Closed
Description
Bug Report
Describe the bug
I want to send logs from one server to another one with fluent-bit. I use the "forward" module for output/input.
Without tls it works as expected. When I enable tls I get these errors on the server side:
Dec 17 13:44:53 xxx fluent-bit[103363]: [2024/12/17 13:44:53] [debug] [downstream] connection #84 failed
Dec 17 13:44:53 xxx fluent-bit[103363]: [2024/12/17 13:44:53] [error] [input:forward:forward.1] could not accept new connection
Dec 17 13:44:54 xxx fluent-bit[103363]: [2024/12/17 13:44:54] [error] [tls] certificate verification failed, reason: unsuitable certificate purpose (X509 code: 26)
Dec 17 13:44:54 xxx fluent-bit[103363]: [2024/12/17 13:44:54] [debug] [downstream] connection #84 failed
To Reproduce
configuration server side:
[INPUT]
    Name systemd
[INPUT]
    Name forward
    Listen 0.0.0.0
    Port 24224
    tls on
    tls.debug 4
    tls.verify on
    tls.ca_file /etc/acme-lego/certificates/chain.crt
    tls.crt_file /etc/acme-lego/certificates/xxx.xx.xx.crt
    tls.key_file /etc/acme-lego/certificates/xxx.xx.xx.key
[OUTPUT]
    Name stdout
    Match *
configuration client side:
[INPUT]
    Name systemd
[OUTPUT]
    Name forward
    Match *
    Host xxx.xx.xx
    Port 24224
    tls on
    tls.ca_file /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    tls.crt_file /etc/acme-lego/certificates/xxx.axxcp.xx.crt
    tls.key_file /etc/acme-lego/certificates/xxx.xx.xx.key
Your Environment
I checked the purpose of the certificate and it is any:
[root@xx certificates]# openssl x509 -noout -in xx.xx.xx.crt -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Code signing : No
Code signing CA : No
[root@xx certificates]#
Additional context
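Added example (not part of the original report and not fluent-bit code): a small parser for the `openssl x509 -purpose` output shown above that checks whether a certificate is acceptable for the TLS role it is presented in. It assumes the server-side error comes from verifying the certificate sent by the forward client; `parse_purposes`, `check_role` and `REQUIRED` are names chosen for this example.

```python
import re

# Excerpt of the `openssl x509 -noout -purpose` output from the report above.
SAMPLE = """\
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Any Purpose : Yes
Any Purpose CA : Yes
"""

# Purpose line OpenSSL requires of a leaf certificate, keyed by the TLS role
# in which that certificate is presented to the verifying peer.
REQUIRED = {"client": "SSL client", "server": "SSL server"}


def parse_purposes(text):
    """Return {purpose name: bool} parsed from `openssl x509 -purpose` output."""
    purposes = {}
    for line in text.splitlines():
        # "<name> : Yes|No"; the "Certificate purposes:" header has no value.
        m = re.match(r"^\s*(.+?)\s*:\s*(Yes|No)\b", line)
        if m:
            purposes[m.group(1)] = m.group(2) == "Yes"
    return purposes


def check_role(text, role):
    """Return (ok, message) for presenting this certificate as `role`."""
    purposes = parse_purposes(text)
    name = REQUIRED[role]
    if name not in purposes:
        return False, f"'{name}' line not found in output"
    if purposes[name]:
        return True, f"'{name}' is Yes: usable as a TLS {role} certificate"
    # 'Any Purpose : Yes' does not satisfy the role-specific check.
    return False, (f"'{name}' is No: a verifying peer rejects it with "
                   "X509 code 26, whatever 'Any Purpose' says")


if __name__ == "__main__":
    for role in ("server", "client"):
        ok, msg = check_role(SAMPLE, role)
        print(f"{role}: {'OK' if ok else 'FAIL'} - {msg}")
```

X509 code 26 is OpenSSL's invalid-purpose verification error, and the purpose checked is the one for the role of the peer whose certificate is being verified.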