Certificate verify failing when using a proxy for the vector sink #17629

Closed
joemiller opened this issue Jun 8, 2023 · 2 comments · Fixed by #17651
Labels

  • domain: networking (Anything related to Vector's networking)
  • domain: security (Anything related to security)
  • sink: vector (Anything `vector` sink related)
  • type: bug (A code related bug.)

joemiller commented Jun 8, 2023

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

Attempting to use a CONNECT proxy with the vector sink results in a certificate verification error like:

    error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1921

Configuration

The relevant part of the config is:

    proxy:
      enabled: true
      https: https://proxy.dom.tld:8443

    sinks:
      vector_aggregator:
        type: vector
        inputs:
          - add_env_vars
        address: vector-aggregator.vector.svc.cluster.local:6000
        tls:
          enabled: true
          verify_certificate: false
          verify_hostname: false
          ca_file: /tls/ca.crt
          key_file: /tls/tls.key
          crt_file: /tls/tls.crt

Version

0.30.0

Additional Context

I am able to successfully connect through the proxy using curl.

I believe the proxy side (envoy) is working as I see successful proxy messages in the envoy logs.

Interestingly, when I set up a dummy http sink that targets the same URL I do not receive TLS verification errors. This leads me to suspect the http sink's tls-config is being used by the global proxy config, but the same is not the case for the vector sink.

References

These issues seem similar, if I understand them correctly. Is this a case of needing to port over a similar change to the vector sink? I am weak with Rust and not able to read the code well enough to determine a path forward at this time.

#13683
#13759

@joemiller

Attempt to address this issue here: #17629

@neuronull

Thanks @joemiller, we'll get this looked at. Appreciate the added effort to provide a solution!

jszwedko added the labels sink: vector, domain: security, domain: networking on Jun 12, 2023
github-merge-queue bot pushed a commit that referenced this issue Jul 8, 2023
fixes #17629

---------

Co-authored-by: neuronull <neuronull@pm.me>