error: peer name not authorized - not permitted

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Google Ads


error: peer name not authorized - not permitted

Postby kornjack » Thu Sep 07, 2017 5:32 pm

Hello all,

I'm trying to setup a TLS connection internally using a valid cert issued to us by a CA. I am receiving the following error and have read the post on this site regarding this issue. None of the recommendations on the older post have been successful. Here is a short clip of the debug log. I am using a wild card certificate from a valid CA. Any help is appreciated, thanks in advance.

Sep 7 12:01:01 centralserver rsyslogd: error: peer name not authorized - not permitted to talk to it. Names: DNSname: *.xyzcorp.com; DNSname: xyzcorp.com; CN: *.xyzcorp.com; [v8.24.0
Sep 7 12:01:01 centralserver rsyslogd: netstream session 0x7f33c0013610 from 172.16.150.49 will be closed due to error
Sep 7 12:08:53 centralserver kernel: blk_update_request: I/O error, dev fd0, sector 0
Sep 7 12:08:56 centralserver puppet-agent[674]: (/Stage[main]/Rhn_check/Exec[rhn_check]/returns) executed successfully
Sep 7 12:08:57 centralserver puppet-agent[674]: (/Stage[main]/Rhn_check/Exec[rhn_check2]/returns) executed successfully
Sep 7 12:08:58 centralserver puppet-agent[674]: Applied catalog in 2.95 seconds
Sep 7 12:11:40 centralserver rsyslogd: error: peer name not authorized - not permitted to talk to it. Names: DNSname: *.xyzcorp.com; DNSname: xyzcorp.com; CN: *.xyzcorp.com; [v8.24.0
Sep 7 12:11:40 centralserver rsyslogd: netstream session 0x7f33c0006fa0 from 172.16.150.49 will be closed due to error

subject alt dnsName: '*.xyzcorp.com'
4939.781583046:imtcp.c : subject alt dnsName: 'xyzcorp.com'
4939.781680923:imtcp.c : gtls now checking auth for CN '*.xyzcorp.com'
4939.781689957:imtcp.c : invalid peer name, not permitted to talk to it
4939.781708240:imtcp.c : Called LogMsg, msg: error: peer name not authorized - not permitted to talk to it. Names: DNSname: *.xyzcorp.com; DNSname: xyzcorp.com; CN: *.xyzcorp.com;
******************************************************************************************************************************************************************************
rsyslog.conf

# rsyslog configuration file

$DebugFile /var/log/rsys.log
$DebugLevel 2

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

### Legacy configuration
$ModLoad imtcp

$DefaultNetstreamDriver gtls

### Legacy Command to certs
$DefaultNetstreamDriverCAFile /etc/rsyslog.certs/godaddy.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.certs/xyz.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.certs/xyz.key
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 6514
$InputTCPServerStreamDriverPermittedPeer *.pphosted.com # Cloud provider
$InputTCPServerStreamDriverPermittedPeer 172.16.150.49 #Internal client IP



#action(type="omfile" file="var/log/Proofpoint.log")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
kornjack
New
 
Posts: 1
Joined: Sat Sep 02, 2017 2:47 am

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Google Ads


Return to Configuration

Who is online

Users browsing this forum: No registered users and 2 guests

cron