[sudo-users] Certificate Verification Problem When connecting to sudo logsrvd

Alexander Reichle-Schmehl alexander at alphamar.org
Wed Dec 27 06:22:42 MST 2023


Hi!

* Alexander Reichle-Schmehl via sudo-users <sudo-users at sudo.ws> [231227 13:16]:

> reichle at mqde01aixtest02:/home/reichle # sudo echo Test
> sudo: TLS connection to <mysyslogserver>:30344 failed: certificate verify failed
> sudo: TLS handshake was unsuccessful: Error 0
> sudo: unable to connect to log server sudo: error initializing I/O plugin sudoers_io

A small addition, as I just found out that sudo_sendlog gives a more
verbose error message:

root at mqde01aixtest01:/etc/ssl/sudo/certs # /usr/sbin/sudo_sendlog -A \
    -b /etc/ssl/sudo/mq-sudo-cacert.pem -h <mysyslog> \
    -c /etc/ssl/sudo/certs/sudo-log.crt \
    -k /etc/ssl/sudo/private/sudo-log.key /tmp/SUDO_IO_LOG/00/00/01/
Connected to <logserver>:30344
sudo_sendlog: X509_verify_cert: /etc/ssl/sudo/certs/sudo-log.crt: CA cert does not include key usage extension
sudo_sendlog: unable to initialize TLS context


Which is true.  Looking at the csr files I used for my tests, none has a
key usage extension (including the ones from the working Linux Servers).
And even adding them like this doesn't solve the issue:
       Requested Extensions:
             X509v3 Key Usage: critical
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Extended Key Usage: critical
                 TLS Web Client Authentication

I still get the same error from sudo_sendlog.


Best regards,
  Alexander
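The message sudo_sendlog prints comes from OpenSSL's strict X.509 checks, and it names the CA certificate, not the client certificate: RFC 5280 section 4.2.1.3 requires a CA certificate to carry a Key Usage extension that includes keyCertSign, so adding Key Usage to the client CSR alone leaves the check failing. The following script is an added example (not part of the post above and not sudo's own code) that builds two throwaway self-signed CAs, one without and one with keyUsage, issues a client certificate resembling the one sudo_sendlog presents from each, and reports which CA passes strict verification. It assumes an openssl CLI (1.1.1 or newer) on PATH; the failing strict-verify result for the keyUsage-less CA is only produced by OpenSSL 3. All file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: two throwaway self-signed CAs
# (one lacking keyUsage, one with keyCertSign/cRLSign), a client cert from
# each, and a strict verification of both chains. Assumes openssl on PATH;
# every path and subject below is constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write an openssl config for a self-signed CA. $1 = config path,
# $2 = "yes" to include the keyUsage extension RFC 5280 expects on a CA.
write_ca_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = constructed sudo log CA
[ca_ext]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    if [ "$2" = yes ]; then
        echo "keyUsage = critical, keyCertSign, cRLSign" >> "$1"
    fi
}

# Create a CA key and self-signed certificate. $1 = name, $2 = yes/no keyUsage.
make_ca() {
    write_ca_config "$WORK/$1.cnf" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a client certificate (digitalSignature + clientAuth, like the one
# sudo_sendlog presents) signed by CA $1, written to $WORK/$2.crt.
issue_client() {
    cat > "$WORK/$2.ext" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed sudo client" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 2 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 if the certificate in $1 carries an X509v3 Key Usage extension at all.
has_key_usage() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Key Usage'
}

# Exit 0 if the CA certificate in $1 permits certificate signing (keyCertSign).
has_cert_sign() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q 'Certificate Sign'
}

# Strict chain verification of client cert $2 against CA $1, the kind of
# check a strict-mode TLS client performs. Prints "ok" or "failed".
verify_strict() {
    if openssl verify -x509_strict -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo failed
    fi
}

make_ca ca_noku no
make_ca ca_ku yes
issue_client ca_noku client_noku
issue_client ca_ku client_ku

# Both client certs carry keyUsage; only the CA's keyUsage decides the outcome.
for ca in ca_noku ca_ku; do
    client="client_${ca#ca_}"
    if has_key_usage "$WORK/$ca.pem"; then ku=present; else ku=MISSING; fi
    if has_cert_sign "$WORK/$ca.pem"; then cs=yes; else cs=no; fi
    if has_key_usage "$WORK/$client.crt"; then cku=present; else cku=MISSING; fi
    echo "$ca: CA keyUsage $ku (keyCertSign: $cs), client keyUsage $cku," \
         "strict verify: $(verify_strict "$WORK/$ca.pem" "$WORK/$client.crt")"
done
```

To apply the same inspection to a real deployment, run has_key_usage and has_cert_sign against the file given to sudo_sendlog with -b (the CA bundle) rather than the -c client certificate; a CA whose keyUsage is missing has to be reissued, since the extension cannot be added to an existing signed certificate.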