Messages - sensuary

#1
Well, this is fixed. By concatenating the CA cert and the intermediate cert into the OPNsense CA trust store, I can send my logs to my central log server.

For what it's worth, if I try to verify a leaf certificate + intermediate cert against a CA cert (using openssl verify), I get a failure. If I try to verify a leaf certificate against an intermediate cert + CA cert, I succeed. Syslog-ng must be doing something similar, but GnuTLS (which I use in rsyslog) must be doing something else.
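The three openssl verify outcomes described in the post above, reproduced as an added example. This is not code from the original post and not OPNsense or syslog-ng code; it assumes an openssl binary (1.1.1 or later, for the options used) in PATH, and the CA names and the hostname logserver.example are made up for the demo.

```shell
#!/bin/sh
# Added example: build a root CA -> intermediate CA -> leaf chain with openssl
# and reproduce the three "openssl verify" outcomes discussed in the post.
# Names (Example Root CA, logserver.example, ...) are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Fresh RSA key plus CSR for <name> with the given CN.
csr() {  # csr <name> <CN>
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Sign <name>.csr into <name>.pem with the extensions given as text.
# With a 4th argument the named CA signs it; without one it is self-signed.
# (openssl x509 -req does not copy CSR extensions, hence -extfile.)
sign() {  # sign <name> <extensions> [<ca-name>]
    printf '%b\n' "$2" > "$WORK/ext.cnf"
    if [ $# -ge 3 ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" \
            -CAkey "$WORK/$3.key" -CAcreateserial -days 365 -sha256 \
            -extfile "$WORK/ext.cnf" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 3650 -sha256 -extfile "$WORK/ext.cnf" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

make_chain() {
    csr root "Example Root CA"
    sign root 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash'

    csr int "Example Intermediate CA"
    sign int 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid' root

    # The log server's TLS certificate, issued by the intermediate.
    csr leaf "logserver.example"
    sign leaf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:logserver.example' int

    # The two concatenations compared in the post.
    cat "$WORK/leaf.pem" "$WORK/int.pem"  > "$WORK/leaf_plus_int.pem"
    cat "$WORK/int.pem"  "$WORK/root.pem" > "$WORK/int_plus_root.pem"
}

# Case 1 (fails): "leaf + intermediate" file checked against the root alone.
# openssl verify reads only the first certificate of a target file, so the
# appended intermediate is ignored: "unable to get local issuer certificate".
verify_leaf_plus_int_against_root() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf_plus_int.pem" >/dev/null 2>&1
}

# Case 2 (succeeds): leaf checked against an "intermediate + root" bundle.
# -CAfile loads every certificate in the file as trusted, which is what
# putting both certs into the OPNsense trust store amounts to.
verify_leaf_against_int_plus_root() {
    openssl verify -CAfile "$WORK/int_plus_root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 3 (succeeds): only the root is trusted; the intermediate is supplied as
# an untrusted chain certificate, the way a TLS server supplies it in the
# handshake. The client then needs nothing but the root in its trust store.
verify_leaf_with_untrusted_int() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

report() {  # report <label> <verify-function>
    if "$2"; then echo "$1: OK"; else echo "$1: verify failed"; fi
}

make_chain
report "leaf+int file vs root only" verify_leaf_plus_int_against_root
report "leaf vs int+root bundle" verify_leaf_against_int_plus_root
report "leaf vs root with -untrusted int" verify_leaf_with_untrusted_int
```

Case 3 is the check worth running against a real log server: `openssl s_client -connect <logserver>:<port> -showcerts` prints every certificate the server sends. If the intermediate is among them, trusting only the root is enough; if the server sends the leaf alone, the client must already hold the intermediate, which is why concatenating it into the trust store makes the connection work.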
#2
Ah, the certificate that I upload into Trust's CA needs to contain the intermediate certificate also.
#3
Hi, I have a CA that I manage myself outside of OPNsense. I have issued a certificate for my OPNsense firewall and I would like to use that to send logs from OPNsense to my central logserver using TLS.
I can go into System, Settings, Logging, Remote and set everything up there (before that I have imported the certificate to be used into the Trust store). But each time OPNsense tries to send a log to my logserver, this appears in OPNsense's local logs:
Notice syslog-ng Syslog connection broken; fd='33', server='AF_INET($REDACTED_IP)', time_reopen='60'
Error syslog-ng I/O error occurred while writing; fd='33', error='Broken pipe (32)'
Error syslog-ng SSL error while writing stream; tls_error='error:0A000086:SSL routines::certificate verify failed', location='/usr/local/etc/syslog-ng.conf.d/syslog-ng-destinations.conf:12:9'
Error syslog-ng Certificate validation failed; ...$REDACTED CERTIFICATE INFO ... error='unable to get local issuer certificate', depth='1'
Notice syslog-ng Syslog connection established; fd='33', server='AF_INET($REDACTED_IP)', local='AF_INET(0.0.0.0:0)'

As I understand it, this means that syslog-ng does not trust the certificate on the other end.
That certificate is signed by my CA, so if I upload my CA to OPNsense then syslog-ng should trust it right?
But how do I upload my CA without giving it my key?

I tried going into Trust, Authorities and uploading my self-signed certificate. I selected "Import an existing Certificate Authority", gave it a description and pasted my public certificate into the Certificate Data field, leaving the Private key data field empty.

This does not help it seems.

Any ideas on what I am doing wrong?
#4
Hardware and Performance / Re: E610-XT2
October 01, 2025, 09:25:20 AM
I have been struggling with this for some days now.
I have an e610 xt4 card and have been able to compile the official driver from Intel, move the .ko file into /boot/modules (as explained in thread https://forum.opnsense.org/index.php?topic=21517.msg101148#msg101148) and get the driver to sort of work.
I do see the ports of the card in ifconfig, but when I attach a cable to it, ifconfig always shows the status as "no carrier".
I named my driver something like if_ix_updated.ko and that is the driver shown in the output of kldstat. Also, close to the top of dmesg I see a message about not being able to load if_ix.ko since if_ix_updated.ko is already loaded, so it seems that my driver takes precedence over the inbuilt driver.
But I am wondering if the Intel driver is causing me problems because the kernel expects the builtin if_ix driver but gets an external one from Intel instead? Does that mean I *have* to recompile the kernel and exclude the if_ix driver from it?