Unexpected tls packet, unable to activate tls using gtls #5372

Open
Elekam opened this issue May 3, 2024 · 13 comments

Comments

@Elekam

Elekam commented May 3, 2024

@sandeshChandra Did you ever end up solving this? I am experiencing the same problem.

Could someone take a look at what I'm providing below and tell me if they see any obvious things? @rgerhards
We generate the certificates using an acme.sh script. The scripts are generated on the machine, without any knowledge of other machines/domain names. Could that also be a problem? Do the certificates on the clients have to be generated with a dependency on the server certificate?

The machines are on CentOS9 Stream.
Full config of server:

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
#global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

#### MODULES ####

module(load="imuxsock"
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"
       UsePid="system"
       FileCreateMode="0644"
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
#include(file="/etc/rsyslog.d/*.conf" mode="optional")

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# # An on-disk queue is created for this action. If the remote host is
# # down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# # Remote Logging (we use TCP for reliable delivery)
# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
##### BEGIN CONFIG: /etc/rsyslog.d/z_server.conf (put on stack)
global( DefaultNetstreamDriverCAFile="/etc/httpd/ssl/fullchain.cer"
        DefaultNetstreamDriverCertFile="/etc/httpd/ssl/<server_domain>.crt"
        DefaultNetstreamDriverKeyFile="/etc/httpd/ssl/<server_domain>.key"
        DefaultNetstreamDriver="gtls"
        net.ipprotocol="ipv4-only" workDirectory="/var/spool/rsyslog")
module( load="imtcp"
        MaxSessions="100"
        StreamDriver.Name="gtls"
        StreamDriver.Mode="1"
        StreamDriver.AuthMode="x509/certvalid")
        #PermittedPeer=["client1.domain.net"]
        #StreamDriver.CheckExtendedKeyPurpose="on"
        #gnutlsprioritystring="SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3")

input(type="imtcp" port="6514")

$template RemoteLogs,"/var/spool/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& STOP

##### END   CONFIG: /etc/rsyslog.d/z_server.conf

Full config of client:

## full conf created by rsyslog version 8.2310.0-4.el9 at 2024-05-03 15:31:14 ##

##### BEGIN CONFIG: /etc/rsyslog.conf (put on stack)
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
#global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

#### MODULES ####

module(load="imuxsock"
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"
       UsePid="system"
       FileCreateMode="0644"
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
##### BEGIN CONFIG: /etc/rsyslog.d/httpd.conf (put on stack)

##### BEGIN CONFIG: /etc/rsyslog.d/99-client.conf (put on stack)
global(DefaultNetstreamDriverCAFile="/etc/httpd/ssl/gd_bundle.crt"
       DefaultNetstreamDriverCertFile="/etc/httpd/ssl/<client_domain>.crt"
       DefaultNetstreamDriverKeyFile="/etc/httpd/ssl/<client_domain>.key"
       DefaultNetstreamDriver="gtls"
       net.ipprotocol="ipv4-only" workDirectory="/var/spool/rsyslog")

module(load="imklog")

*.* @@217.160.220.159:6514

action(type="omfwd"
                Protocol="tcp"
                Target="217.160.220.159"
                Port="6514"
                StreamDriver="gtls"
                StreamDriverMode="1"
                StreamDriverAuthMode="x509/certvalid"
                gnutlsprioritystring="SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3"
                queue.filename="rsyslog_omfwd"
                queue.spoolDirectory="/var/spool/rsyslog"
                queue.maxdiskspace="1g"
                queue.saveonshutdown="on"
                queue.type="LinkedList"
                action.resumeRetryCount="-1")

module(load="imfile" PollingInterval="10") #needs to be done just once

##### END   CONFIG: /etc/rsyslog.d/99-client.conf
#Httpd log files
#This requires loading of module imfile
input(type="imfile"
      File="/var/log/httpd/error_log"
      Tag="httpd_error"
      Severity="error"
      Facility="local7")

input(type="imfile"
      File="/var/log/httpd/access_log"
      Tag="httpd_access"
      Severity="info"
      Facility="local7")

input(type="imfile"
      File="/var/log/httpd/ssl_access_log"
      Tag="httpd_ssl_access"
      Severity="info"
      Facility="local7")

input(type="imfile"
      File="/var/log/httpd/ssl_error_log"
      Tag="httpd_ssl_error"
      Severity="error"
      Facility="local7")


##### END   CONFIG: /etc/rsyslog.d/httpd.conf


# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# # An on-disk queue is created for this action. If the remote host is
# # down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# # Remote Logging (we use TCP for reliable delivery)
# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

##### END   CONFIG: /etc/rsyslog.conf

Server logs:

May  3 15:42:28 c9-ionos-rsyslog rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:28 c9-ionos-rsyslog rsyslogd[6583]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083 [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:28 c9-ionos-rsyslog rsyslogd[6583]: GnuTLS handshake retry returned error: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:28 c9-ionos-rsyslog rsyslogd[6583]: netstream session 0x7dd785f84080 from 212.227.234.221 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]
May  3 15:42:28 c9-ionos-rsyslog rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:28 c9-ionos-rsyslog rsyslogd[6583]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083 [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:29 c9-ionos-rsyslog rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:29 c9-ionos-rsyslog rsyslogd[6583]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083 [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:29 c9-ionos-rsyslog rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:29 c9-ionos-rsyslog rsyslogd[6583]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083 [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083 [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083 [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083 [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: GnuTLS handshake retry returned error: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:30 c9-ionos-rsyslog rsyslogd[6583]: netstream session 0x7dd787302440 from 212.227.234.221 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]
May  3 15:42:31 c9-ionos-rsyslog rsyslogd[6583]: GnuTLS handshake retry returned error: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:31 c9-ionos-rsyslog rsyslogd[6583]: netstream session 0x7dd787303fc0 from 212.227.234.221 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]
May  3 15:42:31 c9-ionos-rsyslog rsyslogd[6583]: GnuTLS handshake retry returned error: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:31 c9-ionos-rsyslog rsyslogd[6583]: netstream session 0x7dd787302bc0 from 212.227.234.221 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]
May  3 15:42:32 c9-ionos-rsyslog rsyslogd[6583]: GnuTLS handshake retry returned error: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:32 c9-ionos-rsyslog rsyslogd[6583]: netstream session 0x7dd785f85480 from 212.227.234.221 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]

Client logs:

May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: omfwd: remote server at 217.160.220.159:6514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2027 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2007 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: omfwd: remote server at 217.160.220.159:6514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2027 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2007 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: omfwd: remote server at 217.160.220.159:6514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2027 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2007 ]
May  3 15:44:07 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: omfwd: remote server at 217.160.220.159:6514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2027 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2007 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: omfwd: remote server at 217.160.220.159:6514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2027 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2007 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: omfwd: remote server at 217.160.220.159:6514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2027 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2007 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: omfwd: remote server at 217.160.220.159:6514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2027 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2007 ]
May  3 15:44:08 c9-ionos-zabbix rsyslogd[7631]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]

Originally posted by @Elekam in #3940 (comment)
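As an added example, not code from this issue or from the rsyslog project: a small Python triage helper for the two symptoms the logs above show. It classifies the handshake-failure lines the gtls (GnuTLS) and ossl (OpenSSL) netstream drivers write, counts them per peer, and attaches what a defender should check for each class; it also lints a client config for a legacy `*.* @@host:port` rule pointed at the same host:port as a TLS `omfwd` action, since a legacy rule runs in plain TCP unless `$ActionSendStreamDriverMode 1` precedes it, and plaintext on a TLS listener is one cause of "unexpected TLS packet" / "wrong version number". The sample log and config are constructed, modelled on the ones posted above with RFC 5737 placeholder addresses; the function names, class names and hint texts are the example's own.

```python
"""Triage helpers for rsyslog TLS handshake failures (added example, not rsyslog's code)."""
import re
from collections import Counter

# Substrings the gtls (GnuTLS) and ossl (OpenSSL) netstream drivers log on a failed
# handshake, mapped to a failure class. Matching is case-insensitive, first hit wins.
SIGNATURES = [
    ("unexpected tls packet", "non_tls_bytes"),        # GnuTLS: record is not TLS
    ("wrong version number", "non_tls_bytes"),         # OpenSSL: record header is not TLS
    ("alert unknown ca", "untrusted_chain"),           # peer sent an unknown_ca alert
    ("certificate verify failed", "untrusted_chain"),
    ("will be closed due to error", "session_closed"),
    ("handshake failed with error code", "session_closed"),
]

HINTS = {
    "non_tls_bytes": "Bytes that are not TLS reached the TLS listener: look for a second "
                     "forwarder to the same host:port that runs plain TCP (a legacy "
                     "'*.* @@host:port' line is mode 0 unless $ActionSendStreamDriverMode 1 "
                     "precedes it) and for middleboxes on the path.",
    "untrusted_chain": "The peer could not validate the chain it was sent against its CA "
                       "file: check that each side's DefaultNetstreamDriverCAFile holds the "
                       "CA that issued the other side's certificate.",
    "session_closed": "Teardown after a failed handshake; the cause is in the preceding lines.",
}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"rsyslogd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"(?:from |remote client ')(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Split one rsyslogd syslog line into fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Failure class for a message, or None when it is not a handshake failure."""
    low = msg.lower()
    for needle, cls in SIGNATURES:
        if needle in low:
            return cls
    return None


def triage(log_text):
    """Count handshake failures per class and per peer, and list what to check."""
    by_class, by_peer = Counter(), Counter()
    unclassified, first_failure = 0, None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        cls = classify(rec["msg"])
        if cls is None:
            unclassified += 1
            continue
        by_class[cls] += 1
        first_failure = first_failure or rec["ts"]
        peer = PEER_RE.search(rec["msg"])
        if peer:
            by_peer[peer.group(1)] += 1
    return {"by_class": dict(by_class), "by_peer": dict(by_peer),
            "unclassified": unclassified, "first_failure": first_failure,
            "hints": [HINTS[c] for c in by_class]}


# Config lint: a legacy '@@host:port' rule next to a TLS omfwd action for the same
# host:port sends plaintext to the TLS listener, which produces exactly the errors above.
ACTION_RE = re.compile(r"(?<![#\w])action\((?P<body>.*?)\)", re.S)
LEGACY_TCP_RE = re.compile(r"^\s*[^#\s]\S*\s+@@(?:\([^)]*\))?(?P<host>[\w.\-]+)(?::(?P<port>\d+))?\s*$")


def _param(body, name):
    m = re.search(rf'\b{name}="([^"]*)"', body, re.I)
    return m.group(1) if m else None


def find_plaintext_to_tls(config_text):
    """Return legacy '@@' forwarder lines whose host:port is also the target of an
    omfwd action with StreamDriverMode="1" in the same config (port defaults to 514)."""
    tls_targets = set()
    for a in ACTION_RE.finditer(config_text):
        body = a["body"]
        if _param(body, "type") == "omfwd" and _param(body, "StreamDriverMode") == "1":
            tls_targets.add((_param(body, "Target"), _param(body, "Port") or "514"))
    hits = []
    for line in config_text.splitlines():
        m = LEGACY_TCP_RE.match(line)
        if m and (m["host"], m["port"] or "514") in tls_targets:
            hits.append(line.strip())
    return hits


# Constructed sample input modelled on the lines in this issue (placeholder addresses).
SAMPLE_LOG = """\
May  3 15:42:28 logsrv rsyslogd[6583]: gnutls returned error on handshake: An unexpected TLS packet was received.  [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2083 ]
May  3 15:42:28 logsrv rsyslogd[6583]: netstream session 0x7dd785f84080 from 192.0.2.10 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]
May  3 16:37:14 logsrv rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A00010B:SSL routines::wrong version number [v8.2310.0-4.el9]
May  3 16:37:14 logsrv rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '192.0.2.10': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:19 logsrv rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca [v8.2310.0-4.el9]
May  3 16:37:19 logsrv rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '192.0.2.11': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:20 logsrv rsyslogd[8905]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2359 ]
"""

# Constructed client config fragment: legacy plain-TCP rule plus TLS action, same target.
SAMPLE_CLIENT_CONF = """\
*.* @@192.0.2.1:6514
action(type="omfwd" Protocol="tcp" Target="192.0.2.1" Port="6514"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/certvalid")
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(find_plaintext_to_tls(SAMPLE_CLIENT_CONF))
```

Run it against the server's `/var/log/messages` and the client's merged config (`rsyslogd -o` output, as posted above) to see, per peer, whether failures are the non-TLS-bytes kind or the untrusted-chain kind; the two need different fixes, and the log sample above shows both.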

@Elekam
Author

Elekam commented May 3, 2024

Environment:
Rsyslog version: 8.2310.0-4
Platform: CentOS9 Stream

I am trying to enable gtls. @rgerhards, you mentioned switching to ossl. If possible, I would like to avoid that, because our security benchmarks want gtls. As a last resort, we could try switching to ossl.

You mentioned that this points to tls not being enabled on the client. Can you elaborate? The rsyslog-client.conf seems to set tls as wanted. Do you mean outside of the rsyslog conf?

Thanks in advance for any help :)

@rgerhards
Member

I had expected that you follow the advice here, before blindly opening a new issue... pls do now.

#3940 (comment)

@rgerhards
Member

can you do openssl for a test? again, gnutls is notoriously bad in reporting errors.

@Elekam
Author

Elekam commented May 3, 2024

I noticed the two messages "Unknown ca" and "wrong version number". Maybe like I asked earlier a problem with the certificates?

Server log:

May  3 16:37:14 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A00010B:SSL routines::wrong version number [v8.2310.0-4.el9]
May  3 16:37:14 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '212.227.234.221': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:14 c9-ionos-rsyslog rsyslogd[8905]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -1 [v8.2310.0-4.el9]
May  3 16:37:15 c9-ionos-rsyslog rsyslogd[8905]: SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'  [v8.2310.0-4.el9]
May  3 16:37:15 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A00010B:SSL routines::wrong version number [v8.2310.0-4.el9]
May  3 16:37:15 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '212.227.234.221': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:15 c9-ionos-rsyslog rsyslogd[8905]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -1 [v8.2310.0-4.el9]
May  3 16:37:16 c9-ionos-rsyslog rsyslogd[8905]: SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'  [v8.2310.0-4.el9]
May  3 16:37:16 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A00010B:SSL routines::wrong version number [v8.2310.0-4.el9]
May  3 16:37:16 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '212.227.234.221': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:16 c9-ionos-rsyslog rsyslogd[8905]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -1 [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'  [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '212.227.234.221': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'  [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '212.227.234.221': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: netstream session 0x748335d67a80 from 212.227.234.221 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: SSL_ERROR_SSL Error in 'osslEndSess': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_shutdown'  [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A000197:SSL routines::shutdown while in init [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl: TLS session terminated successfully to remote syslog server '212.227.234.221' with SSL Error '-1': End Session [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: netstream session 0x748335d69100 from 212.227.234.221 will be closed due to error [v8.2310.0-4.el9 try https://www.rsyslog.com/e/2089 ]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: SSL_ERROR_SSL Error in 'osslEndSess': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_shutdown'  [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A000197:SSL routines::shutdown while in init [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl: TLS session terminated successfully to remote syslog server '212.227.234.221' with SSL Error '-1': End Session [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'  [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:OpenSSL Error Stack: error:0A00010B:SSL routines::wrong version number [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: nsd_ossl:TLS session terminated with remote client '212.227.234.221': Handshake failed with error code: 1 [v8.2310.0-4.el9]
May  3 16:37:19 c9-ionos-rsyslog rsyslogd[8905]: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -1 [v8.2310.0-4.el9]

Full config server:

## full conf created by rsyslog version 8.2310.0-4.el9 at 2024-05-03 16:41:34 ##

##### BEGIN CONFIG: /etc/rsyslog.conf (put on stack)
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
#global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

#### MODULES ####

module(load="imuxsock"
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"
       UsePid="system"
       FileCreateMode="0644"
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
#include(file="/etc/rsyslog.d/*.conf" mode="optional")

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# # An on-disk queue is created for this action. If the remote host is
# # down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# # Remote Logging (we use TCP for reliable delivery)
# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
##### BEGIN CONFIG: /etc/rsyslog.d/z_server.conf (put on stack)
global( DefaultNetstreamDriverCAFile="/etc/httpd/ssl/fullchain.cer"
        DefaultNetstreamDriverCertFile="/etc/httpd/ssl/<server-domain>.crt"
        DefaultNetstreamDriverKeyFile="/etc/httpd/ssl/<server-domain>.key"
        DefaultNetstreamDriver="gtls"
        net.ipprotocol="ipv4-only" workDirectory="/var/spool/rsyslog")

module( load="imtcp"
        MaxSessions="100"
        StreamDriver.Name="ossl"
        StreamDriver.Mode="1"
        StreamDriver.AuthMode="x509/name"
        PermittedPeer="zabbix.<domain>.net")
        #StreamDriver.CheckExtendedKeyPurpose="on"
        #gnutlsprioritystring="SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3")

input(type="imtcp" port="6514")

$template RemoteLogs,"/var/spool/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& STOP

##### END   CONFIG: /etc/rsyslog.d/z_server.conf


##### END   CONFIG: /etc/rsyslog.conf

Full config client:

## full conf created by rsyslog version 8.2310.0-4.el9 at 2024-05-03 16:48:19 ##

##### BEGIN CONFIG: /etc/rsyslog.conf (put on stack)
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
#global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

#### MODULES ####

module(load="imuxsock"
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"
       UsePid="system"
       FileCreateMode="0644"
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
##### BEGIN CONFIG: /etc/rsyslog.d/httpd.conf (put on stack)

##### BEGIN CONFIG: /etc/rsyslog.d/99-client.conf (put on stack)
global(DefaultNetstreamDriverCAFile="/etc/httpd/ssl/gd_bundle.crt"
       DefaultNetstreamDriverCertFile="/etc/httpd/ssl/client-domain.crt"
       DefaultNetstreamDriverKeyFile="/etc/httpd/ssl/client-domain.key"
       DefaultNetstreamDriver="gtls"
       net.ipprotocol="ipv4-only" workDirectory="/var/spool/rsyslog")

module(load="imklog")

*.* @@217.160.220.159:6514

action(type="omfwd"
                Protocol="tcp"
                Target="217.160.220.159"
                Port="6514"
                StreamDriver="ossl"
                StreamDriverMode="1"
                StreamDriverAuthMode="x509/name"
                StreamDriverPermittedPeers="c9-ionos-rsyslog.<domain>.net"


                queue.filename="rsyslog_omfwd"
                queue.spoolDirectory="/var/spool/rsyslog"
                queue.maxdiskspace="1g"
                queue.saveonshutdown="on"
                queue.type="LinkedList"
                action.resumeRetryCount="-1")

module(load="imfile" PollingInterval="10") #needs to be done just once

##### END   CONFIG: /etc/rsyslog.d/99-client.conf
#Httpd log files
#This requires loading of module imfile
input(type="imfile"
      File="/var/log/httpd/error_log"
      Tag="httpd_error"
      Severity="error"
      Facility="local7")

input(type="imfile"
      File="/var/log/httpd/access_log"
      Tag="httpd_access"
      Severity="info"
      Facility="local7")

input(type="imfile"
      File="/var/log/httpd/ssl_access_log"
      Tag="httpd_ssl_access"
      Severity="info"
      Facility="local7")
input(type="imfile"
      File="/var/log/httpd/ssl_error_log"
      Tag="httpd_ssl_error"
      Severity="error"
      Facility="local7")


##### END   CONFIG: /etc/rsyslog.d/httpd.conf


# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# # An on-disk queue is created for this action. If the remote host is
# # down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# # Remote Logging (we use TCP for reliable delivery)
# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

##### END   CONFIG: /etc/rsyslog.conf

@rgerhards
Member

Please create a debug log. Instructions: https://www.rsyslog.com/doc/v8-stable/troubleshooting/howtodebug.html

Be sure that the problem in question occurs at least once during the debug run. Once this is done, please post the debug log (e.g. via pastebin or github). After that, we can review the contents and check how exactly rsyslog processing worked.

This is probably a problem that @alorbach should look at.

@Elekam
Author

Elekam commented May 3, 2024

Here is the debug log. The problem happens at line 32110 for example.
rsyslog.log

@rgerhards
Member

Thx, pls keep the log online for @alorbach , but I think this is the relevant part:

8253.888668288:imtcp.c        : nsd_ossl.c: osslLastSSLErrorMsg: SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'
8253.888685148:imtcp.c        : errmsg.c: Called LogMsg, msg: SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'

8253.888696770:imtcp.c        : operatingstate.c: osf: MSG SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'
: signaling new internal message via SIGTTOU: 'SSL_ERROR_SSL Error in 'osslHandshakeCheck Server': 'error:00000001:lib(0)::reason(1)(1)' with ret=-1, errno=0, sslapi='SSL_accept'  [v8.2310.0-4.el9]'
8253.888763910:main thread    : janitor.c: janitorRun() called
  
8253.888811333:main Q:Reg/w0  : rainerscript.c: pmask:  X  X  X  X  X  X  X  X  X FF  X  X  X 
8253.890414743:imtcp.c        : errmsg.c: Called LogMsg, msg: nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca
8253.890432628:imtcp.c        : operatingstate.c: osf: MSG nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca: signaling new internal message via SIGTTOU: 'nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca [v8.2310.0-4.el9]'
8253.890483162:main thread    : janitor.c: janitorRun() called

boils down to "unknown CA"

@rgerhards
Member

I just noticed this (sry, pretty late). You wrote:

Do the certificates on the clients have to be generated with a dependency on the server certificate?

Yes, to check the cert validity, all machines need to have the same CA (or set of interim certs, to be more precise).
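
To make that requirement concrete, here is an added example (not code from the rsyslog project or from anyone in this thread) that builds a throwaway CA and server certificate in Go and runs the two checks rsyslog's x509/name mode performs: chain validation against the configured CA file, then a PermittedPeer name match. The CA names and the host names logserver.example.test and zabbix.example.test are constructed for the example; the "unknown ca" outcome is what a peer whose CA file lacks the other side's CA produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template returns a CA or end-entity certificate template (constructed test data).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		t.DNSNames = []string{cn} // the SAN is what the peer-name check matches
	}
	return t
}

// issue signs tmpl with parent (self-signed when parent is nil); returns cert and key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyPeer models rsyslog's x509/name mode: chain the peer cert to a trust anchor in the
// CA file, then match its name against PermittedPeer (no EKU check, like CheckExtendedKeyPurpose off).
func VerifyPeer(peer *x509.Certificate, caFile []*x509.Certificate, permittedPeer string) string {
	roots := x509.NewCertPool()
	for _, c := range caFile {
		roots.AddCert(c)
	}
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   permittedPeer,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &x509.UnknownAuthorityError{}):
		return "unknown ca" // the condition behind the "tlsv1 alert unknown ca" in the debug log
	case errors.As(err, &x509.HostnameError{}):
		return "name mismatch" // PermittedPeer does not match the certificate name
	default:
		return "error: " + err.Error()
	}
}

func main() {
	ca, caKey, _ := issue(template("Example Log CA", 1, true), nil, nil)
	otherCA, _, _ := issue(template("Unrelated CA", 2, true), nil, nil)
	server, _, _ := issue(template("logserver.example.test", 3, false), ca, caKey)
	fmt.Println(VerifyPeer(server, []*x509.Certificate{ca}, "logserver.example.test"))      // ok
	fmt.Println(VerifyPeer(server, []*x509.Certificate{otherCA}, "logserver.example.test")) // unknown ca
	fmt.Println(VerifyPeer(server, []*x509.Certificate{ca}, "zabbix.example.test"))         // name mismatch
}
```

The same check runs in both directions in rsyslog: the server validates the client certificate against its CA file and PermittedPeer, and the client validates the server's against its CA file and StreamDriverPermittedPeers, so both CA files must contain the issuing CA (and any intermediates) of the other side.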

@Elekam
Author

Elekam commented May 6, 2024

This is weird. While recreating the certs, I noticed that the rsyslog server is logging the same "Handshake failed" messages even when the rsyslog client is marked as inactive/failed. What is sending the server a signal then? Maybe something else is sending packets to the rsyslog port for some reason? I'm looking into it.

@rgerhards
Member

Some other sender might be a good explanation ;-)

@Elekam
Author

Elekam commented May 6, 2024

After some more testing, I executed this command
openssl s_client -showcerts -servername c9-ionos-rsyslog -connect rsyslog_server.domain.net:6514
on the rsyslog client and got the following:

---
Server certificate
subject=CN=c9-ionos-rsyslog.domain.net
issuer=C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4463 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
004E5693AB770000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:ssl/record/rec_layer_s3.c:865:SSL alert number 116

TLS1.2 and lower is disabled on the machine our rsyslog server runs on. I know about the gnutlsprioritystring, is there a similar option for the ossl library? How can I force both client and server to use TLS1.3?

This is what I had in my config as an option to the imtcp listener, does this also work when using ossl?
gnutlsprioritystring="SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3"

@alorbach
Member

alorbach commented May 6, 2024

This looks like server and client are not finding a shared cipher.

This is what I had in my config as an option to the imtcp listener, does this also work when using ossl? gnutlsprioritystring="SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3"

Indeed there is, you can actually use "gnutlsprioritystring" to set OpenSSL properties, for example this should work for you:
gnutlsPriorityString="MinProtocol=TLSv1.3"

More details in the doc or see ossl testcases in "tests" folder:
https://www.rsyslog.com/doc/configuration/modules/imtcp.html#example-1
https://www.rsyslog.com/doc/configuration/modules/omfwd.html#example-1

glbl.c: This is rsyslog version 8.2310.0-4.el9
A newer version of rsyslog could also help for further troubleshooting.

@Elekam
Author

Elekam commented May 6, 2024

I'm honestly lost. I am not sure whether I have an issue with my certificates, rsyslog, or both. I would greatly appreciate it if any of you could take a look at this.

Here are the facts:
The configuration for the cert files looks like this on both sides:

global( DefaultNetstreamDriverCAFile="/etc/httpd/ssl/gd_bundle.crt"
        DefaultNetstreamDriverCertFile="/etc/httpd/ssl/teamdrive.net.crt"
        DefaultNetstreamDriverKeyFile="/etc/httpd/ssl/teamdrive.net.key"
        DefaultNetstreamDriver="ossl"
        net.ipprotocol="ipv4-only" workDirectory="/var/spool/rsyslog")

I also added gnutlsPriorityString="MinProtocol=TLSv1.3" to both client and server.

I have four certificate files per domain, aka client and server. gd_bundle.crt, ca.cer, domain.cer and domain.key.
ca.cer is identical on both client and server. It contains two certificates.
gd_bundle.crt contains the fullchain, aka the domain cert, and then the two certs inside ca.cer.
If I put ca.cer in the config of both sides instead of the gd_bundle.crt, rsyslog throws "handshake failed" paired with the error: nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca [v8.2310.0-4.el9]
If I put gd_bundle.crt as the cafile, rsyslog throws handshake failed, paired with nsd_ossl:OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca [v8.2310.0-4.el9]
I've also been seeing nsd_ossl:OpenSSL Error Stack: error:0A000197:SSL routines::shutdown while in init [v8.2310.0-4.el9] frequently, no matter what config. I am not sure whether this means anything substantial.
The same with nsd_ossl:OpenSSL Error Stack: error:0A00010B:SSL routines::wrong version number [v8.2310.0-4.el9]. This always appears right after I restarted both client and server, but seems to then stop or be drowned out by the "unknown ca" errors.

This is the output when both sides have gd_bundle.crt as their CAfile:
rsyslog-gd_bundle.log

openssl s_client -connect c9-ionos-rsyslog.teamdrive.net:6514 -servername c9-ionos.rsyslog.teamdrive.net -tls1_3 executed on rsyslog client:

CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
verify return:1
depth=1 C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
verify return:1
depth=0 CN=c9-ionos-rsyslog.teamdrive.net
verify return:1
---
Certificate chain
 0 s:CN=c9-ionos-rsyslog.teamdrive.net
   i:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: May  6 00:00:00 2024 GMT; NotAfter: Aug  4 23:59:59 2024 GMT
 1 s:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 30 00:00:00 2020 GMT; NotAfter: Jan 29 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=c9-ionos-rsyslog.teamdrive.net
issuer=C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3401 bytes and written 381 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
002EE57E4F700000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:ssl/record/rec_layer_s3.c:865:SSL alert number 116

This is the output of openssl s_client -showcerts -servername c9-ionos-rsyslog -connect c9-ionos-rsyslog.teamdrive.net:6514 -tls1_3 -cert teamdrive.net.crt -CAfile ca.cer -cert_chain gd_bundle.crt -key teamdrive.net.key executed on the rsyslog client with the same config:

CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
verify error:num=2:unable to get issuer certificate
issuer= C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
verify return:1
depth=1 C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
issuer= C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
verify return:1
depth=0 CN=c9-ionos-rsyslog.teamdrive.net
issuer= C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
verify return:1
---
Certificate chain
 0 s:CN=c9-ionos-rsyslog.teamdrive.net
   i:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: May  6 00:00:00 2024 GMT; NotAfter: Aug  4 23:59:59 2024 GMT
 1 s:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 30 00:00:00 2020 GMT; NotAfter: Jan 29 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=c9-ionos-rsyslog.teamdrive.net
issuer=C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3403 bytes and written 2573 bytes
Verification error: unable to get issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 2 (unable to get issuer certificate)
---
008E759424730000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:865:SSL alert number 48

Now, when I change the ca-file setting for rsyslog server and client to the ca.cer, following output is produced:
rsyslog_ca_cer.log

openssl s_client -connect c9-ionos-rsyslog.teamdrive.net:6514 -servername c9-ionos.rsyslog.teamdrive.net -tls1_3 :

CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
verify return:1
depth=1 C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
verify return:1
depth=0 CN=c9-ionos-rsyslog.teamdrive.net
verify return:1
---
Certificate chain
 0 s:CN=c9-ionos-rsyslog.teamdrive.net
   i:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: May  6 00:00:00 2024 GMT; NotAfter: Aug  4 23:59:59 2024 GMT
 1 s:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 30 00:00:00 2020 GMT; NotAfter: Jan 29 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=c9-ionos-rsyslog.teamdrive.net
issuer=C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3402 bytes and written 381 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
003EB110887A0000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:ssl/record/rec_layer_s3.c:865:SSL alert number 116

openssl s_client -showcerts -servername c9-ionos-rsyslog -connect c9-ionos-rsyslog.teamdrive.net:6514 -tls1_3 -cert teamdrive.net.crt -CAfile ca.cer -cert_chain gd_bundle.crt -key teamdrive.net.key:

CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
verify return:1
depth=1 C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
verify return:1
depth=0 CN=c9-ionos-rsyslog.teamdrive.net
verify return:1
---
Certificate chain
 0 s:CN=c9-ionos-rsyslog.teamdrive.net
   i:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: May  6 00:00:00 2024 GMT; NotAfter: Aug  4 23:59:59 2024 GMT
 1 s:C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 30 00:00:00 2020 GMT; NotAfter: Jan 29 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=c9-ionos-rsyslog.teamdrive.net
issuer=C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3402 bytes and written 381 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
003EB110887A0000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:ssl/record/rec_layer_s3.c:865:SSL alert number 116

It seems to me like gd_bundle.crt is the better choice, even though it confuses me why a fullchain for the CA-file option seems to work better than the ca file. And then there is the question of why it is unable to get the issuer certificate. I googled a lot and found some questions about that, but nothing seemed quite right/like it would help me.

I did not update to a newer rsyslog version before these outputs. I will do so now and see if it changes anything.

I would be really grateful if you can help me with this. If you need any further info, let me know.
