rsyslog with gnutls configured is not able to receive messages
Environment
- Red Hat Enterprise Linux 6 (RHEL)
- Red Hat Enterprise Linux 7
- rsyslog
- rsyslog-gnutls
Issue
- When logging from a client to the server, around 50% of the time the following error appears:
rsyslogd: netstream session 0x7fe884008790 will be closed due to error
[try http://www.rsyslog.com/e/2089 ]
- Running the server daemon in debug mode shows the following:
7431.150695464:7fe8927f3700: unexpected GnuTLS error -59 in nsdsel_gtls.c:166: GnuTLS internal error.
7431.150723585:7fe8927f3700: XXXXXX: doRetry: iRet -2078, pNsd->bAbortConn 1
7431.150740983:7fe8927f3700: netstream 0x7fe884008790 with new data
7431.150748990:7fe8927f3700: gtlsRcv return. nsd 0x7fe884001d90, iRet -2089, lenRcvBuf 0, ptrRcvBuf 0
7431.150764502:7fe8927f3700: Called LogError, msg: netstream session 0x7fe884008790 will be closed due to error
Resolution
- On the rsyslog server, replace `$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/ca-bundle.crt` with a single CA certificate file (e.g. `$DefaultNetstreamDriverCAFile /etc/certs/ca/ca.pem`).
Root Cause
- Using a CA certificate bundle on the rsyslog server to handle the certificate chain of trust is not recommended and might not work.
- The reasoning behind this is security and general usability concerns:
  - The CA file serves two roles in this example. One is asserting the signing chain for the server certificate (which is why the CA file and the certificate file should not be the same).
  - The other is the list of CAs whose client certificates the server would accept and assume to be valid.
- The
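An added check, not from this article or from the rsyslog project, that reads the legacy `$DefaultNetstreamDriverCAFile` directive from an rsyslog configuration and reports whether the referenced file is a single CA certificate (as the Resolution requires) or a bundle (the condition the Root Cause warns about). It assumes the legacy directive form used above and PEM-encoded certificate files; the RainerScript `global(...)` form is not parsed.

```shell
#!/bin/sh
# Verify that the CA file rsyslog's gtls driver points at holds exactly one
# certificate. A bundle such as ca-bundle.crt is the configuration this
# article says can cause netstream sessions to be closed with error 2089.

# Print the number of PEM certificates in a file (0 if unreadable).
count_certs() {
    [ -r "$1" ] || { echo 0; return; }
    # grep -c exits 1 when the count is 0; the count is still printed.
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the path from the last $DefaultNetstreamDriverCAFile directive in
# an rsyslog config file (rsyslog honours the last definition it reads).
ca_file_from_config() {
    awk '$1 == "$DefaultNetstreamDriverCAFile" { path = $2 } END { print path }' "$1"
}

# Print a verdict and return 0 only for the recommended single-CA setup:
#   single - one certificate in the CA file (expected)
#   bundle - more than one certificate (replace with the single issuing CA)
#   none   - CA file missing or contains no certificate
#   unset  - directive not present in the config
check_rsyslog_ca() {
    ca=$(ca_file_from_config "$1")
    [ -n "$ca" ] || { echo unset; return 1; }
    n=$(count_certs "$ca")
    case "$n" in
        0) echo none; return 1 ;;
        1) echo single; return 0 ;;
        *) echo bundle; return 1 ;;
    esac
}

# Usage: ./check_rsyslog_ca.sh /etc/rsyslog.conf  (path is a placeholder)
if [ $# -gt 0 ]; then
    check_rsyslog_ca "$1"
fi
```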
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
