OK thanks! Is this work perhaps related to this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2124934
It seems the Red Hat team has ported back the NetstreamDriverCaExtraFiles directive.
Or would NetstreamDriverCaExtraFiles not be the solution for my issue?

Kind regards,
Roman Möller (He/His)

-----Original Message-----
From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Rainer Gerhards via rsyslog
Sent: Monday, 31 July 2023 18:21
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Rainer Gerhards <rgerha...@hq.adiscon.com>
Subject: Re: [rsyslog] Support for multiple certificate chains (TLS)

I think this version is too old. There was related work not long ago.

Rainer
Sent from phone, thus brief.

Roman Möller via rsyslog <rsyslog@lists.adiscon.com> wrote on Mon, 31 July 2023, 18:18:

> Hello subscribers,
> we are using rsyslog with TLS to collect logs transport encrypted from
> different logsources.
> The used certificates are generated by our company CA for the rsyslog
> server but also for the logsources.
>
> I have used these settings until now (filename gives hint about content):
> $DefaultNetstreamDriver gtls
> $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/rootCA_and_intermediateCA-1.pem
> $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer_and_intermediateCA-1.crt
> $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key
>
> And the reception of logs worked pretty well so far.
>
> Now we have a new intermediate CA and the certificate chains look like
> this:
>
>                       +------------+
>                       |  Root-CA   |
>                       +------------+
>                             |
>            +----------------+-----------------+
>            |                                  |
>            v                                  v
> +---------------------------+  +---------------------------+
> |     Intermediate CA-1     |  |     Intermediate CA-2     |
> +---------------------------+  +---------------------------+
>            |                                  |
>            v                                  v
> +---------------------------+  +---------------------------+
> | Generated the certificate |  | Generated certificates    |
> | for the rsyslog Server    |  | for yet other logsources  |
> | but also for other        |  +---------------------------+
> | logsources                |
> +---------------------------+
>
> Our rsyslog Server is not able to accept syslog-TLS encrypted traffic
> from logsources which have a certificate from Intermediate CA-2.
> A test with openssl s_client -connect localhost:6514 shows that the
> system only accepts certificates which originate from Intermediate
> CA-1.
>
> We are using rsyslogd 8.2102.0-10.el8 (aka 2021.02) at the moment.
>
> Is it somehow possible to configure the acceptance of certificates
> from both Intermediate CAs or is this simply not possible with one
> instance of rsyslog?
>
> Kind regards and thanks in advance,
> Roman Möller (He/His)
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
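
The chain layout from the question, reproduced with a throwaway PKI and `openssl verify` as an added example (not written by anyone in this thread): it shows generic X.509 path building for a trust bundle that holds the root plus only one of two intermediates, and it does not exercise rsyslog's TLS drivers. All file names and subject names are constructed, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Constructed throwaway PKI mirroring the diagram in the question:
# root -> ca1 / ca2 -> one leaf each. All names here are made up.

mkkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1.key" 2>/dev/null; }

# issue <subject> <issuer> [extfile]: create a key and CSR, sign with the issuer
issue() {
    mkkey "$1" &&
    openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 2 ${3:+-extfile "$3"} -out "$1.crt" 2>/dev/null
}

# check <bundle> <leaf> [extra verify args]: print ok or fail
check() {
    bundle=$1; leaf=$2; shift 2
    if openssl verify -CAfile "$bundle" "$@" "$leaf" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

chain_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 2
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # Self-signed root, then two intermediates and one leaf under each
    mkkey root
    openssl req -new -key root.key -subj "/CN=root" -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt 2>/dev/null
    issue ca1 root ca.ext && issue ca2 root ca.ext
    issue leaf1 ca1 && issue leaf2 ca2
    cat root.crt ca1.crt > old.pem            # root + CA-1 only, as in the question
    cat root.crt ca1.crt ca2.crt > new.pem    # CA-2 added to the trust bundle
    out="leaf1/old=$(check old.pem leaf1.crt)"
    out="$out leaf2/old=$(check old.pem leaf2.crt)"
    # Peer supplies its own intermediate (simulated with -untrusted)
    out="$out leaf2/old+chain=$(check old.pem leaf2.crt -untrusted ca2.crt)"
    out="$out leaf2/new=$(check new.pem leaf2.crt)"
    cd / && rm -rf "$dir"
    echo "$out"
)

chain_demo
```

The `leaf2/old` case fails only because nothing supplies CA-2 to the verifier; it passes once CA-2 is either in the trust bundle or presented alongside the leaf.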