Thanks David, it was a directory and file permission issue. So, in the directory containing my CA, client certificate and private key files:

chown root:syslog *.pem
chmod 640 *.pem

And then the containing directory:

chown root:syslog /etc/<path to directory>
chmod 750 /etc/<path to directory>

followed by

systemctl restart rsyslog

And it appears to be connecting correctly and transferring logs.

And for the output part of the rsyslog.conf file:

# start of the omrelp configuration
module(load="omrelp" tls.tlslib="openssl")

ruleset(name="to_remote_relp_tls") {
    action(
        type="omrelp"
        target="<IP or FQDN of rsyslog server>"
        port="<destination port>"
        # and queue to disk if needs be
        queue.filename="relp_tls_fwd"
        queue.type="LinkedList"
        queue.saveonshutdown="on"
        queue.maxdiskspace="1g"
        action.resumeretrycount="-1"
        action.reportsuspension="on"
        # and send over encrypted link always
        tls="on"
        # currently rsyslog cannot provide intermediates from server end
        # so we need the full chain wherever validation is required
        tls.cacert="/etc/pki/tls/syslog/ca.pem"
        tls.mycert="/etc/pki/tls/syslog/cert.pem"
        tls.myprivkey="/etc/pki/tls/syslog/key.pem"
        # tls.authmode="x509/name"
        tls.authmode="name"
        tls.permittedpeer=["<IP or FQDN of destination server>"]
    )
}

call to_remote_relp_tls
# end of omrelp configuration

Garry

On Mon, Feb 5, 2024 at 4:42 PM David Lang <da...@lang.hm> wrote:

> The error is very clear that rsyslog is not able to read the file, so
> either you have the wrong path, or there is a permission problem
> (classic/apparmor/selinux permissions)
>
> If you enable debug logging and capture that, you can go through it
> looking for the error message and see exactly what it's trying to access
> (to make sure it's trying to access what you think it is)
>
> David Lang
>
> On Mon, 5 Feb 2024, Garry Allen wrote:
>
>> Thanks David
>> I have tried running it with rsyslogd -n as root but it gives the same
>> error message. I made sure before running it that the rsyslog service
>> and the syslog socket were stopped but it gives the same error. I should
>> also say that I have switched to openssl when the omrelp module is
>> loaded. It appears to be very similar to this question asked on
>> stackoverflow at the start of January:
>>
>> ubuntu with syslog with TLS and RELP certificate error
>> <https://stackoverflow.com/questions/77771294/syslog-with-tls-and-relp-certificate-error-issues>
>>
>> Garry
>>
>> On Mon, Feb 5, 2024 at 3:49 PM David Lang <da...@lang.hm> wrote:
>>
>>> on many systems, the permissions of a program started at boot are no
>>> longer simple root (systemd is being configured to restrict the
>>> programs significantly)
>>>
>>> So I would suggest that you try starting rsyslog as root manually and
>>> see if that avoids this error message. If so, then it's a difference
>>> in the permissions when run as root vs when started at boot.
>>>
>>> David Lang
>>>
>>> On Mon, 5 Feb 2024, Garry Allen via rsyslog wrote:
>>>
>>>> I am trying to get Ubuntu 22.04 rsyslog clients to connect to a
>>>> Red Hat 8.8 rsyslog server using RELP over TLS. The Red Hat server
>>>> has been configured using the guidelines supplied by Red Hat. Both
>>>> client and server have certificates issued by a common certificate
>>>> authority. The Ubuntu client is running apparmor. However the local
>>>> apparmor config for rsyslog has been updated to include the client
>>>> certificate path with the root permission set to r in the apparmor
>>>> config.
>>>> I can do an openssl s_client -connect to the rsyslog server with the
>>>> CAfile, client certificate and key for the rsyslog client. When I
>>>> attempt to start the rsyslog service I am getting
>>>> "omrelp[server-FQDN:server port} error 'relpTcpInitTLS: Error CA
>>>> certificate could not be accessed. Is the file at the right path ?
>>>> And do we have the permissions?....."
>>>>
>>>> I have tried putting apparmor into complain mode and stopping the
>>>> apparmor service altogether. Neither had any effect.
>>>> Is it something to do with the hostname and subjectAltName? The
>>>> machine does have a FQDN rather than a short hostname but it looks
>>>> like the hostname used by rsyslog is the short Ubuntu hostname. I'm
>>>> looking for suggestions.
>>>> thanks
>>>> Garry
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>>>> POST if you DON'T LIKE THAT.
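The fix Garry settled on (files 640 root:syslog, directory 750 root:syslog) is easy to get subtly wrong, so here is an added check, written for this page and not part of the thread or of rsyslog's own tooling, that verifies a TLS material directory against exactly that layout: it confirms the directory mode and owner, confirms every *.pem file is 640 and owned by the expected user and group, and reports each deviation, which is also what you would want to catch a private key that is world-readable. It assumes GNU coreutils `stat -c` and `getent` (both present on the Ubuntu and Red Hat systems in the thread); owner and group are parameters so the same function can be run against a test tree owned by an unprivileged user, and the `/etc/pki/tls/syslog` path in the usage line is the one from Garry's config.

```shell
#!/bin/sh
# Added example (not from the thread): check that an rsyslog TLS material
# directory matches the layout described above, so that rsyslogd running as
# the syslog user can read the CA, certificate and key, while other users
# cannot read the private key.
# Assumes GNU `stat -c` and `getent` (hypothetical helper names below).

# uid_of NAME_OR_UID -> numeric uid (numeric input is passed through)
uid_of() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" ;;
        *) echo "$1" ;;
    esac
}

# gid_of NAME_OR_GID -> numeric gid (numeric input is passed through)
gid_of() {
    case $1 in
        ''|*[!0-9]*) getent group "$1" | cut -d: -f3 ;;
        *) echo "$1" ;;
    esac
}

# check_pem_access DIR OWNER GROUP
# Prints one line per problem; returns 0 only if everything matches
# (directory 750 OWNER:GROUP, every *.pem inside 640 OWNER:GROUP).
check_pem_access() {
    dir=$1
    want_uid=$(uid_of "$2")
    want_gid=$(gid_of "$3")
    rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: directory $dir does not exist"
        return 1
    fi

    # Directory: group needs x to traverse it, "other" gets nothing.
    set -- $(stat -c '%a %u %g' "$dir")
    [ "$1" = "750" ] || { echo "BAD MODE: $dir is $1, expected 750"; rc=1; }
    [ "$2" = "$want_uid" ] && [ "$3" = "$want_gid" ] \
        || { echo "BAD OWNER: $dir is uid $2 gid $3, expected $want_uid:$want_gid"; rc=1; }

    # Files: owner rw, group r (so the syslog user can read), "other" nothing.
    found=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        found=1
        set -- $(stat -c '%a %u %g' "$f")
        [ "$1" = "640" ] || { echo "BAD MODE: $f is $1, expected 640"; rc=1; }
        [ "$2" = "$want_uid" ] && [ "$3" = "$want_gid" ] \
            || { echo "BAD OWNER: $f is uid $2 gid $3, expected $want_uid:$want_gid"; rc=1; }
    done
    [ "$found" = 1 ] || { echo "MISSING: no *.pem files in $dir"; rc=1; }

    return $rc
}

# Usage on a client configured like the one in the thread:
#   check_pem_access /etc/pki/tls/syslog root syslog
if [ "$#" -ge 1 ]; then
    check_pem_access "$@"
fi
```

Run it after `chown`/`chmod` and before `systemctl restart rsyslog`; a clean run means the ownership and modes are as intended, and any remaining "could not be accessed" error then points at the other two things David mentions, a wrong path or an apparmor/selinux policy, rather than classic permissions.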