Hi

On 09/10/2023 19:59, Peter N. M. Hansteen wrote:
> You are aware that OpenBSD 7.4 has not been released yet, right?
Of course.

> On Mon, Oct 09, 2023 at 06:42:02PM +0200, Noth wrote:
>>    This wasn't covered in http://www.openbsd.org/plus74.html . I have a setup
>> where various OpenBSD instances log via TLS to a central logger, using self
>> signed certificates I generated locally (10 year validity). Both the server
>> and the clients verify each other using the -c & -s options for syslogd on
>> the clients and -K for the server.
>>
>>    I upgraded to 7.4 via CVS on my VMs but not my routers (yet). The 7.3
>> routers are still able to connect via TLS but the 7.4 VMs can't as they
>> don't like the self signed certs. It'd be nice if this was in the
>> upgrade74.html with some explanation of why this changed.
> Actually, if you built from source from a recent -current (HEAD) checkout,
> what you got was just that: something that is close to what will be 7.4-release,
> (a matter of weeks if not days), but not actually 7.4-release or -stable.
I downloaded 7.4 from CVS last Wednesday and built it. I don't use -current. I am aware it's not officially released yet but it's close to being.
>>    Is my path to getting all this working again the way it was to use Let's
>> Encrypt certificates?
> It's hard to tell the exact cause of your problem since you do not provide
> crucial data such as any error messages that would appear in a log somewhere.
>
> We also do not know much about your configuration or what requirements the setup
> is supposed to fill. But sure, in quite a number of situations auto-renewing
> Let's Encrypt certificates would be a serviceable solution.
>
> - Peter

client side /etc/rc.conf.local snippet:

syslogd_flags="-c /etc/ssl/buildhost.domain.local.crt -k /etc/ssl/private/buildhost.domain.local.key"

client side /etc/syslog.conf snippet:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @tls://loghost.domain.local
auth,daemon,syslog,user.info;authpriv,kern.debug @tls://loghost.domain.local

Error message for client is: Oct  9 21:30:50 buildhost syslogd[42102]: loghost "@tls://loghost.domain.local" connection error: certificate verification failed: self signed certificate in certificate chain

server side rc.conf.local snippet:

syslogd_flags="-u -T 192.168.50.30:514 -S loghost.domain.local -S 192.168.0.30 -K /etc/ssl/ca.crt"


Error server side is: Oct  9 21:31:20 loghost syslogd[39364]: tls logger "192.168.0.14:43535" connection error: handshake failed: error:14039418:SSL routines:ACCEPT_SR_CERT_VRFY:tlsv1 alert unknown ca

I hope this illustrates it a bit better.

Cheers,

Noth
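The two log lines above describe one failure seen from both ends: "self signed certificate in certificate chain" is the client's verifier reporting that the chain the logger presented ends at a self-signed root it does not have in its trust file, and "tlsv1 alert unknown ca" on the server is the alert the client sends back in that situation. Note that the client-side syslogd_flags above carry -c and -k (the client's own cert and key) but no CA file for checking the logger's certificate; on OpenBSD syslogd(8) that is the -C CAfile option, which defaults to /etc/ssl/cert.pem, so a locally generated CA has to be pointed at explicitly. The script below is an added example, not code from the thread or from OpenBSD: it builds a throwaway CA and logger certificate with openssl(1), entirely offline, and verifies the same chain once with the CA in the trust file and once without, reproducing both outcomes. All names, CNs and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Reproduces the
# "self signed certificate in certificate chain" verification error offline
# with a throwaway CA. File names and CNs are invented for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway local CA, standing in for the poster's /etc/ssl/ca.crt.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=demo log CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# A second, unrelated CA: this is what the verifying side's trust file looks
# like when the local CA has not been added to it.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=some other CA" -keyout other.key -out other.crt >/dev/null 2>&1

# Logger certificate issued by the local CA (stands in for loghost's cert).
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=loghost.demo.local" -keyout loghost.key -out loghost.csr \
    >/dev/null 2>&1
openssl x509 -req -in loghost.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out loghost.crt >/dev/null 2>&1

# verify_chain TRUSTFILE: verify loghost.crt the way a TLS peer does, given
# the presented chain (leaf plus issuing CA, passed as -untrusted) and the
# verifier's trust file. Prints openssl's result, returns its exit status.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted ca.crt loghost.crt 2>&1
}

# Case 1: the verifier's trust file contains the local CA -> "loghost.crt: OK".
trusted_result() {
    verify_chain ca.crt
}

# Case 2: the trust file lacks the local CA. The chain builds up to ca.crt,
# which is self-signed but not trusted, so verification stops with
# "self signed certificate in certificate chain" (OpenSSL error 19; newer
# OpenSSL spells it "self-signed"). This is the client-side error in the post.
untrusted_result() {
    verify_chain other.crt || true
}

echo "--- CA in trust file:"
trusted_result
echo "--- CA not in trust file:"
untrusted_result
```

The same check can be run against a live logger with `openssl s_client -connect loghost:6514 -CAfile /etc/ssl/ca.crt` and reading the "Verify return code" line; the point is that the verifying side, not the presenting side, has to know the local CA.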
