Bug 2124849

Summary: [RHEL9] Fix Intermediate Certificate Chains in rsyslog when using ossl driver
Product: Red Hat Enterprise Linux 9 Reporter: Sergio Arroutbi <sarroutb>
Component: rsyslogAssignee: Sergio Arroutbi <sarroutb>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: unspecified Docs Contact: Mirek Jahoda <mjahoda>
Priority: unspecified    
Version: 9.2CC: dapospis, mjahoda, pasik, rsroka
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: 9.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rsyslog-8.2102.0-106.el9 Doc Type: Enhancement
Doc Text:
.Rsyslog TLS-encrypted logging now supports multiple CA files With the new `NetstreamDriverCaExtraFiles` directive, you can specify a list of additional certificate authority (CA) files for TLS-encrypted remote logging. Note that the new directive is available only for the `ossl` (OpenSSL) Rsyslog network stream driver.
 Story Points: ---
Clone Of:
: 2124934 (view as bug list) Environment:
Last Closed: 2023-05-09 07:44:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2124934    

Description Sergio Arroutbi 2022-09-07 09:23:11 UTC 
Description of problem:
rsyslog upstream project has been updated with change to provide additional CA files so that Certificate Chains work appropriately when using OSSL driver.
In particular, change is next: https://github.com/rsyslog/rsyslog/pull/4889
This change should be backported to RHEL9.

Version-Release number of selected component (if applicable):
rsyslog-8.2102.0-105

How reproducible:
Load a configuration with chain certificate files involved, such as:
module(
    load="imtcp"
    StreamDriver.AuthMode="x509/name"
...
    StreamDriver.Name="ossl"
)
input(type="imtcp" Port="6514")
...
global(
    DefaultNetstreamDriver="ossl"
    DefaultNetstreamDriverCAFile="/etc/rsyslogd.d/ca-cert.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslogd.d/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslogd.d/server-key.pem"
)
...
When rsyslog is started up, issue: "verify error:num=2:unable to get issuer certificate" is observed in logs. This is because rsyslog version in RHEL9 does not contain appropriate change that allows to specify the ca-root-cert.pem certificate.

Steps to Reproduce:
1. Apply previous configuration
2. Start rsyslog
3. Check logs from rsyslog

Actual results:
rsyslog ossl driver fails on startup

Expected results:
rsyslog ossl driver should not fail on startup. For this fail not to happen, rsyslog RHEL9 version must contain the appropriate changes to handle new configuration option NetstreamDriverCAExtraFiles (https://github.com/rsyslog/rsyslog/pull/4889). Once this is configuration option is handled by rsyslog, an application like this can be applied:
module(
    load="imtcp"
    StreamDriver.AuthMode="x509/name"
...
    StreamDriver.Name="ossl"
)
input(type="imtcp" Port="6514")
...
global(
    DefaultNetstreamDriver="ossl"
    DefaultNetstreamDriverCAFile="/etc/rsyslogd.d/ca-cert.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslogd.d/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslogd.d/server-key.pem"
    NetstreamDriverCAExtraFiles="/etc/rsyslogd.d/ca-root-cert.pem"
)
...
Application of previous configuration together with backport of the change in upstream handling OpenSSL configuration will enable chain certificate handling with ossl driver in rsyslog

Additional info:
Comment 2 Attila Lakatos 2022-10-17 07:14:12 UTC 
*** Bug 2065764 has been marked as a duplicate of this bug. ***
Comment 14 Sergio Arroutbi 2023-03-28 09:49:08 UTC 
Hello @mjahoda. Change LGTM.

Thanks
Comment 16 errata-xmlrpc 2023-05-09 07:44:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rsyslog bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2303