I am trying to set up a certificate authority (CA) and the certificates for the clients on my (central) rsyslog server. I am following the steps from the following very interesting and useful documentation pages:

* https://www.rsyslog.com/doc/master/tutorials/tls_cert_ca.html
* https://www.rsyslog.com/doc/master/tutorials/tls_cert_machine.html
* https://www.rsyslog.com/doc/master/tutorials/tls_cert_server.html

but unfortunately I do not get the expected result. For some reason the (self-signed) CA certificate is not accepted by rsyslog.

## Server

The commands and output, as I generated them:

```
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
```

```
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name:
UID:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6938417459922577638):


Activation/Expiration time.
The certificate will expire in (days): 1000


Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 604a35eb220da8e6
    Validity:
        Not Before: Thu Mar 11 15:23:24 UTC 2021
        Not After: Wed Dec 06 15:23:28 UTC 2023
    Subject:
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
        Modulus (bits 2048):
            00:da:ae:33:95:48:8b:9d:27:4d:d6:80:a6:2d:c0:40
            3c:7d:6a:c6:64:c2:e2:23:f9:42:e1:2d:32:56:d3:ba
            [ ...... ]
            2f:68:d2:d9:73:a1:31:09:d6:05:18:ed:20:06:45:8b
            9b
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Subject Alternative Name (not critical):
            RFC822Name:
        Key Usage (critical):
            Certificate signing.
        Subject Key Identifier (not critical):
            7b34103e9dc02d497d78c303fc547f78d6f6318d
Other Information:
    Public Key ID:
        7b34103e9dc02d497d78c303fc547f78d6f6318d
    Public key's random art:
        +--[ RSA 2048]----+
        | o+=.+ .. |
        [ ... ]
        +-----------------+

Is the above information ok? (y/N): y


Signing certificate...
```

```
chmod 400 ca-key.pem
```

## Client

```
certtool --generate-privkey --outfile key.pem
```

```
certtool --generate-request --load-privkey key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Common name:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this a TLS web server certificate? (y/N): y
```

```
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 6938404153755168037):


Activation/Expiration time.
The certificate will expire in (days): 1000


Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used to sign other certificates? (y/N):
Will the certificate be used to sign CRLs? (y/N):
[...]
Is the above information ok? (y/N): y


Signing certificate...
```

After that I configure my (central) rsyslog to read the certificates:

/etc/rsyslog.conf:

```
$DefaultNetstreamDriverCAFile /root/rsyslog-server/ca.pem
$DefaultNetstreamDriverCertFile /root/rsyslog-server/cert.pem
$DefaultNetstreamDriverKeyFile /root/rsyslog-server/key.pem
```

```
rsyslogd -N1
rsyslogd: version 8.24.0-57.el7_9, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
```

```
# systemctl status rsyslog -l
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-03-11 17:26:01 EET; 2s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 6693 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─6693 /usr/sbin/rsyslogd -n

Mar 11 17:26:01 testVM systemd[1]: Starting System Logging Service...
Mar 11 17:26:01 testVM rsyslogd[6693]: [origin software="rsyslogd" swVersion="8.24.0-57.el7_9" x-pid="6693" x-info="http://www.rsyslog.com"] start
Mar 11 17:26:01 testVM rsyslogd[6693]: error reading certificate file '/root/rsyslog-server/ca.pem' - a common cause is that the file does not exist [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2078 ]
Mar 11 17:26:01 testVM rsyslogd[6693]: could not load module '/usr/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078 [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2068 ]
Mar 11 17:26:01 testVM systemd[1]: Started System Logging Service.
Mar 11 17:26:01 testVM rsyslogd[6693]: tcpsrv could not create listener (inputname: 'imtcp') [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2068 ]
Mar 11 17:26:01 testVM rsyslogd[6693]: activation of module imtcp failed [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2068 ]
```

```
ls -alh /root/rsyslog-server/ca.pem
-rw-r--r--. 1 root root 1.5K Mar 11 17:24 /root/rsyslog-server/ca.pem
```

I do not understand why this is happening. I cannot find the problem. Where is the problem?

I want to create a pair of certificates for all my machines (not separately for each machine). These machines may have completely different domain names, but I want all of them to send their logs with the same certificate (for convenience) to a central rsyslog machine.

* Central rsyslog VM OS: CentOS 7

Thanks in advance.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
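The log line in the post says rsyslogd could not read the CA file, which is a different failure from a certificate being rejected as untrusted. Before looking at the certificate contents, it helps to confirm that the daemon can actually open each of the three configured files: every parent directory traversable, the file a readable regular file, the file holding a PEM block of the expected type, and, when SELinux is enforcing, a file context the rsyslog policy allows (files kept under /root carry admin_home_t, which the stock CentOS 7 policy does not let rsyslogd read; the rsyslog documentation's own examples keep the files under /etc). The script below is an added example written for this page, not part of rsyslog or the original post. It uses only GnuTLS `certtool --verify`, coreutils `stat` and `getenforce`, and assumes it is run as the user rsyslogd runs as (root on a default CentOS 7 install); the function names are my own.

```shell
#!/bin/sh
# Preflight check for the three files named by $DefaultNetstreamDriverCAFile,
# $DefaultNetstreamDriverCertFile and $DefaultNetstreamDriverKeyFile.
# Illustrative script for this discussion, not part of rsyslog.

# 0 if every parent directory of $1 can be traversed by the current user.
check_path_traversable() {
    d=$(dirname "$1")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        if [ ! -x "$d" ]; then
            echo "NOT TRAVERSABLE: $d"
            return 1
        fi
        d=$(dirname "$d")
    done
    return 0
}

# 0 if $1 exists, is a regular file and is readable by the current user.
check_readable() {
    if [ ! -e "$1" ]; then
        echo "MISSING: $1"
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "NOT A REGULAR FILE: $1"
        return 1
    fi
    if [ ! -r "$1" ]; then
        echo "NOT READABLE: $1"
        return 1
    fi
    return 0
}

# 0 if $1 contains a PEM block whose label ends in $2, e.g. "CERTIFICATE",
# or "PRIVATE KEY" (which also matches certtool's "RSA PRIVATE KEY").
pem_has_block() {
    grep -q -- "-----BEGIN .*$2-----" "$1"
}

# Print the SELinux context of $1 when SELinux is enforcing. A context of
# admin_home_t (anything created under /root) is not readable by rsyslogd
# under the stock policy; keeping the files under /etc and running
# restorecon on them gives a context the policy permits.
selinux_note() {
    if command -v getenforce >/dev/null 2>&1 \
       && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        echo "SELinux enforcing; context of $1: $(stat -c %C "$1" 2>/dev/null)"
    fi
}

# Verify that the issued certificate $2 chains to the CA $1 with certtool.
# Skipped (returns 0) when certtool is not installed.
verify_chain() {
    if ! command -v certtool >/dev/null 2>&1; then
        echo "certtool not installed, skipping chain verification"
        return 0
    fi
    certtool --verify --load-ca-certificate "$1" --infile "$2"
}

# Run the file-level checks on CA, cert and key. Returns 0 only if all pass.
check_rsyslog_tls_files() {
    ca=$1; cert=$2; key=$3; rc=0
    for f in "$ca" "$cert" "$key"; do
        check_path_traversable "$f" || rc=1
        if check_readable "$f"; then
            selinux_note "$f"
        else
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    pem_has_block "$ca" "CERTIFICATE" || { echo "NO CERTIFICATE BLOCK: $ca"; rc=1; }
    pem_has_block "$cert" "CERTIFICATE" || { echo "NO CERTIFICATE BLOCK: $cert"; rc=1; }
    pem_has_block "$key" "PRIVATE KEY" || { echo "NO PRIVATE KEY BLOCK: $key"; rc=1; }
    return "$rc"
}

# Usage: sh check_tls_files.sh CA_FILE CERT_FILE KEY_FILE
if [ "$#" -ge 3 ]; then
    check_rsyslog_tls_files "$1" "$2" "$3" && verify_chain "$1" "$2" && echo "OK"
fi
```

Running it with the three paths from the configuration in the post separates "the process cannot open the file" (permissions, SELinux) from "the file opens but its content is wrong" (no PEM block, or a certificate that does not verify against the CA), which is the distinction the `error reading certificate file` message leaves open.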

