DefaultNetstreamDriverCAFile should contain just a single CA as far as I
remember.
With a sufficiently new version of rsyslog you should be able to set
the streamDriver.CAFile parameter (I assume you're talking about the imtcp
module; for imrelp there is an equivalent parameter).
On 23.05.2023 16:39, rsyslog--- via rsyslog wrote:
Hi there,
we've issued a TLS certificate from our internal standalone PKI and
configured it and the corresponding certificate chain to use
syslog-TLS with rsyslog.
Everything works fine so far. We are receiving TLS-encrypted syslog from
devices which are capable of sending via encrypted syslog.
Now we have a new requirement.
We have a certain client device we want to connect to our rsyslog but
this device has a certificate from a public PKI. We cannot change the
certificate on the client side because the certificate there is needed
for other purposes.
We have to adapt on the receiver side.
I've tried to put all certificates in the same CA file for
"DefaultNetstreamDriverCAFile", but rsyslog seems to pick just one of
them to present to the client.
I keep getting the error "not permitted to talk to peer, certificate
invalid: signer not found" in the rsyslog log.
Is it even possible to have multiple certificate chains or is just one
chain supported?
Kind regards
R. Moeller
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
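The per-input approach suggested in the reply, written out as a configuration sketch. This is an added example, not a snippet from the thread or from the rsyslog project: it keeps the internal PKI as the instance-wide default and gives the public-PKI device its own imtcp input (and an imrelp equivalent) whose CA file contains only the public chain. It assumes an rsyslog release new enough for imtcp to accept streamDriver.CAFile, streamDriver.CertFile and streamDriver.KeyFile at input() level (check `rsyslogd -v` and the imtcp documentation for your version); file paths, ports and peer names are placeholders.

```conf
# Added example (not part of the original thread). Assumes a recent rsyslog
# where imtcp takes streamDriver.* parameters per input(). Paths, ports and
# peer names below are placeholders chosen for illustration.

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/internal-ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# TLS only (mode 1), peers authenticated by certificate subject/SAN name.
module(load="imtcp"
       streamDriver.name="gtls"
       streamDriver.mode="1"
       streamDriver.authMode="x509/name")

# Input 1: devices with certificates from the internal PKI.
# No streamDriver.CAFile here, so the global default CA file is used.
input(type="imtcp" port="6514"
      permittedPeer=["*.syslog.internal.example"])

# Input 2: the device whose certificate comes from a public PKI.
# Only the public CA chain is trusted on this port; the internal CA is not
# consulted here, and the public CA is not consulted on port 6514.
# Because anyone holding a certificate from that public CA can complete the
# handshake, pin the exact peer name instead of using a wildcard.
input(type="imtcp" port="6515"
      streamDriver.CAFile="/etc/rsyslog.d/tls/public-ca-chain.pem"
      streamDriver.CertFile="/etc/rsyslog.d/tls/server-cert.pem"
      streamDriver.KeyFile="/etc/rsyslog.d/tls/server-key.pem"
      permittedPeer=["device01.example.com"])

# imrelp equivalent: the CA file is a per-input parameter there as well.
module(load="imrelp")
input(type="imrelp" port="2514"
      tls="on"
      tls.caCert="/etc/rsyslog.d/tls/public-ca-chain.pem"
      tls.myCert="/etc/rsyslog.d/tls/server-cert.pem"
      tls.myPrivKey="/etc/rsyslog.d/tls/server-key.pem"
      tls.authMode="name"
      tls.permittedPeer=["device01.example.com"])
```

Splitting trust by input keeps the two PKIs from vouching for each other's peers: a certificate issued by the public CA is rejected on the internal port, and vice versa. Whichever way the CA files are arranged, the "signer not found" error from the thread means the chain file handed to that listener does not contain the issuer of the presented client certificate, so the first check is `openssl verify -CAfile <the CA file configured for that input> <client-cert.pem>` against the file the input actually reads.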