forward with tls, (X509 code: 26) purpose error #9741

Closed
@cnu80

Bug Report

Describe the bug
I want to send logs from one server to another with fluent-bit. I use the "forward" module for output/input.
Without tls it works as expected. When I enable tls I get these errors on the server side:

Dec 17 13:44:53 xxx fluent-bit[103363]: [2024/12/17 13:44:53] [debug] [downstream] connection #84 failed
Dec 17 13:44:53 xxx fluent-bit[103363]: [2024/12/17 13:44:53] [error] [input:forward:forward.1] could not accept new connection
Dec 17 13:44:54 xxx fluent-bit[103363]: [2024/12/17 13:44:54] [error] [tls] certificate verification failed, reason: unsuitable certificate purpose (X509 code: 26)
Dec 17 13:44:54 xxx fluent-bit[103363]: [2024/12/17 13:44:54] [debug] [downstream] connection #84 failed

To Reproduce
configuration server side:

[INPUT]
    Name systemd

[INPUT]
    Name forward
    Listen 0.0.0.0
    Port 24224
    tls on
    tls.debug 4
    tls.verify on
    tls.ca_file /etc/acme-lego/certificates/chain.crt
    tls.crt_file /etc/acme-lego/certificates/xxx.xx.xx.crt
    tls.key_file /etc/acme-lego/certificates/xxx.xx.xx.key

[OUTPUT]
    Name stdout
    Match *

configuration client side:

[INPUT]
    Name systemd

[OUTPUT]
    Name forward
    Match *
    Host xxx.xx.xx
    Port 24224
    tls on
    tls.ca_file /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    tls.crt_file /etc/acme-lego/certificates/xxx.axxcp.xx.crt
    tls.key_file /etc/acme-lego/certificates/xxx.xx.xx.key

Your Environment
I checked the purpose of the certificate and it is any:


[root@xx certificates]# openssl x509 -noout -in xx.xx.xx.crt  -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Code signing : No
Code signing CA : No
[root@xx certificates]#

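Added example, not part of the original report or of Fluent Bit's code: a shell check over `openssl x509 -noout -purpose` output that answers whether a certificate can be presented by the connecting side or by the listening side. It assumes OpenSSL's default peer verification, where a certificate presented by the connecting side is checked against the "SSL client" purpose and one presented by the listening side against "SSL server" (the "Any Purpose" row is a separate check); the function names are hypothetical and the sample input is an excerpt of the output quoted in the report.

```shell
#!/bin/sh
# Added example (not from the issue). Input: text printed by
#   openssl x509 -noout -in CERT -purpose

# Excerpt of the output quoted in the report above.
sample_purposes() {
    cat <<'EOF'
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Any Purpose : Yes
Any Purpose CA : Yes
EOF
}

# purpose_value LABEL: print the Yes/No value of the line whose label is
# exactly LABEL, so "SSL client" never matches "SSL client CA".
purpose_value() {
    awk -F' *: *' -v want="$1" '$1 == want { print $2; exit }'
}

# cert_fits_role ROLE: ROLE names the side that presents the certificate.
#   client -> checked by the peer against the "SSL client" purpose
#   server -> checked by the peer against the "SSL server" purpose
# Exit status: 0 suitable, 1 unsuitable, 2 unknown role or line not found.
cert_fits_role() {
    case "$1" in
        client) label='SSL client' ;;
        server) label='SSL server' ;;
        *)      return 2 ;;
    esac
    case "$(purpose_value "$label")" in
        Yes*) return 0 ;;
        No*)  return 1 ;;
        *)    return 2 ;;
    esac
}

for role in client server; do
    if sample_purposes | cert_fits_role "$role"; then
        echo "$role: purpose allowed"
    else
        echo "$role: unsuitable certificate purpose (X509 code: 26)"
    fi
done
```

To check a real file, pipe the command's output in, for example `openssl x509 -noout -in CERT -purpose | cert_fits_role client`, where CERT is the file named in the sending side's `tls.crt_file`.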