forward with tls, (X509 code: 26) purpose error #9741

Open
cnu80 opened this issue Dec 17, 2024 · 1 comment
cnu80 commented Dec 17, 2024

Bug Report

Describe the bug
I want to send logs from one server to another one with fluent-bit. I use the "forward" module for output/input.
Without tls it works as expected. When I enable tls I get these errors at the server side:

Dec 17 13:44:53 xxx fluent-bit[103363]: [2024/12/17 13:44:53] [debug] [downstream] connection #84 failed
Dec 17 13:44:53 xxx fluent-bit[103363]: [2024/12/17 13:44:53] [error] [input:forward:forward.1] could not accept new connection
Dec 17 13:44:54 xxx fluent-bit[103363]: [2024/12/17 13:44:54] [error] [tls] certificate verification failed, reason: unsuitable certificate purpose (X509 code: 26)
Dec 17 13:44:54 xxx fluent-bit[103363]: [2024/12/17 13:44:54] [debug] [downstream] connection #84 failed

To Reproduce
configuration server side:

[INPUT]
    Name systemd

[INPUT]
    Name forward
    Listen 0.0.0.0
    Port 24224
    tls on
    tls.debug 4
    tls.verify on
    tls.ca_file /etc/acme-lego/certificates/chain.crt
    tls.crt_file /etc/acme-lego/certificates/xxx.xx.xx.crt
    tls.key_file /etc/acme-lego/certificates/xxx.xx.xx.key

[OUTPUT]
    Name stdout
    Match *

configuration client side:

[INPUT]
    Name systemd

[OUTPUT]
    Name forward
    Match *
    Host xxx.xx.xx
    Port 24224
    tls on
    tls.ca_file /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    tls.crt_file /etc/acme-lego/certificates/xxx.axxcp.xx.crt
    tls.key_file /etc/acme-lego/certificates/xxx.xx.xx.key

Your Environment
I checked the purpose of the certificate and it is any:


[root@xx certificates]# openssl x509 -noout -in xx.xx.xx.crt  -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Code signing : No
Code signing CA : No
[root@xx certificates]#

Additional context

cnu80 commented Dec 17, 2024

I am using [ info] [fluent bit] version=3.2.2.
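
Added example, not part of the issue thread and not Fluent Bit code: OpenSSL raises verification error 26 when a certificate's extended key usage does not cover the role it is being verified for, and a TLS listener that verifies its peer checks the `sslclient` purpose. The script builds a throwaway CA and a leaf restricted to `serverAuth` (matching the `SSL client : No` / `SSL server : Yes` lines above) and verifies it for both roles; every file name and subject in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: all file names and subjects below are constructed for the demo.

make_demo_pki() {
    # $1 = scratch directory. Creates ca.crt and leaf.crt (EKU: serverAuth only).
    local d="$1"
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed demo CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Leaf key and CSR.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=demo-leaf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    # Sign the leaf with an EKU that allows TLS server use only.
    printf 'extendedKeyUsage = serverAuth\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

check_purpose() {
    # $1 = scratch directory, $2 = purpose (sslclient or sslserver).
    # Prints openssl's verdict and returns its exit status.
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/leaf.crt" 2>&1
}

demo() {
    local d p
    d="$(mktemp -d)"
    make_demo_pki "$d" || { echo "openssl could not build the demo PKI" >&2; return 1; }
    for p in sslserver sslclient; do
        echo "== openssl verify -purpose $p"
        check_purpose "$d" "$p"   # sslclient is expected to fail with error 26
    done
    rm -rf "$d"
    return 0
}

demo
```

The same `openssl verify -CAfile ... -purpose sslclient` call can be pointed at a real certificate and CA chain to see whether it is accepted in the client role before it is configured as `tls.crt_file` on the sending side.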
