Solved

REST API Collector Fails With Self-Signed Certificate Error Despite Trusted Cert

  • April 8, 2026
  • 7 replies

This message originated from Cribl Community Slack.

Do the REST API collectors use a different cert store other than the operating system? I have a cert for a server that is trusted by the server, but when running it through the REST collector I get a self-signed error.

Jon Rust
  • Employee
  • April 8, 2026
Cribl Stream should be able to refer to the OS cert store. What OS? Is the cert store defined by env vars? In a non-standard location?

  • Author
  • New Participant
  • April 8, 2026
RHEL 8. It is in a standard location. I did just come across this in the docs: "Add a set of trusted root CAs to the list of trusted CAs that Cribl Stream trusts. Set the NODE_EXTRA_CA_CERTS environment variable for each Worker Node. For example, if you are using systemd, add the following line in each Worker Node's systemd unit file (replace /<path>/<to>/<the>/<directory>/<containing>/<certs>/ca.pem with the path to your CA .pem file)." So I'm guessing the environment variable has to be set for the worker services?

Randy Corelli
  • Employee
  • Answer
  • April 8, 2026
@user, you're correct. If you have a self-signed cert that's used by a REST Collector then you'll want to set that NODE_EXTRA_CA_CERTS environment variable to tell the Worker that it's a trusted cert and get past that error. I'd also recommend setting that environment variable as a systemd override vs. directly in the service file itself. That just helps avoid it being unset should an upgrade ever change the service file itself. The command for that is systemctl edit cribl.service. Screenshot below shows the general syntax (which is also in the docs)
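
Added example, not from the thread or from Cribl's documentation: shell helpers that render the drop-in to paste into systemctl edit cribl.service and then confirm that the running process really carries NODE_EXTRA_CA_CERTS and that it points at a readable PEM bundle. The function names and the CA path in the usage comment are assumptions; substitute your own CA file.

```shell
#!/bin/sh
# Added example (not Cribl's code). Function names and sample paths are assumptions.

# Print the drop-in body for `systemctl edit cribl.service`.
render_override() {  # $1 = absolute path to the CA bundle (PEM)
  case "$1" in
    /*) ;;
    *) echo "CA path must be absolute: $1" >&2; return 2 ;;
  esac
  printf '[Service]\nEnvironment="NODE_EXTRA_CA_CERTS=%s"\n' "$1"
}

# Extract NODE_EXTRA_CA_CERTS from a NUL-separated environ file
# (the format of /proc/<pid>/environ). Prints nothing if it is unset.
extra_ca_from_environ() {  # $1 = environ file
  tr '\0' '\n' < "$1" | sed -n 's/^NODE_EXTRA_CA_CERTS=//p' | head -n 1
}

# Print how many PEM certificates the bundle holds; fail if it is
# unreadable or contains none.
count_pem_certs() {  # $1 = bundle path
  [ -r "$1" ] || { echo "not readable: $1" >&2; return 1; }
  n=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$1") || true
  [ "$n" -gt 0 ] || { echo "no PEM certificates in $1" >&2; return 1; }
  echo "$n"
}

# Combine both checks for one process environment.
check_worker() {  # $1 = environ file of the service process
  ca=$(extra_ca_from_environ "$1")
  [ -n "$ca" ] || { echo "NODE_EXTRA_CA_CERTS is not set in $1" >&2; return 1; }
  n=$(count_pem_certs "$ca") || return 1
  echo "OK: $n extra CA certificate(s) from $ca"
}

# Usage (as root, after restarting the service; CA path is a placeholder):
#   render_override /etc/pki/ca-trust/source/anchors/corp-ca.pem
#   pid=$(systemctl show -p MainPID --value cribl.service)
#   check_worker "/proc/$pid/environ"
```

Node.js reads NODE_EXTRA_CA_CERTS only when the process starts, so restart the service after saving the override and run the check against the new process.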


  • Author
  • New Participant
  • April 8, 2026
Ok, I will try that. I figured since it is a certificate trusted by our corporate CA which is trusted by the server, it would just work.

Randy Corelli
For the sources where you specify the TLS certs, I believe you can give it the chain to get the trust from the CA cert. The REST Collector doesn't really have that setting, so when it sees the cert is self-signed it tends to complain about it. That's been my experience at least.

  • Author
  • New Participant
  • April 8, 2026
Looks like that worked! Thanks for your help.

Randy Corelli
You're very welcome!