I got this:

2018-12-06T15:38:59.909637+01:00 s3005 rsyslogd: imrelp[2514]: authentication error 'peer did not provide a certificate', peer is '' [v8.39.0 try http://www.rsyslog.com/e/2353 ]
2018-12-06T15:38:59.909646+01:00 s3005 rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -43: Error in the certificate.]', object  'lstn 2514: conn to clt ::1/localhost' - input may not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]

Best wishes,
Sophie

From: Flo Rance [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 06, 2018 4:03 PM
To: LOEWENTHAL Sophie
Cc: rsyslog-users
Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates

Oh, and you didn't provide any "tls.permittedpeer=["..."]" so the next error that you should see on the server side is something like:

rsyslogd: imrelp[2514]: authentication error 'non-permited fingerprint', peer is '�� r� '
rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -43: Error in the certificate.]', object  'lstn 2514: conn to clt ....

Regards,
Flo

On Thu, Dec 6, 2018 at 3:47 PM [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Little more info whilst I was looking:
The rsyslog.conf configuration,

The CLIENT has
action(
type="omrelp"
target="a-be-s3005-msl"
port="2514"
tls="on"
tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
tls.myCert="/etc/rsyslog.d/ssl/client.crt"
tls.myPrivKey="/etc/rsyslog.d/ssl/client.key"
)

The SERVER has
input(
type="imrelp"
port="2514"
maxDataSize="8k"
tls="on"
tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
tls.myCert="/etc/rsyslog.d/ssl/server.crt"
tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
)
CLIENT connects to server and gets this,
# openssl s_client -connect be-s3005-msl:2514 -CAfile company-ca.crt -cert client.crt -key client.key
CONNECTED(00000003)
140081314850704:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1544107265
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
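Flo's reply notes that neither side sets tls.permittedpeer. The fragment below is an added example, not configuration posted by anyone in the thread: it takes the two objects from the quoted message and adds tls.authMode and tls.permittedPeer to each. The peer names client.example.net and server.example.net are placeholders and must be replaced with the names that actually appear in client.crt and server.crt; the imrelp and omrelp modules are assumed to be loaded elsewhere in rsyslog.conf.

```rsyslog
# SERVER side (imrelp).
# tls.authMode="name" makes the listener compare the name in the peer
# certificate against tls.permittedPeer; only listed clients are accepted.
# "client.example.net" is a placeholder for the name in client.crt.
input(
    type="imrelp"
    port="2514"
    maxDataSize="8k"
    tls="on"
    tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
    tls.myCert="/etc/rsyslog.d/ssl/server.crt"
    tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
    tls.authMode="name"
    tls.permittedPeer=["client.example.net"]
)

# CLIENT side (omrelp).
# The client applies the same check to the server certificate.
# "server.example.net" is a placeholder for the name in server.crt.
action(
    type="omrelp"
    target="a-be-s3005-msl"
    port="2514"
    tls="on"
    tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
    tls.myCert="/etc/rsyslog.d/ssl/client.crt"
    tls.myPrivKey="/etc/rsyslog.d/ssl/client.key"
    tls.authMode="name"
    tls.permittedPeer=["server.example.net"]
)
```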