solo1
New Contributor III

FortiGate Syslog to Ubuntu gives "Decode error" and "No supported cipher suites have been found"


I am trying to send traffic syslog encrypted from a FortiGate firewall to Rsyslog on an Ubuntu server.
I have managed to do this for other clients; however, one of my latest clients gets an error saying
"Decode error" in the traffic dump and "No supported cipher suites have been found" in the Rsyslog logs.


The certificate is uploaded to the FortiGate firewall at System > Certificates > CA Certificate (rootCA_ip.pem+key.pem).

Tcpdump decode error from the Ubuntu server:

[image: decode_error.png]



RSYSLOG error logs on Ubuntu Server:


rsyslogd: tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083
gnutls returned error on handshake: No supported cipher suites have been found.
tcpsrv listener (inputname: 'imtcp') failed to process incoming connection with error -2083


Generate Certificates:

The Ubuntu server is hosted at Google Cloud and it generates root certificates during creation with a startup script:


# -------- VARIABLES --------------------------------------------------------------------------
echo "--- VARIABLES ---"

CUSTOMER_NAME="Development" # CHANGE ME

# -------- GENERATE ROOT CERTIFICATE ------------------------------------------------------------
echo "--- GENERATE ROOT CERTIFICATE ---"

mkdir /opt/certs
cd /opt/certs
my_ip=`curl -s ifconfig.me`

# Generate password
rm -f /opt/certs/password.txt
certificate_password=`pwgen 14 1`
echo "$certificate_password" | tee -a /opt/certs/password.txt

# Generate Certificate :: rootCA
touch /opt/certs/rootCA_openssl.cnf

# Generate Certificate :: rootCA :: Contents
root_ca_contents="[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Oslo
organizationName = $CUSTOMER_NAME
commonName = $CUSTOMER_NAME Root CA $my_ip

[ v3_req ]
basicConstraints = CA:true
keyUsage = critical, keyCertSign"

# Generate Certificate :: rootCA :: Put service to file
echo "$root_ca_contents" | tee -a /opt/certs/rootCA_openssl.cnf


# -------- GENERATE SERVER CERTIFICATE ------------------------------------------------------------
echo "--- GENERATE SERVER CERTIFICATE ---"


# Generate Certificate :: Server
touch /opt/certs/server_openssl.cnf

# Generate Certificate :: Server :: Contents
server_contents="[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Oslo
localityName = Oslo
organizationName = $CUSTOMER_NAME
commonName = $my_ip

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = $my_ip"

# Generate Certificate :: Server :: Put service to file
echo "$server_contents" | tee -a /opt/certs/server_openssl.cnf

# -------- GENERATE CERTIFICATE SCRIPT ---------------------------------------------------
echo "--- GENERATE CERTIFICATE SCRIPT ---"


# Generate Certificate Script
touch /opt/certs/generate_certificates.sh
certificate_script="#!/bin/bash

# Variables
echo \"VARIABLES\"
my_ip=\$(curl -s ifconfig.me)
certificate_password=\$(cat /opt/certs/password.txt)
date_ymd=\$(date +\"%Y-%m-%d\")
# CUSTOMER_ABBREVIATION is never set in the VARIABLES section above, so this expands to an empty value (it is not used below)
customer_abbreviation=$CUSTOMER_ABBREVIATION
hostname=\$(hostname)
os_id=\$(lsb_release -is)
os_version=\$(lsb_release -sr)


# CD
cd /opt/certs

# Root CA
echo \"ROOT CA\"

# Root CA :: generating a new RSA private key
openssl genrsa -aes256 -out rootCA_\$my_ip.key --passout pass:\$certificate_password 2048

# Root CA :: Certificate Signing Request (CSR)
openssl req -new -key rootCA_\$my_ip.key -out rootCA_\$my_ip.csr -config rootCA_openssl.cnf --passin pass:\$certificate_password

# Root CA :: Create a self-signed X.509 certificate from a Certificate Signing Request (CSR)
openssl x509 -req -in rootCA_\$my_ip.csr -sha512 -signkey rootCA_\$my_ip.key -out rootCA_\$my_ip.pem -days 364 -extensions v3_req -extfile rootCA_openssl.cnf --passin pass:\$certificate_password

# Root CA :: Remove the passphrase from an RSA private key
openssl rsa -in rootCA_\$my_ip.key -out rootCA_\$my_ip.nopass.key --passin pass:\$certificate_password

# Root CA :: Write the certificate out again with a .crt extension (openssl x509 outputs PEM by default, so the content is unchanged)
openssl x509 -in rootCA_\$my_ip.pem -out rootCA_\$my_ip.crt

# Root CA :: Combine the no-password private key and the certificate into one file
cat rootCA_\$my_ip.nopass.key rootCA_\$my_ip.pem > rootCA_\$my_ip.nopass.pem+key.pem

# Root CA :: Combine the password private key and the certificate into one file
cat rootCA_\$my_ip.key rootCA_\$my_ip.pem > rootCA_\$my_ip.pem+key.pem

# Server certificate (signed by the root CA above)
echo \"SERVER CERTIFICATE\"
openssl genrsa -aes256 -out server_\$my_ip.key --passout pass:\$certificate_password 2048
openssl req -new -key server_\$my_ip.key -out server_\$my_ip.csr -config server_openssl.cnf --passin pass:\$certificate_password
# -CAcreateserial creates the CA serial file on first use; without it older OpenSSL releases fail with 'unable to load CA serial'
openssl x509 -req -in server_\$my_ip.csr -sha256 -CA rootCA_\$my_ip.pem -CAkey rootCA_\$my_ip.key -CAcreateserial -out server_\$my_ip.pem -days 364 -extensions v3_req -extfile server_openssl.cnf --passin pass:\$certificate_password

openssl rsa -in server_\$my_ip.key -out server_\$my_ip.nopass.key --passin pass:\$certificate_password

# Write the server certificate out again with a .crt extension (still PEM-encoded)
openssl x509 -in server_\$my_ip.pem -out server_\$my_ip.crt

# Verify
echo \"VERIFY\"
openssl verify -verbose -CAfile rootCA_\$my_ip.pem server_\$my_ip.pem


# Copy certificates to /etc/ssl/certs/ so we can use them with rsyslog
cp rootCA_\$my_ip.nopass.pem+key.pem /etc/ssl/certs/rootCA_\$my_ip.nopass.pem+key.pem
cp rootCA_\$my_ip.crt /etc/ssl/certs/rootCA_\$my_ip.crt

cp server_\$my_ip.nopass.key /etc/ssl/certs/server_\$my_ip.nopass.key
cp server_\$my_ip.pem /etc/ssl/certs/server_\$my_ip.pem
cp server_\$my_ip.crt /etc/ssl/certs/server_\$my_ip.crt

chmod 644 rootCA_\$my_ip.nopass.pem+key.pem /etc/ssl/certs/rootCA_\$my_ip.nopass.pem+key.pem
chmod 644 rootCA_\$my_ip.crt /etc/ssl/certs/rootCA_\$my_ip.crt

chmod 644 server_\$my_ip.nopass.key /etc/ssl/certs/server_\$my_ip.nopass.key
chmod 644 server_\$my_ip.pem /etc/ssl/certs/server_\$my_ip.pem
chmod 644 server_\$my_ip.crt /etc/ssl/certs/server_\$my_ip.crt


# Zip
echo \"ZIP\"
rm -f /opt/certs/cert.zip
cd /opt/certs
zip \"/opt/certs/cert.zip\" password.txt rootCA_* server_*

# Update Certificate store
sudo update-ca-certificates

"
echo "$certificate_script" | tee -a /opt/certs/generate_certificates.sh
chmod +x /opt/certs/generate_certificates.sh
/opt/certs/generate_certificates.sh


The firewall config looks like this:



config log syslogd3 setting
set status enable
set server "35.2.3.4"
set mode reliable
set port 6514
set enc-algorithm high
end


My Rsyslog config is created at the startup of the Ubuntu server and it looks like this:

# -------- RSYSLOG INSTALL START :: FIREWALL 3 (FORTIGATE FIREWALL) ------------------------------------------
echo "--- RSYSLOG INSTALL START :: FIREWALL 3 (FORTIGATE FIREWALL) ---"
# Rsyslog :: Truncate Rsyslog
sudo truncate -s 0 /etc/rsyslog.conf

# Rsyslog :: Config contents
config_content="# /etc/rsyslog.conf

global(
DefaultNetstreamDriver=\"gtls\"
DefaultNetstreamDriverCAFile=\"/etc/ssl/certs/rootCA_$my_ip.nopass.pem+key.pem\"
DefaultNetstreamDriverCertFile=\"/etc/ssl/certs/server_$my_ip.pem\"
DefaultNetstreamDriverKeyFile=\"/etc/ssl/certs/server_$my_ip.nopass.key\"
)

module(load=\"imtcp\" StreamDriver.Name=\"gtls\" StreamDriver.Mode=\"1\" StreamDriver.Authmode=\"anon\")

# Define a ruleset for the LimaCharlie Adapter
ruleset(name=\"limaCharlieRuleset\") {
*.* action(
type=\"omfwd\"
Target=\"127.0.0.1\"
Port=\"514\"
Protocol=\"tcp\"
)
}

# Use the defined ruleset for logs received on port 6514
input(type=\"imtcp\" port=\"6514\" ruleset=\"limaCharlieRuleset\")

#################
#### MODULES ####
#################

module(load=\"imuxsock\") # provides support for local system logging
#module(load=\"immark\") # provides --MARK-- message capability

# provides kernel logging support and enable non-kernel klog messages
module(load=\"imklog\" permitnonkernelfacility=\"on\")

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Filter duplicated messages
\$RepeatedMsgReduction on

# Set the default permissions for all log files.
\$FileOwner syslog
\$FileGroup adm
\$FileCreateMode 0640
\$DirCreateMode 0755
\$Umask 0022
\$PrivDropToUser syslog
\$PrivDropToGroup syslog

# Where to place spool and state files
\$WorkDirectory /var/spool/rsyslog

# Include all config files in /etc/rsyslog.d/
\$IncludeConfig /etc/rsyslog.d/*.conf

############################
#### DEFAULT RULES ######
############################

# Default rules for local logging (you can customize or remove as needed)
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
mail.err /var/log/mail.err
*.=debug;auth,authpriv.none;news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;auth,authpriv.none;cron.none;daemon.none;mail.none;news.none -/var/log/messages


# Emergencies are sent to everybody logged in.
*.emerg :omusrmsg:*
"

# Rsyslog :: Put config to file
echo "$config_content" | tee /etc/rsyslog.conf

# Rsyslog :: Enable service
sudo systemctl enable rsyslog
sudo systemctl start rsyslog
systemctl restart rsyslog


How can I debug the error?
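A pre-flight script for the certificate files an rsyslog gtls listener loads, as an added example that is not part of the original post and not Fortinet's or rsyslog's own tooling. It builds a throwaway CA and an IP-SAN server certificate the same way the startup script above does (constructed data; the address 192.0.2.10 and the file names ca.pem, server.pem and server.key are placeholders), then checks what a gnutls-based listener needs before any cipher negotiation can happen: the chain verifies against the CA file, the server certificate carries the server IP in its subjectAltName (a subjectAltName that points at a section name not matching its `[ alt_names ]` header, as in the post's `@AlT_names`, means the certificate is never issued, so the check fails), the file handed to DefaultNetstreamDriverCAFile holds certificates only rather than a key+certificate bundle, and the key file is not world-readable. It assumes Linux with openssl 1.1.1 or newer (for `x509 -ext`) and GNU stat on PATH.

```shell
#!/bin/bash
# Pre-flight checks for the certificate material an rsyslog "gtls" listener loads.
# Added example, not code from the original post. Assumes Linux, openssl >= 1.1.1
# and GNU stat. IP address and file names used by demo() are placeholders.
set -u

# check_chain CA_PEM SERVER_PEM: returns 0 when the server cert verifies against the CA
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_ip_san SERVER_PEM IP: returns 0 when the cert carries "IP Address:IP" in its SAN.
# If the cert was never issued (e.g. a misspelled SAN section name made "x509 -req"
# fail) the file is missing and this check fails as well.
check_ip_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "IP Address:$2"
}

# check_trust_store_has_no_key FILE: returns 0 when FILE holds certificates only.
# DefaultNetstreamDriverCAFile is a trust store; the CA private key does not belong there.
check_trust_store_has_no_key() {
  grep -q "BEGIN CERTIFICATE" "$1" && ! grep -q "PRIVATE KEY-----" "$1"
}

# check_key_perms KEY_FILE: returns 0 when "other" has no permission bits (0600, 0640, ...)
check_key_perms() {
  local mode
  mode=$(stat -c %a "$1") || return 1
  [ "${mode: -1}" = "0" ]
}

# make_demo_certs DIR IP: build a throwaway CA and an IP-SAN server cert in DIR (constructed data)
make_demo_certs() {
  local dir="$1" ip="$2"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $ip
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $ip
EOF
  # self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -config "$dir/ca.cnf" >/dev/null 2>&1
  # server CSR, then a CA-signed cert with the v3_req extensions (SAN included)
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" -config "$dir/server.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 30 -extensions v3_req -extfile "$dir/server.cnf" \
    -out "$dir/server.pem" >/dev/null 2>&1
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# run_checks CA_PEM SERVER_PEM SERVER_KEY IP: prints one line per check and
# returns the number of failed checks (0 means the listener's inputs look sound)
run_checks() {
  local ca="$1" cert="$2" key="$3" ip="$4" failed=0
  report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; failed=$((failed + 1)); fi; }
  report check_chain "$ca" "$cert"
  report check_ip_san "$cert" "$ip"
  report check_trust_store_has_no_key "$ca"
  report check_key_perms "$key"
  return "$failed"
}

# demo: generate the constructed certs in a temp dir, run the checks, clean up
demo() {
  local dir ip="192.0.2.10"
  dir=$(mktemp -d)
  make_demo_certs "$dir" "$ip"
  run_checks "$dir/ca.pem" "$dir/server.pem" "$dir/server.key" "$ip"
  local rc=$?
  rm -rf "$dir"
  return "$rc"
}

demo
```

Against the files produced by the startup script above, call run_checks with the rootCA_<ip>.crt, server_<ip>.pem and server_<ip>.nopass.key paths under /etc/ssl/certs and the server's public IP. A clean run rules out the certificate material as the reason the handshake never reaches a common cipher suite and leaves the TLS policy on the two ends (the FortiGate enc-algorithm setting and the rsyslog stream driver mode and authmode) as the remaining things to compare.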

1 REPLY 1
dingjerry_FTNT

Hi @solo1 ,


Please collect some outputs with the following commands:

diag de application syslogd -1

diag debug enable

BTW, in the FortiGate Syslog settings, do you have to use "enc-algorithm high"? I can't tell the setting on your Rsyslog server.

So maybe you can try it with "enc-algorithm disable" or "enc-algorithm low"?

Regards,

Jerry