Monday, October 09, 2023

Re: syslogd in 7.4 no longer likes self signed certificates for TLS remote logging

Hi Stuart,

On 09/10/2023 23:01, Stuart Henderson wrote:
> any chance you previously had added certs to /etc/ssl/cert.pem but lost
> that when upgrading?
>
I always re-add the ca.crt used to sign the client certs to
/etc/ssl/cert.pem and distribute the file at upgrade via siteXX.tgz
>> It's hard to tell the exact cause of your problem since you do not provide crucial
>> data such as any error messages that would appear in a log somewhere.
> if there's nothing useful from syslogd, try connecting with nc -vvc
> on the relevant machines too. (there was no relevant change to syslogd
> since 7.3. there were changes to the various TLS libs but they should
> affect nc as well and errors maybe easier to see there).

There is stuff from syslog (my other post took ages to reach the mailing
list):

on the server:

Oct  9 23:09:30 loghost syslogd[96442]: tls logger "192.168.0.14:35359"
connection error: handshake failed: error:14039418:SSL
routines:ACCEPT_SR_CERT_VRFY:tlsv1 alert unknown ca

on the client:

Oct  9 23:09:02 builder syslogd[71166]: loghost
"@tls4://loghost.domain.local" connection error: certificate
verification failed: self signed certificate in certificate chain

# nc -vvc loghost.domain.local 6514
Connection to loghost.domain.local (192.168.0.30) 6514 port
[tcp/syslog-tls] succeeded!
nc: tls handshake failed (certificate verification failed: self signed
certificate in certificate chain)

>> We also do not know much about your configuration or what requirements the setup
>> is supposed to fill. But sure, in quite a number of situations auto-renewing
>> Let's Encrypt certificates would be a serviceable solution.
> using self-signed certs and requiring a specific cert (via syslogd's
> -C option) is certainly a valid configuration too.
>
I'm going to give -C a go, it might be easier than adding the cert to
/etc/ssl/cert.pem

Thanks for the suggestions and confirming syslogd hadn't changed, maybe
it's the TLS stuff. I need to check the hashes for /etc/ssl/ca.crt as well.

Cheers,

Noth
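Checking whether the site CA actually made it into the trust bundle, as an added example that is not part of this thread or of OpenBSD's code: a small stdlib-only Python script that computes the SHA-256 fingerprint of every certificate block in a PEM bundle such as /etc/ssl/cert.pem and reports whether the certificate in a given ca.crt is among them. This is the "check the hashes" step from the post done mechanically, so a bundle that was overwritten during an upgrade shows up as a missing fingerprint before syslogd reports "unknown ca". The PEM blocks built by `_fake_pem` are constructed placeholder bytes in PEM framing, not real X.509 certificates; the function names are assumptions of this example.

```python
import base64
import hashlib
import re

# One PEM certificate block; the body is the base64 DER between the markers.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der_blocks(pem_text):
    """Return the raw DER bytes of every certificate block in a PEM bundle."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())  # drop the 64/76-column line wrapping
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def sha256_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl x509 prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text):
    """Fingerprints of all certificates in the bundle, in file order."""
    return [sha256_fingerprint(d) for d in pem_to_der_blocks(bundle_text)]


def bundle_contains(bundle_text, ca_pem):
    """True if every certificate in ca_pem is present (same DER) in bundle_text."""
    wanted = {sha256_fingerprint(d) for d in pem_to_der_blocks(ca_pem)}
    if not wanted:
        raise ValueError("no certificate block found in the CA file")
    present = set(bundle_fingerprints(bundle_text))
    return wanted <= present


def _fake_pem(seed):
    # CONSTRUCTED sample: deterministic bytes in PEM framing, not a real cert.
    der = hashlib.sha256(seed.encode()).digest() * 3
    body = base64.encodebytes(der).decode()  # wrapped lines, trailing newline
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for /etc/ssl/ca.crt and /etc/ssl/cert.pem.
CA_CRT = _fake_pem("site-ca")
PUBLIC_ROOT = _fake_pem("public-root")
BUNDLE_BEFORE = PUBLIC_ROOT            # as shipped: site CA missing
BUNDLE_AFTER = PUBLIC_ROOT + CA_CRT    # after re-adding ca.crt


if __name__ == "__main__":
    for name, bundle in (("before", BUNDLE_BEFORE), ("after", BUNDLE_AFTER)):
        print(name, "contains site CA:", bundle_contains(bundle, CA_CRT))
        for fp in bundle_fingerprints(bundle):
            print("  ", fp)
```

On a real host the two constants would be read from the files with `open(...).read()`; comparing by fingerprint rather than by text avoids false negatives from differing line wrapping or trailing whitespace between the copy in siteXX.tgz and the one in the bundle.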
