[rsyslog-notify] Forum Thread: Error: could not load module lmnsd_gtls.so, only init script - (Mode 'post')
noreply at adiscon.com
Wed Mar 12 16:53:44 CET 2014
User: mvoge
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24346#p24346
Message:
----------
Hi,
I am trying to use rsyslog with TLS encryption. The certificates I want to
use come from puppet and were generated using the command `puppet cert
generate' (see http://docs.puppetlabs.com/references/3.4.3/man/cert.html).
The problem is that it doesn't work when I start rsyslog using the
/etc/init.d/rsyslog script. When I do: /etc/init.d/rsyslog start, then I
see in my /var/log/messages:
[code]
Mar 12 15:35:57 test-logclient kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 12 15:35:57 test-logclient rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="23811" x-info="http://www.rsyslog.com"] start
Mar 12 15:35:57 test-logclient rsyslogd-2068: could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]
Mar 12 15:35:57 test-logclient rsyslogd-2068: could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]
[/code]
The same thing happens on both rsyslog client and server.
There are several things I don't understand:
1. I see using `ps aux | grep rsyslogd' that the command that the init
script runs is: `/sbin/rsyslogd -i /var/run/syslogd.pid -c 5' and that also
becomes clear from looking at the /etc/init.d/rsyslog script, in my case on
line 43 within the start() function:
`daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS', where
PIDFILE=/var/run/syslogd.pid, exec=/sbin/rsyslogd, and SYSLOGD_OPTIONS="-c
5".
Running this exact same command as root in the shell, everything works
fine! I have attached a zipped debug log acquired with
[code]/sbin/rsyslogd -i /var/run/syslogd.pid -c 5 -dn > rsyslog_logfile.log[/code]
and I see no errors there!
2. When I don't use the puppet certificates, but self-generated
certificates following the guide here:
http://www.rsyslog.com/doc/rsyslog_secure_tls.html, then everything again
works fine, using the same rsyslog.conf (of
course exchanging the cert paths). The init script doesn't cause problems.
3. I know from this post: http://kb.monitorware.com/post21070.html#p21070
that the error "could not load module
'/usr/local/lib/rsyslog/lmnsd_gtls.so', rsyslog error -2078" actually
means: "I can't read your ca.pem file because the permissions are wrong, so
I'll fail loading the module altogether." But that doesn't seem to be the
problem. Because the permissions of my self-created certs are even more
restrictive than those of the puppet certs. E.g. the CA file:
[code]-r--------. 1 root root 1419 Feb 9 15:53 /etc/pki/rsyslog/ca.pem # own[/code]
[code]-rw-r--r--. 1 root root 1907 Mar 5 17:50 /var/lib/puppet/ssl/certs/ca.pem # puppet[/code]
Even if I set all the certs' permissions (CAFile, CertFile, KeyFile) to 644,
even for the private key, it still won't work in the puppet cert case.
So, I added the options `-dn' to the init script to turn on debugging
there. From that I managed to get a decent debug log that contains the
error (also attached). I do find error messages like this:
[code]
7732.554682580:7fd1aae43700: Requested to load module 'lmnsd_gtls'
7732.554693034:7fd1aae43700: loading module '/lib64/rsyslog/lmnsd_gtls.so'
7732.556239705:7fd1aae43700: source file nsd_gtls.c requested reference for module 'lmnet', reference count now 6
7732.556249263:7fd1aae43700: source file nsd_gtls.c requested reference for module 'lmnsd_ptcp', reference count now 3
7732.558622345:7fd1aae43700: GTLS CA file: '/var/lib/puppet/ssl/certs/ca.pem'
7732.559095055:7fd1aae43700: unexpected GnuTLS error -64 in nsd_gtls.c:583: Error while reading file.
7732.559108609:7fd1aae43700: Called LogError, msg: could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078
7732.559128150:7fd1aae43700: MsgSetTAG in: len 14, pszBuf: rsyslogd-2068:
7732.559134045:7fd1aae43700: MsgSetTAG exit: pMsg->iLenTAG 14, pMsg->TAG.szBuf: rsyslogd-2068:
rsyslogd: could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]
[/code]
Which goes completely along the lines of that other thread (post21070, see
link above, since I'm not allowed to put more URLs). So it might be a
permissions issue, but I don't see how.
Is the init script run as a different user somehow?
Btw., as you can see from the log messages, I am using rsyslog version
5.8.10. I run Scientific Linux 6.5 (so RedHat, CentOS like).
Any comments and ideas highly appreciated.
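
An added example, not part of the original post and not rsyslog code: it pairs each GnuTLS read error in an rsyslog debug log with the CA file named just before it on the same thread, then lists mode, owner and SELinux label for every path component leading to that file, so the output of an init-script run can be compared with a run from the root shell. The function names are this example's own, and the sample lines are the post's debug excerpt with the mail wrapping undone.

```python
import os
import re
import stat

# Debug-log excerpt from the post above, one entry per line (wrapping undone).
SAMPLE = """\
7732.558622345:7fd1aae43700: GTLS CA file: '/var/lib/puppet/ssl/certs/ca.pem'
7732.559095055:7fd1aae43700: unexpected GnuTLS error -64 in nsd_gtls.c:583: Error while reading file.
7732.559108609:7fd1aae43700: Called LogError, msg: could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078
"""

LINE = re.compile(r"^\d+\.\d+:([0-9a-f]+): (.*)$")       # timestamp:thread-id: message
CA = re.compile(r"GTLS CA file: '([^']+)'")
ERR = re.compile(r"unexpected GnuTLS error (-?\d+) in (\S+?):(\d+): (.*)")

def gtls_failures(log_text):
    """Pair each GnuTLS error with the last CA file named on the same thread."""
    last_file, out = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                                     # stderr lines carry no thread id
        tid, msg = m.groups()
        if (f := CA.search(msg)):
            last_file[tid] = f.group(1)
        elif (e := ERR.search(msg)):
            out.append({"file": last_file.get(tid), "code": int(e.group(1)),
                        "where": f"{e.group(2)}:{e.group(3)}", "text": e.group(4)})
    return out

def path_report(path):
    """Mode, owner and SELinux label for every component from / down to path."""
    rows, cur = [], os.path.abspath(path)
    while True:
        try:
            st = os.lstat(cur)
            mode, owner = stat.filemode(st.st_mode), f"{st.st_uid}:{st.st_gid}"
        except OSError as exc:
            mode, owner = f"<{exc.strerror}>", "-"
        try:
            label = os.getxattr(cur, "security.selinux").rstrip(b"\0").decode()
        except (OSError, AttributeError):
            label = "-"                                  # no label, no xattr support, or not Linux
        rows.append((cur, mode, owner, label))
        parent = os.path.dirname(cur)
        if parent == cur:
            return rows[::-1]                            # root first, target last
        cur = parent
```

Feed `gtls_failures()` the full `-dn` output and pass each reported `file` to `path_report()`; rows whose mode reads `<Permission denied>` or whose label differs between the two certificate directories are the ones to compare.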