TLS client auth, still got error

Hi,

Second try to create a topic:

I set up a Graylog server on a Debian base from the repository installation, not Docker.
I managed to get input and played a bit with dashboards and alerts.
Now I want to secure the input with TLS, but I still get the following error in the Graylog log when I enable tls_client_auth: required. Here is what I've done:

  1. We have our own CA working
  2. Generated certs and keys for server and client from the same CA
  3. Secured Graylog frontend access with an Apache proxy → works
  4. Set up a TCP syslog input with TLS:
allow_override_date: true
bind_address: 0.0.0.0
charset_name: UTF-8
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
number_worker_threads: 4
override_source: <empty>
port: 5140
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
timezone: NotSet
tls_cert_file: /etc/ssl/certs/meddv-log001.mdv.local.crt
tls_client_auth: disabled
tls_client_auth_cert_file: /etc/ssl/certs/meddv_internal_root_certification_authory.pem
tls_enable: true
tls_key_file: /etc/ssl/private/meddv-log001.mdv.local.key
tls_key_password: *******
use_null_delimiter: false
  5. Set up rsyslog with the following settings:
root@meddv-cmdb:~# cat /etc/rsyslog.d/tls.conf
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/meddv_internal_root_certification_authority.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/meddv-cmdb.mdv.local_fullchain.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/meddv-cmdb.mdv.local.pem
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#$ActionSendStreamDriverAuthMode anon
root@meddv-cmdb:~# cat /etc/rsyslog.d/meddv-log001.conf
#*.* @@meddv-log001.mdv.local:5140;RSYSLOG_SyslogProtocol23Format
*.* action(
  type="omfwd"
  target="meddv-log001.mdv.local"
  port="5140"
  protocol="tcp"
  KeepAlive="on"
  KeepAlive.Interval="30"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  ResendLastMSGOnReconnect="on"
  queue.filename="fwdRule1"  # unique name prefix for spool files
  queue.type="LinkedList"
  queue.maxDiskSpace="256m"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
  action.resumeInterval="30"
)
  6. Tested the connection → I still get input
  7. Set tls_client_auth: required

Now I get the error mentioned above.

Thank you in advance for any help

Bye

Gregor

Hey @grefabu,

Could you try including the client cert in the folder for the tls_client_auth_cert_file: option?


Did you include the CA in the Graylog Java TrustStore?
(Graylog needs to validate the client certificate, and there is no CA setting in the input)

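As an added check that is not part of this thread or of Graylog/rsyslog: before flipping tls_client_auth to required, confirm from the shell that the rsyslog client certificate actually chains to the CA file the input's tls_client_auth_cert_file points at, since that chain is exactly what Graylog has to validate. It assumes the openssl command line tool is installed; the paths in the usage comment are the ones from the question (note that the two posts spell the CA file name differently, "authory" vs "authority", and an unreadable path is reported as a failure).

```shell
#!/bin/sh
# Pre-flight checks for Graylog TLS client auth (added example, not from the thread).
set -u

# check_client_cert CA_FILE CLIENT_CERT
# Returns 0 if CLIENT_CERT is issued by a CA contained in CA_FILE, 1 otherwise.
# This is the same trust decision Graylog makes once tls_client_auth is "required".
check_client_cert() {
    ca_file=$1; client_cert=$2
    if [ ! -r "$ca_file" ]; then
        echo "CA file not readable: $ca_file" >&2
        return 1
    fi
    out=$(openssl verify -CAfile "$ca_file" "$client_cert" 2>&1) && return 0
    echo "$out" >&2
    return 1
}

# client_cert_name CLIENT_CERT
# Prints the subject and any Subject Alternative Names of the client cert, i.e. the
# identity the server side sees; rsyslog's x509/name mode compares such names on its side.
client_cert_name() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# test_handshake HOST PORT CA_FILE CLIENT_CERT CLIENT_KEY
# Opens one TLS session to the input while presenting the client cert. A handshake
# error here with tls_client_auth: required means the server rejected the client chain.
test_handshake() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -cert "$4" -key "$5" </dev/null 2>&1 \
        | grep -E 'Verify return code|Verification|error'
}

# Usage with the paths from the question (hypothetical for any other setup):
# check_client_cert /etc/ssl/certs/meddv_internal_root_certification_authority.pem \
#     /etc/ssl/certs/meddv-cmdb.mdv.local_fullchain.crt && echo "client cert chains to CA"
# client_cert_name /etc/ssl/certs/meddv-cmdb.mdv.local_fullchain.crt
# test_handshake meddv-log001.mdv.local 5140 \
#     /etc/ssl/certs/meddv_internal_root_certification_authority.pem \
#     /etc/ssl/certs/meddv-cmdb.mdv.local_fullchain.crt /etc/ssl/private/meddv-cmdb.mdv.local.pem
```

If check_client_cert fails while rsyslog still connects with tls_client_auth: disabled, the CA file on the Graylog side (or the Java TrustStore, as the reply above suggests) is the place to look, not the rsyslog configuration.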