[sudo-users] Certificate Verification Problem When connecting to sudo logsrvd

Alexander Reichle-Schmehl alexander at alphamar.org
Wed Dec 27 06:22:42 MST 2023


* Alexander Reichle-Schmehl via sudo-users <sudo-users at sudo.ws> [231227 13:16]:

> reichle at mqde01aixtest02:/home/reichle # sudo echo Test
> sudo: TLS connection to <mysyslogserver>:30344 failed: certificate verify failed
> sudo: TLS handshake was unsuccessful: Error 0
> sudo: unable to connect to log server sudo: error initializing I/O plugin sudoers_io

A small addition, as I just found out that sudo_sendlog gives a more
verbose error message:
root at mqde01aixtest01:/etc/ssl/sudo/certs # /usr/sbin/sudo_sendlog -A \
    -b /etc/ssl/sudo/mq-sudo-cacert.pem -h <mysyslog> \
    -c /etc/ssl/sudo/certs/sudo-log.crt \
    -k /etc/ssl/sudo/private/sudo-log.key /tmp/SUDO_IO_LOG/00/00/01/
Connected to <logserver>:30344
sudo_sendlog: X509_verify_cert: /etc/ssl/sudo/certs/sudo-log.crt: CA cert does not include key usage extension
sudo_sendlog: unable to initialize TLS context

Which is true.  Looking at the csr files I used for my tests, none has a
key usage extension (including the ones from the working Linux Servers).
And even adding them like this doesn't solve the issue:
       Requested Extensions:
             X509v3 Key Usage: critical
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Extended Key Usage: critical
                 TLS Web Client Authentication

I still get the same error from sudo_sendlog.

Best regards,

More information about the sudo-users mailing list