‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 12, 2021 10:07 AM, Mariusz Kruk via rsyslog <[email protected]> wrote:
> > Mar 11 17:26:01 testVM rsyslogd[6693]: error reading certificate file
> > '/root/rsyslog-server/ca.pem' - a common cause is that the file does not
> > exist [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2078 ]
>
> As you can see, the rsyslog daemon cannot - for some reason - read the file.
>
> [ --%< snipped %<--- ]
>
> Secondly - CentOS7 by default ships with SELinux enabled. So even though
> rsyslogd by default runs as root in CentOS7, it won't be able to access
> the files because selinux context mismatch.
>
> This location is bad, anyway. You shouldn't put configuration elements
> in root's home directory. It's what /etc is for.

Yes, the problem arose because of SELinux - I forgot that it was enabled. And of course the location of the certificates made the situation worse. When I created them under /etc, they had the right SELinux rights.

Would it be useful to note this here: http://www.rsyslog.com/e/2078 ?

> > I want to create a pair of certificates for all my machines (not separately
> > for each machine).
> > These machines may have completely different domain names but I want all of
> > them to send their logs with the same certificate (for convenience) to a
> > central rsyslog machine.
>
> Bad idea. If you're going for encryption, do it properly.

The right way is to create a certificate per client, right? I understand that - it makes sense.

In addition to security/safety/privacy, can I get additional benefits from the rsyslog (central) side with different certificates per client? For example, can I check the certificate with rsyslog and do something?
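The SELinux context mismatch discussed in the message above shows up in the audit log as AVC denials against rsyslogd, which is how to tell it apart from a file that really is missing. The filter below is an added example, not part of the original thread; the audit records are constructed, `key.pem` is a hypothetical file name, and it assumes the targeted policy's usual `syslogd_t` domain for rsyslogd and `admin_home_t` label for files under /root.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials logged against rsyslogd.
# On a live host, pipe in /var/log/audit/audit.log or `ausearch -m avc -c rsyslogd`.

# Constructed audit records (not from the thread); pid 6693 and ca.pem follow
# the rsyslogd error quoted in the message, key.pem is hypothetical.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1615479961.101:412): avc:  denied  { read } for  pid=6693 comm="rsyslogd" name="ca.pem" dev="dm-0" ino=2101 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1615479961.101:412): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0
type=AVC msg=audit(1615479970.200:415): avc:  denied  { name_connect } for  pid=7001 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1615480020.300:420): avc:  denied  { read open } for  pid=6693 comm="rsyslogd" path="/root/rsyslog-server/key.pem" dev="dm-0" ino=2102 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
EOF
}

# Print "permissions<TAB>file<TAB>target type<TAB>hint" for every denied
# file access by rsyslogd found on stdin; other record types are skipped.
rsyslog_avc_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="rsyslogd"/ && /tclass=file( |$)/ {
        perm = ""; file = ""; ttype = ""
        s = index($0, "{ "); e = index($0, " }")
        if (s > 0 && e > s) {
            perm = substr($0, s + 2, e - s - 2)   # text between the braces
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(name|path)=/) {
                file = $i; sub(/^[a-z]+=/, "", file); gsub(/"/, "", file)
            } else if ($i ~ /^tcontext=/) {
                split($i, ctx, ":"); ttype = ctx[3]   # user:role:type:level
            }
        }
        # *_home_t means the file carries a home-directory label, as under /root
        hint = (ttype ~ /_home_t$/) ? "home-directory label" : "other label"
        printf "%s\t%s\t%s\t%s\n", perm, file, ttype, hint
    }'
}

sample_audit_log | rsyslog_avc_denials
```

A `home-directory label` hit for a certificate file matches the situation in the thread; `ls -Z` on the file shows the same label directly.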

