Can fluent-bit talk with Fluentd v0.14 in_forward using TLS? #350
Comments
We were doing some troubleshooting today. We found that Fluentd v0.14 uses the Basic Constraints extension when configuring SSL/TLS, which makes the problem visible; in Fluentd v0.12 this is not enabled and the communication works well. No solution is available yet, as we are figuring out where the fix or improvement should be done. More updates within the week. |
Thank you for your information. I will check updates. |
I managed to make it work, it was a setup issue. I've generated a self-signed cert as this:
then in Fluentd 0.14.20 I started it with the following config:
then started Fluent Bit as follows:
Let me know how it goes. |
I could not confirm working with TLS.
My openssl command version is I removed
|
My key.pem starts with |
What command did you use to generate the certificates? |
I've tried following 4 commands:
|
Why is this issue marked as fixed? This is not working for me either. I tried the method described here: #350 (comment) and got the exact same errors as @okkez above... |
I've removed the fixed label. Would you please re-run Fluent Bit, adding the option '-p tls.debug=3' on forward, and paste the output here? |
My exact setup was this: OpenSSL command: Fluentd with version fluentd-0.12.32 with gem 'fluent-plugin-secure-forward' version '0.4.5' The config
On the client side:
|
Just a bit more information:
|
I was dealing with the same thing yesterday, my scenario is as follows (using Fluentd to isolate the issue):
Is anybody able to make that kind of local/self-signed certs work? |
We also faced this issue. Server side is Fluentd 0.14.21 with TLS in_forward, essentially the exact same
|
@edsiper: I dug deeper and it seems that there are two problems in fluentd certificate creation that cause this:
Here's a sample patch to fluentd that seems to fix the problem for me:
|
@mpeltonen Thanks so much for helping to troubleshoot/fix this. For now, waiting for some feedback on fluent/fluentd#1711 |
I agree with @mpeltonen that this Certificate generation code is the cause.
In addition to it, my suggestions;
cf. https://github.com/nahi/ruby-crypt/blob/master/CA.rb/gen_cert.rb#L61-L115 |
@nahi Hey! Thanks for the comments. At this point we need to move the conversation to fluent/fluentd#1711 |
@edsiper Indeed. As @repeatedly asked me I posted here but it should be an issue of fluentd. |
The issue has been fixed on the Fluentd side. |
This adds a basic explanation on how to register & manipulate Fluent Bit as Windows Service. This should be useful for users who want to install Fluent Bit to their Windows servers. Signed-off-by: Fujimoto Seiji <fujimoto@ceptord.net>
I'm trying to use fluent-bit with Fluentd v0.14.20 in_forward using TLS with private CA.
fluent-bit: 70d0594 (built myself)
fluent-bit.conf:
fluent.conf:
I got errors from fluent-bit:
I got errors from Fluentd in_forward:
The configuration for in_forward works with Fluentd's out_forward using the following configuration:
I've created the CA files with the following command:
Additional information: it works well without TLS.