
TLS with selfsigned certificate #44

Open
mreiger opened this issue Jun 11, 2021 · 2 comments

Comments


mreiger commented Jun 11, 2021

Hi, I am trying to use this plugin (via the fluentd kubernetes daemonset Debian syslog Docker image, which, as far as I can tell, uses this plugin for output).

I need to use TLS encryption and the syslog receiver uses a selfsigned certificate. Therefore I tried to disable certificate verification with the verify_mode parameter; however, I still get a verification error and no connection.

This is my output configuration:

  <label @OUTPUT>
    <match **>
      @type remote_syslog
      host "syslogserver"
      port 12555
      protocol tcp
      tls true
      verify_mode 0
      packet_size 65535
      <buffer>
        retry_max_interval 300
      </buffer>
      <format>
        @type "json"
      </format>
    </match>
  </label>

Name matching is done via an /etc/hosts entry (through Kubernetes hostAliases).

The selfsigned certificate has "syslogserver" both as issuer and subject CN; but this should not matter since I try to disable certificate verification anyway.

The error message I get is:

2021-06-11 17:41:49 +0000 [warn]: #0 failed to flush the buffer. retry_time=0 next_retry_seconds=2021-06-11 17:41:50 +0000 chunk="5c48105438fdcf12caab52270b36345b" error_class=RuntimeError error="verification error"
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:73:in `block in connect'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:52:in `synchronize'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:52:in `connect'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:38:in `initialize'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluent-plugin-remote_syslog-1.0.0/lib/fluent/plugin/out_remote_syslog.rb:136:in `new'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluent-plugin-remote_syslog-1.0.0/lib/fluent/plugin/out_remote_syslog.rb:136:in `create_sender'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluent-plugin-remote_syslog-1.0.0/lib/fluent/plugin/out_remote_syslog.rb:91:in `write'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin/output.rb:1133:in `try_flush'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin/output.rb:1439:in `flush_thread_run'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin/output.rb:461:in `block (2 levels) in start'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin_helper/thread.rb:78:in `block in thread_create'

I also tried other values for verify_mode after some searching:

  • none
  • OpenSSL::SSL::VERIFY_NONE

but the result - and the error message - is the same.

Can you advise me what the correct use of the parameter is?


mreiger commented Jun 14, 2021

Update: Using the selfsigned certificate as CA certificate (parameter ca_file) works.

Still, it is not clear to me how the verify_mode parameter is supposed to work. Can anyone clarify?


satish-suradkar commented May 26, 2022

Hi @mreiger

I have created a self-signed CA certificate, created a server certificate and signed that with the CA.

Syslog server config ->

$ModLoad imtcp
$InputTCPServerRun 1514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon

#Make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
#
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server-key.pem

Fluentd config ->

<match *.*>
  @type remote_syslog
  host <syslogsrver-hostname>
  port 1514
  protocol tcp
  tls true
  ca_file /etc/rsyslog-keys-my-ss/ca.pem
</match>

Getting error --> error="verification error"

2022-05-25 12:45:24 +0000 [warn]: #0 failed to flush the buffer. retry_time=11 next_retry_seconds=2022-05-25 13:04:30 +0000 chunk="5dfd52f20e6fd2d95309fb4f32b59316" error_class=RuntimeError error="verification error"
 2022-05-25 12:45:24 +0000 [warn]: #0 suppressed same stacktrace
2022-05-25 13:04:34 +0000 [warn]: #0 failed to flush the buffer. retry_time=12 next_retry_seconds=2022-05-25 13:41:59 +0000 chunk="5dfd52f20e6fd2d95309fb4f32b59316" error_class=RuntimeError error="verification error"
 2022-05-25 13:04:34 +0000 [warn]: #0 suppressed same stacktrace

Could you please suggest what I'm missing?
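Added example, not code from the plugin or from anyone in this thread: it reproduces with Ruby's OpenSSL bindings what ca_file verification amounts to for the two cases above, a self-signed server certificate pinned directly as the trust anchor (first post) and a server certificate signed by a private CA whose certificate is the trust anchor (last post), plus the hostname check against the CN. All certificates, the names "syslogserver" and "my-ca", and the helper functions are constructed here and are not part of the plugin.

```ruby
require 'openssl'

# Build a certificate for +cn+. With no issuer it is self-signed (issuer and
# subject CN identical, as in the first post); otherwise it is signed by the
# given CA certificate and key. Returns [cert, key]. Constructed test data only.
def make_cert(cn, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  bc = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', bc, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify +cert+ against a trust store holding only +trusted_pems+, which is
# what pointing ca_file at a PEM file amounts to. Returns [ok, error code].
def verify_against(cert, trusted_pems)
  store = OpenSSL::X509::Store.new
  trusted_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ok = store.verify(cert)
  [ok, store.error]
end

# Hostname check against CN (or SAN): the host parameter must match the name
# in the certificate, which is why the /etc/hosts alias in the first post matters.
def name_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $0
  server, _ = make_cert('syslogserver')
  p verify_against(server, [server.to_pem]) # [true, 0]: self-signed cert pinned via ca_file
  p verify_against(server, [])              # [false, V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT]
  ca, ca_key = make_cert('my-ca', ca: true)
  leaf, _ = make_cert('syslogserver', issuer_cert: ca, issuer_key: ca_key)
  p verify_against(leaf, [ca.to_pem])       # [true, 0]: CA-signed cert, CA pinned via ca_file
  p name_matches?(leaf, 'syslogserver')     # true
end
```

The second verify_against call shows the failure a client sees when nothing in the trust store covers the self-signed certificate, which is the case verify_mode alone does not fix; adding the certificate (or its CA) to the store is what makes ca_file work.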
