rsyslog: peer name not authorized - not permitted to talk to it
Trying to configure an rsyslog central server with TLS turned on. It's been a struggle so far, but I'm almost there. Currently getting this error:
rsyslogd: error: peer name not authorized - not permitted to talk to it. Names: [v8.27.0 try http://www.rsyslog.com/e/2088 ]
rsyslogd: netstream session 0x7fda34010110 from 10.0.4.91 will be closed due to error [v8.27.0 try http://www.rsyslog.com/e/2089 ]
But I specifically put that IP into InputTCPServerStreamDriverPermittedPeer. What could be wrong? I can't get past this error. I validated that my configuration is OK with
# rsyslogd -N1
rsyslogd: version 8.27.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
My config, with a few things stripped:
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
$ModLoad imjournal # provides access to the systemd journal
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/machine-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/machine-key.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer 10.0.4.91
$InputTCPServerStreamDriverMode 1 #run driver in TLS-only mode
$InputTCPServerRun 10514 #start up listener at port 10514
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Solution 1:
Turns out that the client was supplying an untrusted certificate.
Steps to figure this out:
On the client, run: openssl s_client -connect :10514 and remediate any errors.
On the server, run: openssl s_client -connect :10514
In rsyslogd.conf, switch $InputTCPServerStreamDriverAuthMode x509/name to $InputTCPServerStreamDriverAuthMode anon, which allows any client to connect without authorizing it. This ought to allow events to be submitted.
This narrowed it down to a client cert issue.
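An added example (not from the question or the answer) that reproduces the two checks behind this diagnosis offline, using a throwaway CA and constructed client certificates in place of the real /etc/rsyslog.d files: whether the client certificate chains to the CA the server trusts, and which names the certificate carries for PermittedPeer to match in x509/name mode. It assumes openssl 1.1.1 or later on PATH; the hostnames and issuers are constructed.

```shell
# Added example: offline reproduction of the checks behind "peer name not
# authorized". A throwaway CA stands in for $DefaultNetstreamDriverCAFile.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Trusted CA (the server's ca.pem) and a rogue issuer standing in for the
# untrusted chain the answer turned up. Both are constructed here.
for ca in ca rogue; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
    -keyout "$ca.key" -out "$ca.pem" 2>/dev/null
done
# issue_cert PREFIX CN SAN ISSUER: sign a client cert with ISSUER.{key,pem}
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
    -CAcreateserial -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
# Check 1: does the client cert chain to the CA file rsyslog trusts?
peer_trust() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo trusted || echo untrusted
}
# Check 2: the names the cert carries (subject CN, then DNS/IP SANs).
# In x509/name mode these, not the source address of the TCP connection,
# are what PermittedPeer is compared against.
peer_names() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS://p; s/^ *IP Address://p'
}
# diagnose CA CERT PERMITTED_PEER: the verdict the server would reach.
diagnose() {
  if [ "$(peer_trust "$1" "$2")" != trusted ]; then
    echo "reject: certificate does not chain to the trusted CA"
  elif peer_names "$2" | grep -qxF -- "$3"; then
    echo "accept: '$3' matches a certificate name"
  else
    echo "reject: peer name not authorized"
  fi
}
# Three constructed clients: good cert, cert from the rogue issuer, and a
# trusted cert whose names do not include the configured PermittedPeer.
issue_cert good client.example.net "IP:10.0.4.91,DNS:client.example.net" ca
issue_cert rogue-client client.example.net "IP:10.0.4.91" rogue
issue_cert noname other.example.net "DNS:other.example.net" ca
for c in good rogue-client noname; do
  echo "$c: $(diagnose ca.pem "$c.pem" 10.0.4.91)"
  echo "  names in cert: $(peer_names "$c.pem" | tr '\n' ' ')"
done
```

Run the same two functions against the real client certificate and /etc/rsyslog.d/ca.pem to see which of the two conditions the server is actually rejecting on.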