >     tls.myprivkey="/etc/ssl/private/server.cert.key"
> >     tls.permittedPeer=["*.clients.DOMAIN"]
> >     tls.authMode="name"
> >     tls.compression="off"
> >     keepalive="on"
> >     MaxDatasize="512K"
> > )
> >
> > Not sure what else to try or look for, our current workaround is to turn off tls.
> > Help or advice would be much appreciated.
> >
> > Aksel D.
> >
> > BDO CERT
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

