Hi Stuart,
On 09/10/2023 23:01, Stuart Henderson wrote:
> any chance you previously had added certs to /etc/ssl/cert.pem but lost
> that when upgrading?

I always re-add the ca.crt used to sign the client certs to
/etc/ssl/cert.pem and distribute the file at upgrade via siteXX.tgz.

> It's hard to tell the exact cause of your problem since you do not provide
> crucial data such as any error messages that would appear in a log somewhere.

> if there's nothing useful from syslogd, try connecting with nc -vvc
> on the relevant machines too. (there was no relevant change to syslogd
> since 7.3. there were changes to the various TLS libs but they should
> affect nc as well and errors maybe easier to see there).

There is stuff from syslog (my other post took ages to reach the mailing
list):

on the server:

Oct 9 23:09:30 loghost syslogd[96442]: tls logger "192.168.0.14:35359" connection error: handshake failed: error:14039418:SSL routines:ACCEPT_SR_CERT_VRFY:tlsv1 alert unknown ca

on the client:

Oct 9 23:09:02 builder syslogd[71166]: loghost "@tls4://loghost.domain.local" connection error: certificate verification failed: self signed certificate in certificate chain

# nc -vvc loghost.domain.local 6514
Connection to loghost.domain.local (192.168.0.30) 6514 port [tcp/syslog-tls] succeeded!
nc: tls handshake failed (certificate verification failed: self signed certificate in certificate chain)

> We also do not know much about your configuration or what requirements the setup
> is supposed to fill. But sure, in quite a number of situations auto-renewing
> Let's Encrypt certificates would be a serviceable solution.

> using self-signed certs and requiring a specific cert (via syslogd's
> -C option) is certainly a valid configuration too.

I'm going to give -C a go, it might be easier than adding the cert to
/etc/ssl/cert.pem.

Thanks for the suggestions and confirming syslogd hadn't changed, maybe
it's the TLS stuff. I need to check the hashes for /etc/ssl/ca.crt as well.
Cheers,
Noth
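As an added illustration of the failure discussed in this thread (not code from the thread or from OpenBSD), the script below builds a throwaway CA and log-host certificate, reproduces the client's "self signed certificate in certificate chain" verification error when the CA is missing from the trust bundle, and shows the chain verifying once ca.crt is appended to a stand-in for /etc/ssl/cert.pem. The CA names and loghost.example are placeholders; it only needs the openssl command.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the client-side "self signed
# certificate in certificate chain" failure with a throwaway CA, then shows that
# re-adding ca.crt to the CA bundle (the /etc/ssl/cert.pem step in the thread)
# makes the chain verify. All material is generated into a temp directory;
# names like loghost.example are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate $2 with key $1, subject CN $3.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# Server certificate for the log host, signed by the throwaway ca.crt.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=loghost.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/server.crt" 2>/dev/null
}

# Verify server.crt as a TLS client would: the CA arrives in the presented
# chain (-untrusted) but trust comes only from bundle $1. Prints ok or fail;
# fail here is OpenSSL's "self signed certificate in certificate chain".
verify_against_bundle() {
  if openssl verify -CAfile "$1" -untrusted "$WORK/ca.crt" "$WORK/server.crt" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Fingerprint to compare with the ca.crt distributed via siteXX.tgz.
ca_fingerprint() {
  openssl x509 -in "$WORK/ca.crt" -noout -fingerprint -sha256
}

make_selfsigned "$WORK/ca.key" "$WORK/ca.crt" "Example Log CA"      # site CA
make_selfsigned "$WORK/other.key" "$WORK/other.crt" "Unrelated CA"  # some public CA
make_server_cert
# cert.pem as left by an upgrade: only the unrelated CA, the private CA is gone.
cp "$WORK/other.crt" "$WORK/cert.pem"
echo "bundle without ca.crt: $(verify_against_bundle "$WORK/cert.pem")"
# The fix from the thread: append ca.crt to the bundle.
cat "$WORK/ca.crt" >>"$WORK/cert.pem"
echo "bundle with ca.crt:    $(verify_against_bundle "$WORK/cert.pem")"
ca_fingerprint
```

The same comparison against the real /etc/ssl/cert.pem, with the server's certificate fetched via openssl s_client, tells you whether the bundle or the certificate itself is at fault.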