I'm having a distributed setup using a central "collector" and many "small" rsyslog instances receiving events on remote locations.
Those small sites send events "upstream" using TLS-protected RELP with mutual cert-based authentication. Problem is, I used to have trustchain working like that: "CA1 -> CA2 -> CA3 -> client cert". And it worked for many clients (around two dozens, I believe). I had "CA1 -> CA2 -> CA3" provided as trust chain on both side of the connection (both in imrelp and omrelp configuration as tls.CACert parameter) and just gave plain client cert as tls.MyCert. Worked great until now because I sudenly created CSR to the CA and got in response a cert with a different chain - "CA2 -> CA4 -> client cert". Obviously when I configure my client with this cert, it's not valid becaues the CA4 cert cannot be authenticated by the other end. Do I have any other option than to simply reconfigure all ends to use CA1 as CACert and append CAs to client certs to make them chained certs? Of course since I have already many clients deployed I'd really like to avoid that but if there's no other choice. I'm using: # rpm -q rsyslog rsyslog-8.2001.0-3.el7.x86_64 TIA for any words of advice. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.