Ok to be honest I have not worked with intermediate CA generated certificates yet, so I can only stick to the documentation I found. As far as I understand, the server needs to know the root and intermediate CA certificate, if he shall be able to verify the client certificate.
If the client shall present the intermediateCA to the server, It needs to have support for this. I remembered that there was a similar issue last year which was fixed by this PR: https://github.com/rsyslog/rsyslog/pull/4889 A new setting NetstreamDriverCAExtraFiles was added with this PR to address issues like this. However, you will require at least rsyslog v8.2210.0. Best regards, Andre Lorbach -- Adiscon GmbH Mozartstr. 21 97950 Großrinderfeld, Germany Ph. +49-9349-9298530 Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB 560610 Ust.-IDNr.: DE 81 22 04 622 Web: www.adiscon.com - Mail: i...@adiscon.com Informations regarding your data privacy policy can be found here: https://www.adiscon.com/data-privacy-policy/ This e-mail may contain confidential and/or privileged information. If you are not the intended recipient or have received this e-mail in error please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. > -----Original Message----- > From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Mariusz > Kruk via rsyslog > Sent: Mittwoch, 2. August 2023 08:45 > To: rsyslog@lists.adiscon.com > Cc: Mariusz Kruk <k...@epsilon.eu.org> > Subject: Re: [rsyslog] Support for multiple certificate chains (TLS) > > Wait a second. > > Firstly, and most importantly, the whole idea of multiple CA levels is > that if a > subject A presents a cert issued by CA B which in turn was issued a > signing cert > by RootCA C it should be enough for the other end to just trust the RootCA > C. > > So in the OP's situation it should be enough to have the RootCA as a > trusted > cert and the sending parties should present proper certificate chains > including > the subject cert and the intermediate CA cert. > > That's how it works (currently; it didn't for quite some time which had > been a > source of huge grief for me) with imrelp/omrelp. I'm not sure about imtcp > with TLS simply because I don't use it. > > MK > > On 2.08.2023 08:39, Andre Lorbach via rsyslog wrote: > > Dear Roman, > > > > technically the GnuTLS and OpenSSL API do support loading multiple CA > > Certificates in one file. I have not tested this, but you can combine > > all 3 root CA certificates into one file, it should work. > > > > For example: > > cat intermediateCA_1.crt intermediateCA_2.crt rootCA.crt > > > rootCA_and_all_intermediateCA.pem > > > > $DefaultNetstreamDriver gtls > > $DefaultNetstreamDriverCAFile > > /etc/pki/rsyslog/rootCA_and_all_intermediateCA.pem > > $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer.crt > > $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key > > > > Best regards, > > Andre Lorbach > > -- > > Adiscon GmbH > > Mozartstr. 21 > > 97950 Großrinderfeld, Germany > > Ph. +49-9349-9298530 > > Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB > > 560610 > > Ust.-IDNr.: DE 81 22 04 622 > > Web: www.adiscon.com - Mail: i...@adiscon.com > > > > Informations regarding your data privacy policy can be found here: > > https://www.adiscon.com/data-privacy-policy/ > > > > This e-mail may contain confidential and/or privileged information. If > > you are not the intended recipient or have received this e-mail in > > error please notify the sender immediately and delete this e-mail. Any > > unauthorized copying, disclosure or distribution of the material in > > this e-mail is strictly forbidden. > > > >> -----Original Message----- > >> From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Roman > >> Möller via rsyslog > >> Sent: Montag, 31. Juli 2023 18:18 > >> To: rsyslog@lists.adiscon.com > >> Cc: Roman Möller <roman.moel...@eviden.com> > >> Subject: [rsyslog] Support for multiple certificate chains (TLS) > >> > >> Hello subscribers, > >> we are using rsyslog with TLS to collect logs transport encrypted > >> from different logsources. > >> The used certificates are generated by our company CA for the rsyslog > >> server but also for the logsources. > >> > >> I have used these setting until now (filename gives hint about > >> content): > >> $DefaultNetstreamDriver gtls > >> $DefaultNetstreamDriverCAFile > >> /etc/pki/rsyslog/rootCA_and_intermediateCA-1.pem > >> $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer_and_ > >> intermediateCA-1.crt $DefaultNetstreamDriverKeyFile > >> /etc/pki/rsyslog/rsyslogServer.key > >> > >> And the reception of logs worked pretty well so far. > >> > >> Now we have a new intermediate CA and the certificate chains look > >> like > >> this: > >> +------------+ > >> | Root-CA | > >> +------------+ > >> | > >> +--------------------+--------------------------+ > >> | > >> | > >> v > >> v > >> +--------------------------+ > >> +--------------------------+ > >> | Intermediate CA-1 | | Intermediate CA-2 | > >> +--------------------------+ > >> +--------------------------+ > >> | > >> | > >> v > >> v > >> +-----------------------------------+ > >> +-----------------------------------+ +------------------------------ > >> +-----------------------------------+ +--- > >> +-----------------------------------+ + > >> | Generated the certificate | | Generated certificates | > >> | for the rsyslog Server | | for yet other logsources > >> | > >> | but also for other | > >> +---------------------------------+ > >> | logsources | > >> +-----------------------------------+ > >> > >> Our rsyslog Server is not able to accept syslog-TLS encrypted traffic > >> from logsources which have a certificate from Intermediate CA-2. > >> A test with openssl s_client -connect localhost:6514 shows that the > >> system only accepts certificates which originate from Intermediate > >> CA-1 > >> > >> We are using rsyslogd 8.2102.0-10.el8 (aka 2021.02) at the moment. > >> > >> Is it somehow possible to configure the acceptance of certificates > >> from both Intermediate CAs or is this simply not possible with one > >> instance of rsyslog? > >> > >> Kind regards and thanks in advance, > >> Roman Möller (He/His) > >> > >> > >> > >> > >> > >> > >> _______________________________________________ > >> rsyslog mailing list > >> https://lists.adiscon.net/mailman/listinfo/rsyslog > >> http://www.rsyslog.com/professional-services/ > >> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > >> This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > >> DON'T LIKE THAT. > > _______________________________________________ > > rsyslog mailing list > > https://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites > beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites > beyond > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
