Just about every guide I have seen for using TLS with rsyslog involves generating a self signed cert and using that. If the boxes are already set up with a legit signed cert how do you set up the client and server to simply use that?
2 Answers
There's no big difference to setting this up if your cert is "legit". A widely trusted certificate is characterized by having its trust anchor (aka the root or CA certificate) seeded in the OS's or browser's trust store.
Assume you have server.example.com.key and server.example.com.csr. Your CA sends you back your certificate, server.example.com.crt, and everything that leads up to your cert in the chain of trust, e.g. ca.crt, intermediate1.crt, intermediate2.crt, or all certs concatenated in one as chain.crt. The same goes for client.crt and client.key. client.crt has the same trust chain as the server's certificate.
The big difference to a self signed cert in setting this up is that you might have to include intermediate certificates in the CA file. If the intermediates are present in your system's truststore, all you have to do is to point rsyslog there (/etc/ssl/certs/ca-certificates.crt on Ubuntu, YMMV).
The docs (here, here and here) sum up nicely how to set up TLS:
The server config is done like this:
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /path/to/chain.crt
$DefaultNetstreamDriverCertFile /path/to/server.example.com.crt
$DefaultNetstreamDriverKeyFile /path/to/server.example.com.key
$ModLoad imtcp # load TCP listener
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514
The client's config should look like this:
# certificate files
$DefaultNetstreamDriverCAFile /path/to/chain.crt
$DefaultNetstreamDriverCertFile /path/to/client.crt
$DefaultNetstreamDriverKeyFile /path/to/client.key
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer server.example.com
*.* @@(o)server.example.com:10514 # send (all) messages
The earlier anon config for not verifying clients was actually useful for me. – Greg Domjan Aug 05 '15 at 20:17
If you have your own legit certificates:
mycompany.ca
mycompany.crt
mycompany.key
On the server:
Uncomment:
$ModLoad imtcp
Add:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/mycompany.ca
$DefaultNetstreamDriverCertFile /etc/ssl/certs/mycompany.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/certs/mycompany.key
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 10514
On the client:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/mycompany.ca
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.mycompany.com
$ActionSendStreamDriverMode 1
*.* @@rsyslog_server.mycompany.com:10514 # or the server's IP address
Restart syslog
To test the results on the server run:
sudo tcpdump -i eth0 tcp port 10514 -X -s 0 -nn
Verify SELinux, the cert paths, the certs' expiration dates and permissions.
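The last point of the answer above (cert paths, expiry, permissions) can be checked before restarting rsyslog. This is an added bash pre-flight script, not part of either answer; it assumes openssl is in PATH and takes the same three files the gtls driver is pointed at: the CA/chain file, the leaf certificate and its private key. It also verifies that the cert chains up to that CA file alone (as gtls does, without consulting the system store) and that the cert and key belong together.

```shell
#!/usr/bin/env bash
# Pre-flight check for the files named in $DefaultNetstreamDriverCAFile,
# $DefaultNetstreamDriverCertFile and $DefaultNetstreamDriverKeyFile.
# Returns 0 if all checks pass, otherwise prints the failing check and returns 1.
check_rsyslog_tls_files() {
    local ca="$1" cert="$2" key="$3" f mode pub_cert pub_key
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    # The private key must not be group/world readable: anyone who can read it
    # can impersonate this host (or client) towards the other side.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "key $key has mode $mode, expected 600 or 400"; return 1 ;;
    esac
    # The cert must chain up to the CA file alone; gtls does not fall back to
    # the system store, so -no-CApath/-no-CAfile mimic that (OpenSSL >= 1.1.0).
    openssl verify -no-CApath -no-CAfile -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain verification failed: $cert against $ca"; return 1; }
    # Cert and key must belong together: compare the public keys they carry.
    pub_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ] \
        || { echo "certificate and key do not match"; return 1; }
    # Fail if the cert has expired or expires within the next 24 hours.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expires within 24h: $cert"; return 1; }
    # Show the names that x509/name mode will match against PermittedPeer.
    echo "ok: $(openssl x509 -in "$cert" -noout -subject -ext subjectAltName 2>/dev/null | tr '\n' ' ')"
    return 0
}

# Usage: ./check_tls.sh /path/to/chain.crt /path/to/server.example.com.crt /path/to/server.example.com.key
if [ "$#" -eq 3 ]; then
    check_rsyslog_tls_files "$@"
fi
```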