source-git / rsyslog

Clone
Source Code
GIT

Files

c8 master
  1.   c8
  2.   doc
  3.   tutorials
  4.   tls_cert_errmsgs.html
Blob Blame History Raw 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Error Messages &#8212; rsyslog 8.1911.0 documentation</title>
    <link rel="stylesheet" href="../_static/classic.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/rsyslog.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '8.1911.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Creating certificates with a script" href="tls_cert_script.html" />
    <link rel="prev" title="Setting up the UDP syslog relay" href="tls_cert_udp_relay.html" /> 
  </head>
  <body>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="tls_cert_script.html" title="Creating certificates with a script"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="tls_cert_udp_relay.html" title="Setting up the UDP syslog relay"
             accesskey="P">previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> &#187;</li>
          <li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> &#187;</li>
          <li class="nav-item nav-item-2"><a href="tls_cert_summary.html" accesskey="U">Encrypting Syslog Traffic with TLS (SSL)</a> &#187;</li> 
      </ul>
    </div>  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="error-messages">
<h1>Error Messages<a class="headerlink" href="#error-messages" title="Permalink to this headline">¶</a></h1>
<p>This page covers error message you may see when setting up
<a class="reference external" href="http://www.rsyslog.com">rsyslog</a> with TLS. Please note that many of
the message stem back to the TLS library being used. In those cases,
there is not always a good explanation available in rsyslog alone.</p>
<p>A single error typically results in two or more message being emitted:
(at least) one is the actual error cause, followed by usually one
message with additional information (like certificate contents). In a
typical system, these message should immediately follow each other in
your log. Keep in mind that they are reported as syslog.err, so you need
to capture these to actually see errors (the default rsyslog.conf’s
shipped by many systems will do that, recording them e.g. in
/etc/messages).</p>
<div class="section" id="certificate-invalid">
<h2>certificate invalid<a class="headerlink" href="#certificate-invalid" title="Permalink to this headline">¶</a></h2>
<p>Sample:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="ow">not</span> <span class="n">permitted</span> <span class="n">to</span> <span class="n">talk</span> <span class="n">to</span> <span class="n">peer</span><span class="p">,</span> <span class="n">certificate</span> <span class="n">invalid</span><span class="p">:</span> <span class="n">insecure</span> <span class="n">algorithm</span>
</pre></div>
</div>
<p>This message may occur during connection setup. It indicates that the
remote peer’s certificate can not be accepted. The reason for this is
given in the message part that is shown in red. Please note that this
red part directly stems back to the TLS library, so rsyslog does
actually not have any more information about the reason.</p>
<p>With GnuTLS, the following reasons have been seen in practice:</p>
<div class="section" id="insecure-algorithm">
<h3>insecure algorithm<a class="headerlink" href="#insecure-algorithm" title="Permalink to this headline">¶</a></h3>
<p>The certificate contains information on which encryption algorithms are
to be used. This information is entered when the certificate is created.
Some older algorithms are no longer secure and the TLS library does not
accept them. Thus the connection request failed. The cure is to use a
certificate with sufficiently secure algorithms.</p>
<p>Please note that no encryption algorithm is totally secure. It only is
secure based on our current knowledge AND on computing power available.
As computers get more and more powerful, previously secure algorithms
become insecure over time. As such, algorithms considered secure today
may not be accepted by the TLS library in the future.</p>
<p>So in theory, after a system upgrade, a connection request may fail with
the “insecure algorithm” failure without any change in rsyslog
configuration or certificates. This could be caused by a new perception
of the TLS library of what is secure and what not.</p>
</div>
</div>
<div class="section" id="gnutls-error-64">
<h2>GnuTLS error -64<a class="headerlink" href="#gnutls-error-64" title="Permalink to this headline">¶</a></h2>
<p>Sample:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">unexpected</span> <span class="n">GnuTLS</span> <span class="n">error</span> <span class="o">-</span><span class="mi">64</span> <span class="ow">in</span> <span class="n">nsd_gtls</span><span class="o">.</span><span class="n">c</span><span class="p">:</span><span class="mi">517</span><span class="p">:</span> <span class="n">Error</span> <span class="k">while</span> <span class="n">reading</span> <span class="n">file</span><span class="o">.</span>
</pre></div>
</div>
<p>This error points to an encoding error with the pem file in question.
It means “base 64 encoding error”. From my experience, it can be caused
by a couple of things, some of them not obvious:</p>
<ul class="simple">
<li>You specified a wrong file, which is not actually in .pem format</li>
<li>The file was incorrectly generated</li>
<li>I think I have also seen this when I accidentally swapped private key
files and certificate files. So double-check the type of file you are
using.</li>
<li>It may even be a result of an access (permission) problem. In theory,
that should lead to another error, but in practice it sometimes seems
to lead to this -64 error.</li>
</ul>
</div>
<div class="section" id="info-on-invalid-cert">
<h2>info on invalid cert<a class="headerlink" href="#info-on-invalid-cert" title="Permalink to this headline">¶</a></h2>
<p>Sample:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">info</span> <span class="n">on</span> <span class="n">invalid</span> <span class="n">cert</span><span class="p">:</span> <span class="n">peer</span> <span class="n">provided</span> <span class="mi">1</span> <span class="n">certificate</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="o">.</span> <span class="n">Certificate</span> <span class="mi">1</span> <span class="n">info</span><span class="p">:</span> <span class="n">certificate</span> <span class="n">valid</span> <span class="kn">from</span> <span class="nn">Wed</span> <span class="n">Jun</span> <span class="mi">18</span> <span class="mi">11</span><span class="p">:</span><span class="mi">45</span><span class="p">:</span><span class="mi">44</span> <span class="mi">2008</span> <span class="n">to</span> <span class="n">Sat</span> <span class="n">Jun</span> <span class="mi">16</span> <span class="mi">11</span><span class="p">:</span><span class="mi">45</span><span class="p">:</span><span class="mi">53</span> <span class="mi">2018</span><span class="p">;</span> <span class="n">Certificate</span> <span class="n">public</span> <span class="n">key</span><span class="p">:</span> <span class="n">RSA</span><span class="p">;</span> <span class="n">DN</span><span class="p">:</span> <span class="n">C</span><span class="o">=</span><span class="n">US</span><span class="p">,</span><span class="n">O</span><span class="o">=</span><span class="n">Sample</span> <span class="n">Corp</span><span class="p">,</span><span class="n">OU</span><span class="o">=</span><span class="n">Certs</span><span class="p">,</span><span class="n">L</span><span class="o">=</span><span class="n">Somewhere</span><span class="p">,</span><span class="n">ST</span><span class="o">=</span><span class="n">CA</span><span class="p">,</span><span class="n">CN</span><span class="o">=</span><span class="n">somename</span><span class="p">;</span> <span class="n">Issuer</span> <span class="n">DN</span><span class="p">:</span> <span class="n">C</span><span class="o">=</span><span class="n">US</span><span class="p">,</span><span class="n">O</span><span class="o">=</span><span class="n">Sample</span> <span class="n">Corp</span><span class="p">,</span><span class="n">OU</span><span class="o">=</span><span class="n">Certs</span><span class="p">,</span><span class="n">L</span><span class="o">=</span><span class="n">Somewhere</span><span class="p">,</span><span class="n">ST</span><span class="o">=</span><span class="n">CA</span><span class="p">,</span><span class="n">CN</span><span class="o">=</span><span class="n">somename</span><span class="p">,</span><span class="n">EMAIL</span><span class="o">=</span><span class="n">xxx</span><span class="nd">@example</span><span class="o">.</span><span class="n">com</span><span class="p">;</span> <span class="n">SAN</span><span class="p">:</span><span class="n">DNSname</span><span class="p">:</span> <span class="n">machine</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">net</span><span class="p">;</span>
</pre></div>
</div>
<p>This is <strong>not</strong> an error message in itself. It always follows the actual
error message and tells you what is seen in the peer’s certificate. This
is done to give you a chance to evaluate the certificate and better
understand why the initial error message was issued.</p>
<p>Please note that you can NOT diagnose problems based on this message
alone. It follows in a number of error cases and does not pinpoint any
problems by itself.</p>
</div>
<div class="section" id="invalid-peer-name">
<h2>invalid peer name<a class="headerlink" href="#invalid-peer-name" title="Permalink to this headline">¶</a></h2>
<p>Sample:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1"># sender error</span>
<span class="n">error</span><span class="p">:</span> <span class="n">peer</span> <span class="n">name</span> <span class="ow">not</span> <span class="n">authorized</span> <span class="o">-</span>  <span class="ow">not</span> <span class="n">permitted</span> <span class="n">to</span> <span class="n">talk</span> <span class="n">to</span> <span class="n">it</span><span class="o">.</span> <span class="n">Names</span><span class="p">:</span> <span class="n">DNSname</span><span class="p">:</span> <span class="n">syslog</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="p">;</span> <span class="n">CN</span><span class="p">:</span> <span class="n">syslog</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="p">;</span>

<span class="c1"># receiver error</span>
<span class="n">unexpected</span> <span class="n">GnuTLS</span> <span class="n">error</span> <span class="o">-</span><span class="mi">110</span> <span class="ow">in</span> <span class="n">nsd_gtls</span><span class="o">.</span><span class="n">c</span><span class="p">:</span><span class="mi">536</span><span class="p">:</span> <span class="n">The</span> <span class="n">TLS</span> <span class="n">connection</span> <span class="n">was</span> <span class="n">non</span><span class="o">-</span><span class="n">properly</span> <span class="n">terminated</span><span class="o">.</span>
<span class="n">netstream</span> <span class="n">session</span> <span class="mh">0x7fee240ef650</span> <span class="kn">from</span> <span class="nn">X.X.X.X</span> <span class="n">will</span> <span class="n">be</span> <span class="n">closed</span> <span class="n">due</span> <span class="n">to</span> <span class="n">error</span>
</pre></div>
</div>
<p>This error is caused by the Subject Alternative Name or Common Name on the receivers certificate not matching any StreamDriverPermittedPeers (RainerScript) / $ActionSendStreamDriverPermittedPeers (Legacy Rsyslog). Either we need to update this parameter with the correct domain name / appropriate wildcard or change the AuthMode of the Stream Driver to be less strict (be sure to carefully read the documentation and understand the implications before taking this route).</p>
<p>The receiver error is fairly generic and comes from the upstream GnuTLS library, because the sender has decided it’s not authorized to talk to the remote peer over TLS it tears down the connection before any records are sent, this is treated as a premature termination by the library and it returns the given error.</p>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Help with configuring/using <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li><a class="reference external" href="http://lists.adiscon.net/mailman/listinfo/rsyslog">Mailing list</a> - best route for general questions</li>
<li>GitHub: <a class="reference external" href="https://github.com/rsyslog/rsyslog/">rsyslog source project</a> - detailed questions, reporting issues
that are believed to be bugs with <code class="docutils literal"><span class="pre">Rsyslog</span></code></li>
<li>Stack Exchange (<a class="reference external" href="https://stackexchange.com/filters/327462/rsyslog">View</a>, <a class="reference external" href="https://serverfault.com/questions/ask?tags=rsyslog">Ask</a>)
- experimental support from rsyslog community</li>
</ul>
</div>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Contributing to <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li>Source project: <a class="reference external" href="https://github.com/rsyslog/rsyslog/blob/master/README.md">rsyslog project README</a>.</li>
<li>Documentation: <a class="reference external" href="https://github.com/rsyslog/rsyslog-doc/blob/master/README.md">rsyslog-doc project README</a></li>
</ul>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Error Messages</a><ul>
<li><a class="reference internal" href="#certificate-invalid">certificate invalid</a><ul>
<li><a class="reference internal" href="#insecure-algorithm">insecure algorithm</a></li>
</ul>
</li>
<li><a class="reference internal" href="#gnutls-error-64">GnuTLS error -64</a></li>
<li><a class="reference internal" href="#info-on-invalid-cert">info on invalid cert</a></li>
<li><a class="reference internal" href="#invalid-peer-name">invalid peer name</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="tls_cert_udp_relay.html"
                        title="previous chapter">Setting up the UDP syslog relay</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="tls_cert_script.html"
                        title="next chapter">Creating certificates with a script</a></p>
  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="../_sources/tutorials/tls_cert_errmsgs.rst.txt"
           rel="nofollow">Show Source</a></li>
    <li><a href="https://github.com/rsyslog/rsyslog-doc/edit/master/source/tutorials/tls_cert_errmsgs.rst"
           rel="nofollow">Edit on GitHub</a></li>
  </ul>

<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <form class="search" action="../search.html" method="get">
      <div><input type="text" name="q" /></div>
      <div><input type="submit" value="Go" /></div>
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../genindex.html" title="General Index"
             >index</a></li>
        <li class="right" >
          <a href="tls_cert_script.html" title="Creating certificates with a script"
             >next</a> |</li>
        <li class="right" >
          <a href="tls_cert_udp_relay.html" title="Setting up the UDP syslog relay"
             >previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> &#187;</li>
          <li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> &#187;</li>
          <li class="nav-item nav-item-2"><a href="tls_cert_summary.html" >Encrypting Syslog Traffic with TLS (SSL)</a> &#187;</li> 
      </ul>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2008-2019, `Rainer Gerhards and Others.
    </div>
  </body>
</html>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation