Thanks. I configured a CA and certs for the clients and servers. I set the dnsName to a wildcard, e.g. *.local, in the certificates.

Both clients and servers started, and the server listens on the ports with TLS. However, TLS connections cannot be established. This is something to do with a 'peer' which was specified in tls.permittedpeer=

The error on the server is:

2018-11-13T15:50:12.783315+01:00 6 rsyslogd: imrelp[10514]: authentication error 'no permited name found', peer is '' [v8.24.0 try http://www.rsyslog.com/e/2353 ]

I used this config:

Server:

input(type="imrelp" port="10514" tls="on"
      tls.caCert="/etc/pki/tls/private/ca-cert.pem"
      tls.myCert="/etc/pki/tls/private/collector-cert.pem"
      tls.myPrivKey="/etc/pki/tls/private/collector-key.pem"
      tls.authMode="name"
      tls.permittedpeer=["*.local"]
)

Client:

action(type="omrelp" target="5" port="10514" tls="on"
       tls.caCert="/etc/pki/tls/private/ca-cert.pem"
       tls.myCert="/etc/pki/tls/private/sender-cert.pem"
       tls.myPrivKey="/etc/pki/tls/private/sender-key.pem"
       tls.authmode="name"
       tls.permittedpeer=["*.local"]
)

action(type="omrelp" target="6" port="10514" tls="on"
       tls.caCert="/etc/pki/tls/private/ca-cert.pem"
       tls.myCert="/etc/pki/tls/private/sender-cert.pem"
       tls.myPrivKey="/etc/pki/tls/private/sender-key.pem"
       tls.authmode="name"
       tls.permittedpeer=["*.local"]
)

What should I add for tls.permittedpeer? I don't think this is correct. Or my certificates are wrong.

> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of John
> Chivian
> Sent: Tuesday, November 13, 2018 1:56 PM
> To: sophie.loewenthal--- via rsyslog
> Subject: Re: [rsyslog] TLS and rsyslog
>
> If both client and server are willing to accept and use a valid
> certificate, and do no other verification checks, then yes you can use
> the same cert on all client systems.
>
> Regards,
>
> On 11/13/18 3:22 AM, sophie.loewenthal--- via rsyslog wrote:
> > Light bulb moment: Can I use the same client cert on all of the clients?
> >
> >> -----Original Message-----
> >> From: rsyslog [mailto:[email protected]] On Behalf Of
> >> sophie.loewenthal--- via rsyslog
> >> Sent: Tuesday, November 13, 2018 10:06 AM
> >> To: rsyslog-users
> >> Cc: LOEWENTHAL Sophie
> >> Subject: [rsyslog] TLS and rsyslog
> >>
> >> Hi,
> >>
> >> I've read lots of docs on setting up TLS for sending logs, and every time I
> >> see one has to set up a CA and then have a certificate for every client. I'd
> >> have to create 1001 certificates and then a new client cert for every new
> >> server. This is impractical and the time is not available to perform the
> >> task. For comparison, we don't require every user's browser to have a client
> >> cert to connect with a webserver, like Paypal, and I use self-signed certs
> >> for some internal web servers.
> >>
> >> In my case the objective is to encrypt the syslog data sent over the
> >> network, but not to identify the sending machine.
> >> Is there a way to have rsyslog use a self-signed certificate and trust all
> >> the clients that connect over TLS?
> >>
> >> Some examples that suggest using a self-signed CA + clients:
> >> https://access.redhat.com/solutions/519533
> >> https://waqarafridi.wordpress.com/2015/11/16/configure-ssltls-between-two-rsyslog-systems/
> >> And the list goes on.
> >>
> >> Best wishes,
> >> Sophie
> >>
> >> Not working on Mondays/ Travailler sauf le lundi
> >> Team mailbox : [email protected]
> >> or direct [email protected]
> >>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> >> LIKE THAT.
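For readers working through the 'no permited name found' error above: with tls.authMode="name", rsyslog and librelp take the names carried by the peer certificate (SAN dNSName entries, then the subject CN) and compare them against the tls.permittedpeer patterns, so a certificate that carries none of those names can never authenticate no matter how the pattern is written. The checker below is an added example, not code from rsyslog or librelp, and not from anyone in this thread. It implements the per-label wildcard rules rsyslog documents for permittedPeer (a bare '*' matches a whole label, a leading or trailing '*' matches a suffix or prefix within a label; treat the exact semantics as an assumption to confirm against the librelp version in use) and reports its decision in the same shape as the server error quoted above, so an empty peer string in its output means there was nothing to compare. The names_from_pem helper is optional and uses the third-party 'cryptography' package only if it is installed; everything else runs on the standard library. The function names and the sample hostnames are constructed for the example.

```python
"""Offline checker for rsyslog/librelp tls.authMode="name" decisions.

Added example, not code from rsyslog or librelp. Assumption: permittedPeer
patterns are matched label by label, with a bare '*' matching one whole
label and a leading/trailing '*' matching a suffix/prefix within a label.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Label:
    kind: str  # "all" (bare '*'), "suffix" ('*foo'), "prefix" ('foo*') or "literal"
    text: str


def compile_pattern(pattern: str) -> List[Label]:
    """Split a permittedPeer pattern such as '*.local' into per-label matchers."""
    labels: List[Label] = []
    for part in pattern.lower().split("."):
        if part == "*":
            labels.append(Label("all", ""))
        elif part.startswith("*"):
            labels.append(Label("suffix", part[1:]))
        elif part.endswith("*"):
            labels.append(Label("prefix", part[:-1]))
        else:
            labels.append(Label("literal", part))
    return labels


def match_name(name: str, pattern: str) -> bool:
    """True if one certificate name matches one permittedPeer pattern.

    DNS names are compared case-insensitively, and the label count must
    agree, so '*.local' accepts 'collector.local' but not 'a.b.local'.
    """
    wanted = compile_pattern(pattern)
    got = name.lower().split(".")
    if len(got) != len(wanted):
        return False
    for label, rule in zip(got, wanted):
        if rule.kind == "all":
            continue
        if rule.kind == "suffix" and label.endswith(rule.text):
            continue
        if rule.kind == "prefix" and label.startswith(rule.text):
            continue
        if rule.kind == "literal" and label == rule.text:
            continue
        return False
    return True


def check_peer(cert_names: List[str], permitted: List[str]) -> Tuple[bool, str]:
    """Decide whether a peer presenting `cert_names` passes name authentication.

    `cert_names` holds the names the certificate carries, SAN dNSName entries
    first and the subject CN last; an empty list models a certificate with
    neither. The diagnostic mirrors the shape of the server error in the
    thread: an empty peer string means there was nothing to compare.
    """
    for cert_name in cert_names:
        for pattern in permitted:
            if match_name(cert_name, pattern):
                return True, f"peer name '{cert_name}' matched permittedPeer '{pattern}'"
    return False, f"no permitted name found, peer is '{','.join(cert_names)}'"


def names_from_pem(path: str) -> Optional[List[str]]:
    """Read SAN dNSNames, then the CN, from a PEM certificate.

    Returns None when the third-party 'cryptography' package is missing,
    so the rest of the module stays usable without it.
    """
    try:
        from cryptography import x509
        from cryptography.x509.oid import NameOID
    except ImportError:
        return None
    with open(path, "rb") as fh:
        cert = x509.load_pem_x509_certificate(fh.read())
    names: List[str] = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names.extend(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    for attr in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        names.append(str(attr.value))
    return names


if __name__ == "__main__":
    # Constructed scenarios, using the permittedpeer value from the thread.
    permitted = ["*.local"]
    for names in (["collector.local"], ["sender.example.net"], []):
        ok, why = check_peer(names, permitted)
        print("OK  " if ok else "FAIL", why)
```

To check a deployed certificate before restarting rsyslog, feed the names printed by `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` (or the list returned by names_from_pem) into check_peer together with the configured permittedpeer list; if the function returns False with an empty peer string, the certificate itself lacks a dNSName and CN, and no permittedpeer pattern will fix that.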

