[sudo-users] Certificate Verification Problem When connecting to sudo logsrvd
Todd C. Miller
Todd.Miller at sudo.ws
Fri Jan 5 10:22:19 MST 2024
On Wed, 27 Dec 2023 14:22:42 +0100, Alexander Reichle-Schmehl via sudo-users wrote:
> A small addition, as I just found out that sudo_sendlog gives a more
> verbose error message:
> root at mqde01aixtest01:/etc/ssl/sudo/certs # /usr/sbin/sudo_sendlog -A \
> -b /etc/ssl/sudo/mq-sudo-cacert.pem -h <mysyslog> \
> -c /etc/ssl/sudo/certs/sudo-log.crt \
> -k /etc/ssl/sudo/private/sudo-log.key /tmp/SUDO_IO_LOG/00/00/01/
> Connected to <logserver>:30344
> sudo_sendlog: X509_verify_cert: /etc/ssl/sudo/certs/sudo-log.crt: CA cert does not include key usage extension
> sudo_sendlog: unable to initialize TLS context
>
> Which is true. Looking at the csr files I used for my tests, none has a
> key usage extension (including the ones from the working Linux Servers).
> And even adding them like this doesn't solve the issue:
> Requested Extensions:
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Key Encipherment
> X509v3 Extended Key Usage: critical
> TLS Web Client Authentication
>
> I still get the same error from sudo_sendlog.
The CA cert needs to have the keyCertSign extension (the cRLSign
extension is also a good idea).
If you run:
openssl x509 -in /etc/ssl/sudo/mq-sudo-cacert.pem -text -noout
Does the output include an X509v3 extensions section similar to:
X509v3 extensions:
X509v3 Subject Key Identifier:
...
X509v3 Authority Key Identifier:
...
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
- todd
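An added example (not from the sudo project or the thread) that reproduces the condition discussed above: it builds two throwaway self-signed CA certificates, one whose Key Usage carries only the bits the original poster tried (no Certificate Sign) and one with keyCertSign and cRLSign, then checks each for what a sudo_logsrvd CA certificate needs. It assumes openssl 1.1.1 or newer (for `x509 -ext`); the config file, subject name and paths are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not sudo project code). Assumes openssl >= 1.1.1.
# Two extension sections: one lacking keyCertSign, one with keyCertSign+cRLSign.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed request config; the sections differ only in keyUsage.
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = sudo-log-test-ca
[ v3_no_certsign ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca SECTION NAME: self-signed cert built with extension section SECTION.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/ca.cnf" -extensions "$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
    printf '%s\n' "$WORK/$2.pem"
}

# ca_cert_ok CERT: succeeds only if CERT has Basic Constraints CA:TRUE and a
# Key Usage that includes Certificate Sign (what a logsrvd CA cert needs).
ca_cert_ok() {
    bc=$(openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null) || return 1
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null) || return 1
    case "$bc" in *CA:TRUE*) ;; *) return 1 ;; esac
    case "$ku" in *"Certificate Sign"*) return 0 ;; *) return 1 ;; esac
}

for section in v3_no_certsign v3_ca; do
    cert=$(make_ca "$section" "$section")
    if ca_cert_ok "$cert"; then
        echo "$section: CA:TRUE and Certificate Sign present, usable as logsrvd CA"
    else
        echo "$section: rejected, CA:TRUE or Certificate Sign missing"
    fi
done
```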