rsyslog with TLS: error "peer did not provide a certificate, not permitted to talk to it"

0

I am getting the following error message. I have gone over and over my configuration and it looks ok. I tried different StreamDriver.authmode values, x509/name or x509/certvalid, but I get the same error. Any help much appreciated.

May 23 13:10:56 SYSLOG01 rsyslogd: peer did not provide a certificate, not permitted to talk to it [v8.24.0 try http://www.rsyslog.com/e/2085 ]
May 23 13:10:56 SYSLOG01 rsyslogd: netstream session 0x7f7e08673e20 from 10.1.4.42 will be closed due to error  [v8.24.0 try http://www.rsyslog.com/e/2089 ]
May 23 13:10:58 SYSLOG01 rsyslogd: peer did not provide a certificate, not permitted to talk to it [v8.24.0 try http://www.rsyslog.com/e/2085 ]
May 23 13:10:58 SYSLOG01 rsyslogd: netstream session 0x7f7e08670f10 from 10.1.4.42 will be closed due to error  [v8.24.0 try http://www.rsyslog.com/e/2089 ]

Here is my server configuration:

SYSLOG server:

    [root@syslog01 ~]# cat /etc/redhat-release
    CentOS Linux release 7.5.1804 (Core)


    [root@SYSLOG01 ~]# rsyslogd -v
    rsyslogd 8.24.0, compiled with:
            PLATFORM:                               x86_64-redhat-linux-gnu
            PLATFORM (lsb_release -d):
            FEATURE_REGEXP:                         Yes
            GSSAPI Kerberos 5 support:              Yes
            FEATURE_DEBUG (debug build, slow code): No
            32bit Atomic operations supported:      Yes
            64bit Atomic operations supported:      Yes
            memory allocator:                       system default
            Runtime Instrumentation (slow code):    No
            uuid support:                           Yes
            Number of Bits in RainerScript integers: 64

    See http://www.rsyslog.com for more information.

part of /etc/rsyslog.conf:

    $DefaultNetstreamDriver gtls

    #TLS Certificate
    $DefaultNetstreamDriverCAFile  /etc/pki/rsyslog/root-.crt
    $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/Star.crt
    $DefaultNetstreamDriverKeyFile  /etc/pki/rsyslog/privatekey.key
    module(load="imtcp"
           MaxSessions="2000"
           StreamDriver.mode="1"
           StreamDriver.authmode="x509/name"
           PermittedPeer="*.mydomain.com"
    )
    input(type="imtcp" port="20514" name="tcp-tls")

RSYSLOG client:

    [root@syslog02 ~]# cat /etc/redhat-release
    CentOS Linux release 7.5.1804 (Core)

    [root@SYSLOG02 ~]# rsyslogd -v
    rsyslogd 8.24.0, compiled with:
            PLATFORM:                               x86_64-redhat-linux-gnu
            PLATFORM (lsb_release -d):
            FEATURE_REGEXP:                         Yes
            GSSAPI Kerberos 5 support:              Yes
            FEATURE_DEBUG (debug build, slow code): No
            32bit Atomic operations supported:      Yes
            64bit Atomic operations supported:      Yes
            memory allocator:                       system default
            Runtime Instrumentation (slow code):    No
            uuid support:                           Yes
            Number of Bits in RainerScript integers: 64

    See http://www.rsyslog.com for more information.

part of /etc/rsyslog.conf:

    $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/root-.crt
    $ActionSendStreamDriverMode 1 # require TLS for the connection
    $ActionSendStreamDriverAuthMode x509/name # server is NOT authenticated

    local6.info action(
                    type="omfwd"
                    Target="syslog01.mydomain.com"
                    Port="20514"
                    Protocol="tcp"
                    RebindInterval="30"
                    ResendLastMSGOnReconnect="on"
                    queue.FileName="srvrfwd"
                    queue.MaxDiskSpace="1g"
                    queue.SaveOnShutdown="on"
                    queue.Type="LinkedList"
                    action.resumeRetryCount="-1"
    )

I checked the certificate from the client without problems:

[root@syslog02 ~]# openssl s_client -connect syslog01.mydomain.com:20514
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.mydomain.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.mydomain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.mydomain.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Acceptable client certificate CA names
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2000 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4B29E9A82F76C46DE7E2D5977A99E82DA574E11A60CCCCA53A07DC02815FC130
    Session-ID-ctx:
    Master-Key: VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaA2E3CF4AD6AF7826F3F4306F68225F
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1527107891
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
    
by Raza 23.05.2018 / 22:44
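In rsyslog's gtls driver every x509/* authmode makes the listener demand a certificate from the connecting peer, which is exactly what "peer did not provide a certificate" reports (the s_client output above also shows the server sending "Acceptable client certificate CA names"), while the client fragment above configures only a CA file. As an added example, not from the post or from the rsyslog project, the following Python check parses a fragment written in the legacy `$Directive` style or the `module()`/`action()` parameter style and reports which certificate material the chosen authmode still needs; the two fragments and their file paths are constructed for the example.

```python
import re

# Constructed fragments modelled on the post's client and server configs.
CLIENT_CONF = """
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/root-ca.crt
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name
"""
SERVER_CONF = """
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile  /etc/pki/rsyslog/root-ca.crt
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/server.crt
$DefaultNetstreamDriverKeyFile  /etc/pki/rsyslog/server.key
module(load="imtcp" StreamDriver.mode="1" StreamDriver.authmode="x509/name"
       PermittedPeer="*.mydomain.com")
"""
LEGACY_RE = re.compile(r'^\s*\$(\w+)\s+(\S+)')   # legacy "$Directive value" line
PARAM_RE = re.compile(r'([\w.]+)="([^"]*)"')       # name="value" inside module()/action()

def parse_fragment(text):
    """Flatten legacy directives and object parameters into one lower-cased dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]              # drop trailing comments
        m = LEGACY_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
        for key, value in PARAM_RE.findall(line):
            settings[key.lower()] = value
    return settings

def check_tls_material(text):
    """Return a list of findings for one host's fragment; empty means consistent."""
    s = parse_fragment(text)
    authmode = (s.get('streamdriver.authmode')
                or s.get('actionsendstreamdriverauthmode') or 'anon').lower()
    if authmode == 'anon':
        return []                                 # anonymous TLS: nothing to check
    findings = []
    if 'defaultnetstreamdrivercafile' not in s:
        findings.append(f'{authmode}: no $DefaultNetstreamDriverCAFile to validate the peer')
    # Every x509/* mode makes gtls demand a certificate from the peer, so each side
    # must be able to present one; a CA file alone is not enough.
    for d in ('DefaultNetstreamDriverCertFile', 'DefaultNetstreamDriverKeyFile'):
        if d.lower() not in s:
            findings.append(f'{authmode}: this host cannot present a certificate, ${d} is missing')
    if authmode in ('x509/name', 'x509/fingerprint') and not (
            s.get('permittedpeer') or s.get('actionsendstreamdriverpermittedpeer')):
        findings.append(f'{authmode}: no PermittedPeer list, so no peer can be accepted')
    return findings
```

Calling `check_tls_material(CLIENT_CONF)` reports the missing CertFile, KeyFile and PermittedPeer for the client side, while the server fragment comes back clean.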

0 answers