OPNsense Forum

English Forums => 26.1 Series => Topic started by: sensuary on January 30, 2026, 12:58:07 PM

Title: Log to remote logserver using TLS and externally self signed certificate
Post by: sensuary on January 30, 2026, 12:58:07 PM
Hi, I have a CA that I manage myself outside of OPNsense. I have issued a certificate for my OPNsense firewall and I would like to use that to send logs from OPNsense to my central logserver using TLS.
I can go into System, Settings, Logging, Remote and set everything up there (before that I have imported the certificate to be used into the Trust store). But each time OPNsense tries to send a log to my logserver, this appears in OPNsense's local logs:
Notice syslog-ng Syslog connection broken; fd='33', server='AF_INET($REDACTED_IP)', time_reopen='60'
Error syslog-ng I/O error occurred while writing; fd='33', error='Broken pipe (32)'
Error syslog-ng SSL error while writing stream; tls_error='error:0A000086:SSL routines::certificate verify failed', location='/usr/local/etc/syslog-ng.conf.d/syslog-ng-destinations.conf:12:9'
Error syslog-ng Certificate validation failed; ...$REDACTED CERTIFICATE INFO ... error='unable to get local issuer certificate', depth='1'
Notice syslog-ng Syslog connection established; fd='33', server='AF_INET($REDACTED_IP)', local='AF_INET(0.0.0.0:0)'

As I understand it, this means that syslog-ng does not trust the certificate on the other end.
That certificate is signed by my CA, so if I upload my CA to OPNsense then syslog-ng should trust it right?
But how do I upload my CA without giving it my key?

I tried going into Trust, Authorities and uploading my self-signed certificate. I selected "Import an existing Certificate Authority", gave it a description and pasted my public certificate into the Certificate Data field, leaving the Private key data field empty.

This does not help, it seems.

Any ideas on what I am doing wrong?
Title: Re: Log to remote logserver using TLS and externally self signed certificate
Post by: Monviech (Cedrik) on January 30, 2026, 02:11:28 PM
You can upload the CA to "System - Trust - Authorities", just paste the certificate in, leave the key empty.

EDIT: Oops you already did that. But that should work since syslog-ng uses the system trust store.
Title: Re: Log to remote logserver using TLS and externally self signed certificate
Post by: sensuary on January 30, 2026, 02:12:28 PM
Ah, the certificate that I upload into Trust's CA needs to contain the intermediate certificate also.
Title: Re: Log to remote logserver using TLS and externally self signed certificate
Post by: Monviech (Cedrik) on January 30, 2026, 02:15:05 PM
Oh yeah, if it's multiple issuers in a chain that's needed for trust.

https://docs.opnsense.org/manual/how-tos/self-signed-chain.html
Title: Re: Log to remote logserver using TLS and externally self signed certificate
Post by: franco on January 30, 2026, 02:17:33 PM
Intermediates on the client side are not the best idea. Ideally your server should provide the full chain and the client only the root certificate. If that's not possible you'll have to go with what you have.


Cheers,
Franco
Title: Re: Log to remote logserver using TLS and externally self signed certificate
Post by: sensuary on January 30, 2026, 02:46:06 PM
Well, this is fixed. By concatenating the CA cert and the intermediate cert into the OPNsense CA trust store, I can now send my logs to my central log server.

For what it's worth, if I try to verify a leaf certificate + intermediate cert against a CA cert (using openssl verify) then I get a failure. If I try to verify a leaf certificate against an intermediate cert + CA cert then I succeed. Syslog-ng must be doing something similar, but gnutls (which I use in rsyslog) must be doing something else.