Wait a second.

Firstly, and most importantly, the whole idea of multiple CA levels is that if a subject A presents a cert issued by CA B, which in turn was issued a signing cert by RootCA C, it should be enough for the other end to just trust RootCA C.

So in the OP's situation it should be enough to have the RootCA as a trusted cert and the sending parties should present proper certificate chains including the subject cert and the intermediate CA cert.

That's how it works (currently; it didn't for quite some time, which had been a source of huge grief for me) with imrelp/omrelp. I'm not sure about imtcp with TLS, simply because I don't use it.

MK

On 2.08.2023 08:39, Andre Lorbach via rsyslog wrote:
Dear Roman,

Technically, the GnuTLS and OpenSSL APIs do support loading multiple CA
certificates in one file. I have not tested this, but you can combine all 3
root CA certificates into one file; it should work.

For example:
        cat intermediateCA_1.crt intermediateCA_2.crt rootCA.crt > rootCA_and_all_intermediateCA.pem

        $DefaultNetstreamDriver gtls
        $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/rootCA_and_all_intermediateCA.pem
        $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer.crt
        $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB 560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: [email protected]

Information regarding your data privacy policy can be found here:
https://www.adiscon.com/data-privacy-policy/

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient or have received this e-mail in error please
notify the sender immediately and delete this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is
strictly forbidden.

-----Original Message-----
From: rsyslog <[email protected]> On Behalf Of Roman Möller via rsyslog
Sent: Monday, 31 July 2023 18:18
To: [email protected]
Cc: Roman Möller <[email protected]>
Subject: [rsyslog] Support for multiple certificate chains (TLS)

Hello subscribers,
we are using rsyslog with TLS to collect logs, transport-encrypted, from different log sources.
The certificates used are generated by our company CA for the rsyslog server, but also for the log sources.

I have used these settings until now (the filename gives a hint about the content):
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/rootCA_and_intermediateCA-1.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer_and_intermediateCA-1.crt
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key

And the reception of logs worked pretty well so far.

Now we have a new intermediate CA and the certificate chains look like this:

                          +---------+
                          | Root-CA |
                          +---------+
                               |
                +--------------+--------------+
                |                             |
                v                             v
      +-------------------+         +-------------------+
      | Intermediate CA-1 |         | Intermediate CA-2 |
      +-------------------+         +-------------------+
                |                             |
                v                             v
      +-------------------------+   +---------------------------+
      | Generated the           |   | Generated certificates    |
      | certificate for the     |   | for yet other log sources |
      | rsyslog server but also |   +---------------------------+
      | for other log sources   |
      +-------------------------+

Our rsyslog server is not able to accept syslog-TLS encrypted traffic from
log sources which have a certificate from Intermediate CA-2.
A test with openssl s_client -connect localhost:6514 shows that the system
only accepts certificates which originate from Intermediate CA-1.

We are using rsyslogd 8.2102.0-10.el8 (aka 2021.02) at the moment.

Is it somehow possible to configure the acceptance of certificates from both
Intermediate CAs, or is this simply not possible with one instance of rsyslog?

Kind regards and thanks in advance,
Roman Möller (He/His)






_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
