Require certificate, not CA for syslog TLS configuration
Description
Problem/Justification
Main benefit is to use the TrueNAS Connect cert for syslog configuration
Also to remove unnecessary restrictions
Impact
None
Activity
Andrew Walker February 22, 2025 at 1:13 AM (Edited)
NOTE: We should not be collecting people’s syslog in current TrueNAS and storing on iX servers. It can contain very sensitive information including sudo audit details. This should not be put into product without careful consideration. IIRC this design was already NAKed by engineering.
Bug Clerk February 21, 2025 at 9:05 PM
This issue has now been closed. Comments made after this point may not be viewed by the TrueNAS Teams. Please open a new issue if you have found a problem or need to re-engage with the TrueNAS Engineering Teams.
Andrew Walker February 21, 2025 at 9:05 PM
Mark Grimes already has a ticket to rework this.
Duplicate
Details
Assignee: Triage Team
Reporter: Zack
Effort to Implement (if applicable): Low
Created February 21, 2025 at 4:49 PM
Updated February 22, 2025 at 1:14 AM
Resolved February 21, 2025 at 9:05 PM
The syslog API does not make sense when using a certificate created from a root CA, in this case Let’s Encrypt. Practically a CA should not be required if it’s in the trusted store, and mako conf symlinks the CA to the root dir, which shouldn’t be necessary if it’s already there.
To get a TNC certificate to work, I have to create a bogus, self-signed CA unrelated to the cert and have MW symlink it for no reason.