Re: [solved] syslogd in 7.4 no longer likes self signed certificates for TLS remote logging
Ok I solved it. Two issues:

1. the ca.crt file differed on various VMs, possibly due to bitrot
2. the -C option for syslogd to use the ca.crt as distributed to all VMs now (wasn't the case as I would append its content to /etc/ssl/cert.pem and that was sufficient up till now) allows for normal logging over TLS once again. Thanks Stuart for the suggestion on that.

Not sure why it had to break on moving to 7.4 but at least it's working again.

Cheers,
Noth
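The two things that resolved the thread (a ca.crt that is byte-identical on every host, and handing it to syslogd with -C instead of relying on /etc/ssl/cert.pem) can both be checked offline. The script below is an added example, not code from the thread or from OpenBSD: it builds a throwaway CA and CA-signed client cert with openssl(1), shows that the cert verifies only when that CA file is trusted explicitly and fails with the thread's "self signed certificate in certificate chain" error against the system store alone, and fingerprints the CA file so copies from different hosts can be compared. It assumes openssl and mktemp are on the PATH; the host names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and client cert,
# show the cert verifies only when that CA is trusted explicitly (what
# syslogd -C /etc/ssl/ca.crt does), fails against the system store alone with
# the thread's "self signed certificate in certificate chain" error, and
# fingerprint the CA file so copies on different hosts can be compared.
set -eu

WORK=$(mktemp -d)          # scratch PKI; hostnames below are hypothetical
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
    # 10-year self-signed CA, like the one described in the thread
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=syslog-test-ca" >/dev/null 2>&1
    # client key + CSR, then a CA-signed cert (what -c/-k would point at)
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=buildhost.example.test" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.crt" >/dev/null 2>&1
}

# 0 when the cert chains to the given CA file: syslogd -C semantics.
verify_with_ca_file() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The CA is offered only as chain material (as a TLS peer presents it), so
# this succeeds only if the CA already sits in the system trust store.
verify_with_system_store() {
    openssl verify -untrusted "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a cert; ca.crt must match on every host for -C to work.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

same_ca() {   # compare a local ca.crt with a copy fetched from another host
    [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}

make_test_pki
if verify_with_ca_file "$WORK/ca.crt" "$WORK/client.crt"; then echo "explicit CA file: OK"; fi
if ! verify_with_system_store "$WORK/ca.crt" "$WORK/client.crt"; then echo "system store only: failed, as on the 7.4 clients"; fi
echo "ca.crt fingerprint: $(ca_fingerprint "$WORK/ca.crt")"
```

On real hosts, run ca_fingerprint against /etc/ssl/ca.crt on the loghost and on each client and compare the output before touching syslogd flags.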
Re: syslogd in 7.4 no longer likes self signed certificates for TLS remote logging
Hi Stuart,

On 09/10/2023 23:01, Stuart Henderson wrote:
> any chance you previously had added certs to /etc/ssl/cert.pem but lost
> that when upgrading?

I always re-add the ca.crt used to sign the client certs to /etc/ssl/cert.pem and distribute the file at upgrade via siteXX.tgz

>> It's hard to tell the exact cause of your problem since you do not provide
>> crucial data such as any error messages that would appear in a log somewhere.
>
> if there's nothing useful from syslogd, try connecting with nc -vvc on the
> relevant machines too. (there was no relevant change to syslogd since 7.3.
> there were changes to the various TLS libs but they should affect nc as
> well and errors maybe easier to see there).

There is stuff from syslog (my other post took ages to reach the mailing list):

on the server:
Oct 9 23:09:30 loghost syslogd[96442]: tls logger "192.168.0.14:35359" connection error: handshake failed: error:14039418:SSL routines:ACCEPT_SR_CERT_VRFY:tlsv1 alert unknown ca

on the client:
Oct 9 23:09:02 builder syslogd[71166]: loghost "@tls4://loghost.domain.local" connection error: certificate verification failed: self signed certificate in certificate chain

# nc -vvc loghost.domain.local 6514
Connection to loghost.domain.local (192.168.0.30) 6514 port [tcp/syslog-tls] succeeded!
nc: tls handshake failed (certificate verification failed: self signed certificate in certificate chain)

>> We also do not know much about your configuration or what requirements the
>> setup is supposed to fill. But sure, in quite a number of situations
>> auto-renewing Let's Encrypt certificates would be a serviceable solution.
>
> using self-signed certs and requiring a specific cert (via syslogd's -C
> option) is certainly a valid configuration too.

I'm going to give -C a go, it might be easier than adding the cert to /etc/ssl/cert.pem

Thanks for the suggestions and confirming syslogd hadn't changed, maybe it's the TLS stuff. I need to check the hashes for /etc/ssl/ca.crt as well.

Cheers,
Noth
Re: syslogd in 7.4 no longer likes self signed certificates for TLS remote logging
On 2023-10-09, Peter N. M. Hansteen wrote:
> On Mon, Oct 09, 2023 at 06:42:02PM +0200, Noth wrote:
>>
>> I upgraded to 7.4 via CVS on my VMs but not my routers (yet). The 7.3
>> routers are still able to connect via TLS but the 7.4 VMs can't as they
>> don't like the self signed certs. It'd be nice if this was in the
>> upgrade74.html with some explanation of why this changed.
>
> Actually, if you built from source from a recent -current (HEAD) checkout,
> what you got was just that: something that is close to what will be
> 7.4-release, (a matter of weeks if not days), but not actually 7.4-release
> or -stable.

cvs head is beyond 7.4. the tree has been tagged with OPENBSD_7_4_BASE but as usual it may still be re-tagged before release day.

>> Is my path to getting all this working again the way it was to use Let's
>> Encrypt certificates?

any chance you previously had added certs to /etc/ssl/cert.pem but lost that when upgrading?

> It's hard to tell the exact cause of your problem since you do not provide
> crucial data such as any error messages that would appear in a log somewhere.

if there's nothing useful from syslogd, try connecting with nc -vvc on the relevant machines too. (there was no relevant change to syslogd since 7.3. there were changes to the various TLS libs but they should affect nc as well and errors maybe easier to see there).

> We also do not know much about your configuration or what requirements the
> setup is supposed to fill. But sure, in quite a number of situations
> auto-renewing Let's Encrypt certificates would be a serviceable solution.

using self-signed certs and requiring a specific cert (via syslogd's -C option) is certainly a valid configuration too.

-- 
Please keep replies on the mailing list.
Re: syslogd in 7.4 no longer likes self signed certificates for TLS remote logging
Hi

On 09/10/2023 19:59, Peter N. M. Hansteen wrote:
> You are aware that OpenBSD 7.4 has not been released yet, right?

Of course.

> On Mon, Oct 09, 2023 at 06:42:02PM +0200, Noth wrote:
>> This wasn't covered in http://www.openbsd.org/plus74.html . I have a setup
>> where various OpenBSD instances log via TLS to a central logger, using self
>> signed certificates I generated locally (10 year validity). Both the server
>> and the clients verify each other using the -c & -s options for syslogd on
>> the clients and -K for the server.
>>
>> I upgraded to 7.4 via CVS on my VMs but not my routers (yet). The 7.3
>> routers are still able to connect via TLS but the 7.4 VMs can't as they
>> don't like the self signed certs. It'd be nice if this was in the
>> upgrade74.html with some explanation of why this changed.
>
> Actually, if you built from source from a recent -current (HEAD) checkout,
> what you got was just that: something that is close to what will be
> 7.4-release, (a matter of weeks if not days), but not actually 7.4-release
> or -stable.

I downloaded 7.4 from CVS last Wednesday and built it. I don't use -current. I am aware it's not officially released yet but it's close to being.

>> Is my path to getting all this working again the way it was to use Let's
>> Encrypt certificates?
>
> It's hard to tell the exact cause of your problem since you do not provide
> crucial data such as any error messages that would appear in a log
> somewhere. We also do not know much about your configuration or what
> requirements the setup is supposed to fill. But sure, in quite a number of
> situations auto-renewing Let's Encrypt certificates would be a serviceable
> solution.
>
> - Peter

client side /etc/rc.conf.local snippet:
syslogd_flags=-c /etc/ssl/buildhost.domain.local.crt -k /etc/ssl/private/buildhost.domain.local.key

client side /etc/syslog.conf snippet:
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @tls://loghost.domain.local
auth,daemon,syslog,user.info;authpriv,kern.debug @tls://loghost.domain.local

Error message for client is:
Oct 9 21:30:50 buildhost syslogd[42102]: loghost "@tls://loghost.domain.local" connection error: certificate verification failed: self signed certificate in certificate chain

server side rc.conf.local snippet:
syslogd_flags=-u -T 192.168.50.30:514 -S loghost.domain.local -S 192.168.0.30 -K /etc/ssl/ca.crt

Error server side is:
Oct 9 21:31:20 loghost syslogd[39364]: tls logger "192.168.0.14:43535" connection error: handshake failed: error:14039418:SSL routines:ACCEPT_SR_CERT_VRFY:tlsv1 alert unknown ca

I hope this illustrates it a bit better.

Cheers,
Noth
Re: syslogd in 7.4 no longer likes self signed certificates for TLS remote logging
You are aware that OpenBSD 7.4 has not been released yet, right?

On Mon, Oct 09, 2023 at 06:42:02PM +0200, Noth wrote:
>
> This wasn't covered in http://www.openbsd.org/plus74.html . I have a setup
> where various OpenBSD instances log via TLS to a central logger, using self
> signed certificates I generated locally (10 year validity). Both the server
> and the clients verify each other using the -c & -s options for syslogd on
> the clients and -K for the server.
>
> I upgraded to 7.4 via CVS on my VMs but not my routers (yet). The 7.3
> routers are still able to connect via TLS but the 7.4 VMs can't as they
> don't like the self signed certs. It'd be nice if this was in the
> upgrade74.html with some explanation of why this changed.

Actually, if you built from source from a recent -current (HEAD) checkout, what you got was just that: something that is close to what will be 7.4-release, (a matter of weeks if not days), but not actually 7.4-release or -stable.

> Is my path to getting all this working again the way it was to use Let's
> Encrypt certificates?

It's hard to tell the exact cause of your problem since you do not provide crucial data such as any error messages that would appear in a log somewhere. We also do not know much about your configuration or what requirements the setup is supposed to fill. But sure, in quite a number of situations auto-renewing Let's Encrypt certificates would be a serviceable solution.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
syslogd in 7.4 no longer likes self signed certificates for TLS remote logging
Hello,

This wasn't covered in http://www.openbsd.org/plus74.html . I have a setup where various OpenBSD instances log via TLS to a central logger, using self signed certificates I generated locally (10 year validity). Both the server and the clients verify each other using the -c & -s options for syslogd on the clients and -K for the server.

I upgraded to 7.4 via CVS on my VMs but not my routers (yet). The 7.3 routers are still able to connect via TLS but the 7.4 VMs can't as they don't like the self signed certs. It'd be nice if this was in the upgrade74.html with some explanation of why this changed.

Is my path to getting all this working again the way it was to use Let's Encrypt certificates?

Cheers,
Noth