rsyslog: peer name not authorized - not permitted to talk to it

Trying to configure an rsyslog central server with TLS turned on. It's been a struggle so far, but I'm almost there. Currently getting this error:

rsyslogd: error: peer name not authorized -  not permitted to talk to
it. Names:  [v8.27.0 try http://www.rsyslog.com/e/2088 ]  
rsyslogd: netstream session 0x7fda34010110 from 10.0.4.91 will be closed due to
error  [v8.27.0 try http://www.rsyslog.com/e/2089 ]

But I specifically put that IP into InputTCPServerStreamDriverPermittedPeer. What could be wrong? I can't get past this error. Validated my configuration is OK with

# rsyslogd -N1
rsyslogd: version 8.27.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

My Config with a few things stripped:

$ModLoad imuxsock # local messages

$ModLoad imtcp # TCP listener  

$ModLoad imjournal # provides access to the systemd journal

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem 

$DefaultNetstreamDriverCertFile /etc/rsyslog.d/machine-cert.pem 

$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/machine-key.pem 

$InputTCPServerStreamDriverAuthMode x509/name

$InputTCPServerStreamDriverPermittedPeer 10.0.4.91

$InputTCPServerStreamDriverMode 1 #run driver in TLS-only mode

$InputTCPServerRun 10514 #start up listener at port 10514

# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

Solution 1:

Turns out that the client was supplying an untrusted certificate.

Steps to figure this out:

  1. On client, run: openssl s_client -connect :10514 and remediate any errors

  2. on server, run: openssl s_client -connect :10514

  3. in rsyslogd.conf, switch: $InputTCPServerStreamDriverAuthMode x509/name to $InputTCPServerStreamDriverAuthMode anon that allows any client to connect without authorizing the client. This ought to allow events to be submitted.

This narrowed it down to a client cert issue.