On 23.03.2021 08:43, odrzen wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, March 12, 2021 10:07 AM, Mariusz Kruk via rsyslog
> <[email protected]> wrote:
>>> Mar 11 17:26:01 testVM rsyslogd[6693]: error reading certificate file
>>> '/root/rsyslog-server/ca.pem' - a common cause is that the file does not exist
>>> [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2078 ]
>> As you can see, the rsyslog daemon cannot - for some reason - read the file.
>> [ --%< snipped %<--- ]
>> Secondly - CentOS7 by default ships with SELinux enabled. So even though
>> rsyslogd by default runs as root in CentOS7, it won't be able to access
>> the files because of an SELinux context mismatch.
>> This location is bad, anyway. You shouldn't put configuration elements
>> in root's home directory. It's what /etc is for.
> Yes, the problem arose because of SELinux - I forgot that it was enabled.
> And of course the location of the certificates made the situation worse. When I
> created them under /etc, they had the right SELinux rights.
> Would it be useful to note this here: http://www.rsyslog.com/e/2078 ?
I suppose the idea is that if you're administering a system you know
what you're doing ;-)
So the information that you don't have permission to read the file
should be enough. SELinux issues are very specific to a particular OS
and if you use it you should understand it. (and yes, I sometimes get
hit by SELinux permission issues myself if I forget to adjust my policies).
>>> I want to create a pair of certificates for all my machines (not separately for
>>> each machine).
>>> These machines may have completely different domain names but I want all of
>>> them to send their logs with the same certificate (for convenience) to a
>>> central rsyslog machine.
>> Bad idea. If you're going for encryption, do it properly.
> The right way is to create a certificate per client - right? I understand that
> - it makes sense.
> In addition to security/safety/privacy, can I get additional benefits from
> rsyslog (central) side with different certificates per client?
> For example, can I check the certificate with rsyslog and do something?
Yes, the proper way, since the certificate ties cryptographic material
to a particular subject (in this case - a server), is to use separate
certificates per client.
Unfortunately you can't use the information from the certificate during
event processing (at least I don't know of any way to - for example -
extract subject data from the certificate and use it in a ruleset). But
you can limit access to inputs based on client name and allow only
certain peers to connect.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
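As an added example that is not part of the thread, here is a server-side and client-side rsyslog configuration (RainerScript) implementing what the last reply describes: one certificate per client, files kept under /etc rather than /root, and the server's TLS input limited to named peers. Hostnames, file names and the /etc/pki/rsyslog directory are assumptions for the example.

```rsyslog
# --- Central server: /etc/rsyslog.d/10-tls-server.conf (assumed path) ---
# Certificate material lives under /etc, not under /root, so it receives
# the default SELinux label. After copying files in, run
# "restorecon -Rv /etc/pki/rsyslog" and confirm with "ls -Z" before
# restarting rsyslogd; a wrong label reproduces the
# "error reading certificate file" message from the thread.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/server-key.pem"
)

# AuthMode x509/name: a client must present a certificate that chains to
# ca.pem AND whose name matches a PermittedPeer entry. A client with a
# valid but unlisted certificate is refused during the TLS handshake,
# before any log line reaches a ruleset. This is the per-client access
# limit the reply refers to; it only works if every client has its own
# certificate rather than one shared pair.
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["web01.example.com", "db01.example.com"]
)
input(type="imtcp" port="6514")

# --- Each client, e.g. web01: /etc/rsyslog.d/10-tls-client.conf ---
# The client uses its own key pair and, in turn, only accepts the central
# server's certificate if it carries the name given in
# StreamDriverPermittedPeers, so a rogue collector cannot harvest logs.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/web01-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/web01-key.pem"
)
action(
  type="omfwd"
  target="logs.example.com" port="6514" protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logs.example.com"
)
```

Revoking a single client is then a matter of removing its name from PermittedPeer (or revoking its certificate) without touching the other hosts, which a shared certificate would not allow.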