Stuart,

Thank you so much for this. I was able to get things working with your configuration guidance.

Seth

On 2021-02-13 05:18, Stuart Henderson wrote:
> On 2021-01-21, Seth Hanford <shanf...@ckure.com> wrote:
>> I'm trying unsuccessfully to create a central syslogd logging server
>> between two OpenBSD 6.8 hosts, but I can't see what I'm missing.
>>
>> My syslog server (logs.lan.ckure.com) has a certificate from my internal CA,
>> and that certificate's Root & Intermediate certs are pushed out internally
>> to the /etc/ssl/cert.pem file on each OpenBSD host on my network. I have
>> created a symlink to that cert to reference the IP / port per the
>> documentation:
>
> /etc/ssl/cert.pem should only have roots, not intermediates.
> /etc/ssl/192.168.32.20:514.crt should have the server certificate
> followed by the intermediate.
>
> With that config it's working for me (6.8 + syspatches on the server,
> -current from a month ago on the client).
>
>> logs$ ls -all |grep logs.lan.ckure.com
>> lrwxr-xr-x 1 root wheel 31 Jan 17 19:25 192.168.32.20:514.crt ->
>> /etc/ssl/logs.lan.ckure.com.crt
>> -rw-rw---- 1 root wheel 5605 Jan 16 12:42 logs.lan.ckure.com.crt
>>
>> I am running syslogd on the log server with the following flags:
>>
>> logs$ doas rcctl get syslogd flags
>> -ZS 192.168.32.20:514
>
> BTW there are some tweaks you might like to make. Neither of these
> should affect whether it works, but might be useful.
>
> The standard port for syslog-over-TLS is 6514. syslogd uses this by
> default if you leave out the port number (both in -S and with tls4://)
> and in that case would look in 192.168.32.20.crt for the cert.
>
> If you don't need this root for other purposes it may be better
> to point syslogd at a separate CA file using -C, then sysmerge will
> handle the main cert.pem file itself without you needing to merge it.
>
>> When I connect from ns1.lan.ckure.com via openssl, the cert verifies and
>> anything I write to that connection I see becoming log entries written to
>> /var/log/hosts/ns1.lan.ckure.com like so:
>
> openssl s_client is a poor test tool, about the only thing it
> does usefully is display the certificate chain in an easy to read
> way, otherwise it doesn't verify by default and even when you set
> the right options you have to read the output carefully.
>
> The version in libressl doesn't afaik have a way to verify
> that the hostname is correct automatically (openssl 1.1 does,
> but it's disabled by default).
>
> Try "nc -vvc ns1.lan.ckure.com 514" instead.
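As an added example that is not part of the thread, here is a small sh script that checks the two file layouts Stuart describes: that /etc/ssl/cert.pem holds only self-signed roots, and that the 192.168.32.20:514.crt bundle starts with the server certificate followed by the intermediate that issued it. It assumes openssl(1) (LibreSSL or OpenSSL), awk and mktemp are available; the bundle paths are passed in as arguments.

```shell
# Added example, not code from the thread. Checks the layout Stuart describes:
#   /etc/ssl/cert.pem        -> trust anchors only, so every cert must be self-signed
#   /etc/ssl/<ip>:<port>.crt -> server cert first, then the intermediate that issued it

# split_pem BUNDLE DIR: write each cert to DIR/1.pem, DIR/2.pem, ... and print the count
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# dn FILE subject|issuer: print the DN without its "subject=" / "issuer=" prefix (LibreSSL and OpenSSL)
dn() {
    openssl x509 -in "$1" -noout -"$2" | sed 's/^[a-z]*= *//'
}

# check_roots_only BUNDLE: succeed only if every certificate is self-signed
check_roots_only() {
    d=$(mktemp -d) || return 1
    n=$(split_pem "$1" "$d")
    i=1; rc=0
    [ "$n" -gt 0 ] || rc=1
    while [ "$rc" -eq 0 ] && [ "$i" -le "$n" ]; do
        if [ "$(dn "$d/$i.pem" subject)" != "$(dn "$d/$i.pem" issuer)" ]; then
            echo "$1: cert $i is not self-signed; it belongs in the server chain, not cert.pem" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$d"; return "$rc"
}

# check_chain_order BUNDLE: succeed only if the issuer of cert i is the subject of cert i+1
check_chain_order() {
    d=$(mktemp -d) || return 1
    n=$(split_pem "$1" "$d")
    i=1; rc=0
    [ "$n" -ge 2 ] || { echo "$1: expected server cert followed by intermediate" >&2; rc=1; }
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        if [ "$(dn "$d/$i.pem" issuer)" != "$(dn "$d/$((i + 1)).pem" subject)" ]; then
            echo "$1: cert $i is not issued by cert $((i + 1)); chain is out of order" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$d"; return "$rc"
}
```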