This could be it. I don't know about what is present in RH rsyslog packages, but if you use ours, you can check that it works.
@andre: can you comment on this?

Rainer

On Mon, 31 Jul 2023 at 18:30, Roman Möller (<roman.moel...@eviden.com>) wrote:
>
> OK thanks!
> Is this work perhaps related to this bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=2124934
> It seems the Red Hat team has ported back the NetstreamDriverCaExtraFiles
> directive.
>
> Or would NetstreamDriverCaExtraFiles not be the solution for my issue?
>
> Kind regards,
> Roman Möller (He/His)
>
> -----Original Message-----
> From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Rainer
> Gerhards via rsyslog
> Sent: Monday, 31 July 2023 18:21
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Rainer Gerhards <rgerha...@hq.adiscon.com>
> Subject: Re: [rsyslog] Support for multiple certificate chains (TLS)
>
> Caution: External email. Do not open attachments or click links, unless this
> email comes from a known sender and you know the content is safe.
>
> I think this version is too old. There was related work not long ago.
>
> Rainer
>
> Sent from phone, thus brief.
>
> Roman Möller via rsyslog <rsyslog@lists.adiscon.com> wrote on Mon, 31
> July 2023, 18:18:
>
> > Hello subscribers,
> > we are using rsyslog with TLS to collect logs transport encrypted from
> > different logsources.
> > The used certificates are generated by our company CA for the rsyslog
> > server but also for the logsources.
> >
> > I have used these settings until now (filename gives hint about content):
> > $DefaultNetstreamDriver gtls
> > $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/rootCA_and_intermediateCA-1.pem
> > $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer_and_intermediateCA-1.crt
> > $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key
> >
> > And the reception of logs worked pretty well so far.
> >
> > Now we have a new intermediate CA and the certificate chains look like
> > this:
> >
> >                        +------------+
> >                        |  Root-CA   |
> >                        +------------+
> >                              |
> >              +---------------+----------------+
> >              |                                |
> >              v                                v
> >   +-------------------+            +-------------------+
> >   | Intermediate CA-1 |            | Intermediate CA-2 |
> >   +-------------------+            +-------------------+
> >              |                                |
> >              v                                v
> >   +---------------------------+    +--------------------------+
> >   | Generated the certificate |    | Generated certificates   |
> >   | for the rsyslog Server    |    | for yet other logsources |
> >   | but also for other        |    +--------------------------+
> >   | logsources                |
> >   +---------------------------+
> >
> > Our rsyslog Server is not able to accept syslog-TLS encrypted traffic
> > from logsources which have a certificate from Intermediate CA-2.
> > A test with openssl s_client -connect localhost:6514 shows that the
> > system only accepts certificates which originate from Intermediate
> > CA-1
> >
> > We are using rsyslogd 8.2102.0-10.el8 (aka 2021.02) at the moment.
> >
> > Is it somehow possible to configure the acceptance of certificates
> > from both Intermediate CAs or is this simply not possible with one
> > instance of rsyslog?
> >
> > Kind regards and thanks in advance,
> > Roman Möller (He/His)
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
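Added example, not part of the thread and not rsyslog code: a throwaway PKI shaped like the diagram above, checked with openssl verify to show which trust bundles validate a leaf issued by Intermediate CA-2. It models X.509 path building only, not the gtls driver itself; all file names and subjects are constructed, and it assumes a log source presents only its leaf certificate unless a chain file is passed as the third argument.

```shell
#!/bin/sh
# Constructed lab PKI mirroring the diagram: Root-CA -> Intermediate CA-1 / CA-2 -> leaves.
# Every name and file here is made up for the example; nothing touches /etc/pki/rsyslog.
WORK=$(mktemp -d)
cat > "$WORK/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF

issue() {  # $1 = new cert name, $2 = issuer name, $3 = "ca" if the new cert is a CA
  ext=""
  if [ "$3" = ca ]; then ext="-extfile $WORK/o.cnf -extensions ca"; fi
  openssl req -new -config "$WORK/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 $ext -out "$WORK/$1.pem" 2>/dev/null
}

accepts() {  # $1 = trusted CA bundle, $2 = peer leaf, $3 = optional chain sent by the peer
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

openssl req -x509 -new -config "$WORK/o.cnf" -extensions ca -newkey rsa:2048 -nodes \
  -subj "/CN=Root-CA" -days 2 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
issue ca1 root ca; issue ca2 root ca     # the two intermediate CAs
issue src1 ca1;    issue src2 ca2        # one log source under each intermediate

# Trust bundle as in the original config (root + CA-1), and one extended with CA-2.
cat "$WORK/root.pem" "$WORK/ca1.pem" > "$WORK/bundle_old.pem"
cat "$WORK/bundle_old.pem" "$WORK/ca2.pem" > "$WORK/bundle_new.pem"

echo "root+CA-1 bundle, CA-1 source:        $(accepts "$WORK/bundle_old.pem" "$WORK/src1.pem")"
echo "root+CA-1 bundle, CA-2 source:        $(accepts "$WORK/bundle_old.pem" "$WORK/src2.pem")"
echo "root+CA-1+CA-2 bundle, CA-2 source:   $(accepts "$WORK/bundle_new.pem" "$WORK/src2.pem")"
echo "root only, source sends leaf + CA-2:  $(accepts "$WORK/root.pem" "$WORK/src2.pem" "$WORK/ca2.pem")"
```

The last case shows the alternative to changing the server's trust bundle: the peer ships its issuing intermediate along with its leaf, as the server's own rsyslogServer_and_intermediateCA-1.crt file name suggests it does.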