Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vector elasticsearch sink ssl verify failed #22389

Closed
freedomwarrior opened this issue Feb 8, 2025 · 1 comment
Closed

vector elasticsearch sink ssl verify failed #22389

freedomwarrior opened this issue Feb 8, 2025 · 1 comment
Labels
domain: security Anything related to security

Comments

@freedomwarrior
Copy link

freedomwarrior commented Feb 8, 2025
edited
Loading

Hello.
I'm using vector to collect docker logs and send them to victorialogs server.
When vector try to send logs, this error happens:

2025-02-08T07:19:28.554733Z  WARN sink{component_kind="sink" component_id=elasticsearch component_type=elasticsearch}:request{request_id=1}:http: vector::internal_events::http_client: HTTP error. error=error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2092:: unable to get local issuer certificate error_type="request_failed" stage="processing" internal_log_rate_limit=true

But, ssl certificated at the victorialogs server is ok, and issued by letsencrypt. Have no problems connecting to vmui from chrome.

Here is my configs:

vector.yaml
api:
  enabled: true
  address: 127.0.0.1:8686
sources:
  docker:
    type: docker_logs
  vector_metrics:
    type: internal_metrics
transforms:
  msg_parser:
    type: remap
    inputs: [docker]
    source: |
      .message = parse_json(.message) ?? .message
sinks:
  elasticsearch:
    type: elasticsearch
    inputs: [msg_parser]
    endpoints: [https://vlogs-server.com:8427/vlogs/insert/elasticsearch/]
    mode: bulk
    api_version: v8
    compression: gzip
    tls:
#      verify_certificate: false
    auth:
      strategy: basic
      user: admin
      password: secretpassword
    healthcheck:
      enabled: false
    request:
      headers:
        VL-Stream-Fields: source_type,label.com.docker.compose.service
        VL-Time-Field: timestamp
        VL-Msg-Field: message,log
        AccountID: "0"
        ProjectID: "0"

On victorialogs server side I'm using vmauth as a proxy for all my components, and all of them run in docker:

users:
  - username: "admin"
    password: "secretpassword"
    url_map:
      - src_paths:
        - "/vlogs/.*"
        drop_src_path_prefix_parts: 1
        url_prefix: "http://victorialogs:9428/"
      - src_paths:
        - "/vmetrics/.*"
        drop_src_path_prefix_parts: 1
        url_prefix: "http://victoriametrics:8428/"

When I set tls.verify_certificate: false, everything works as expected.

vmauth:v1.110.0
vector:0.42.X-distroless-libc
@freedomwarrior
Copy link
Author

Seems like I found the problem, I forgot to add -httpListenAddr="0.0.0.0:8427" to vmauth.

@pront pront added the domain: security Anything related to security label Feb 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
domain: security Anything related to security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pront @freedomwarrior