Vector: TLS PEM cert chain is not correctly being used

Created on 15 May 2020 · 2 Comments · Source: timberio/vector

Hi! I have this ca.pem file that has 6 CA certs belonging to two chains (so there's a chain with a root CA and an intermediate CA, then a second chain with a root CA and two intermediate CAs) and when I try validating my client cert with it I get:

โฏ openssl verify -CAfile cas/foo-certs.pem certs/cert.pem
certs/cert.pem: OK

but then when I set this at the config:

    [sources.tls]
      type = "socket"
      address = "0.0.0.0:6514"
      mode = "tcp"
      tls.enabled = true
      tls.crt_path = "/workdir/cert.pfx"
      tls.ca_path = "/crt/ca.pem"
      tls.verify_certificate = true

I keep getting "remote error: tls: unknown certificate authority" but these are the same files. 'Tis a bug, perhaps? Ofc setting verify_certificate = false works.

security socket bug help

All 2 comments

@binarylogic saw similar behaviour using type = "syslog" so maybe it's a wide TLS thingie.

The TLS CA handling is currently implemented to load a single certificate from the file. I gather openssl command line knows to split the PEM certificates up and load them separately. I will see what we can do to match that behavior.
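An added example (not code from Vector or from the commenters) of the bundle splitting described in the comment above: a std-only Rust function that returns every CERTIFICATE block in a PEM file, so a check can tell whether a loader that reads a single certificate would miss CAs. The function names and the sample bundle are assumptions; the base64 bodies are constructed placeholders, not real certificates.

```rust
// Added example: split a PEM CA bundle into its individual CERTIFICATE blocks.
const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Returns every complete CERTIFICATE block in `bundle`, in file order.
/// Text outside the markers (comments, other PEM types such as keys) is skipped.
/// A malformed bundle is an error rather than being silently truncated.
pub fn split_pem_certs(bundle: &str) -> Result<Vec<String>, String> {
    let mut certs = Vec::new();
    let mut current: Option<Vec<&str>> = None;
    for (n, raw) in bundle.lines().enumerate() {
        let line = raw.trim();
        if line == BEGIN {
            if current.is_some() {
                return Err(format!("line {}: nested BEGIN CERTIFICATE", n + 1));
            }
            current = Some(vec![line]);
        } else if line == END {
            let mut block = current
                .take()
                .ok_or_else(|| format!("line {}: END without BEGIN", n + 1))?;
            block.push(line);
            certs.push(block.join("\n"));
        } else if let Some(block) = current.as_mut() {
            if !line.is_empty() {
                block.push(line);
            }
        }
    }
    if current.is_some() {
        return Err("unterminated CERTIFICATE block at end of file".into());
    }
    Ok(certs)
}

/// Constructed bundle: two placeholder CA entries with comment lines between them.
pub fn sample_bundle() -> String {
    format!("# root CA\n{b}\nAAAA\n{e}\n# intermediate CA\n{b}\nBBBB\n{e}\n", b = BEGIN, e = END)
}

fn main() {
    let certs = split_pem_certs(&sample_bundle()).expect("valid bundle");
    // A loader that reads a single certificate would trust only one of these CAs.
    println!("bundle holds {} certificates; a single-certificate loader sees 1", certs.len());
}
```

Each returned block can then be parsed and added to the trust store separately, which is the behaviour the comment attributes to the openssl command line.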
