Symptom
In Cribl Stream, a REST Collector source can still fail TLS validation with an error similar to "self-signed certificate in certificate chain" even when Reject unauthorized certificates is set to false in the source configuration.
Environment
- Cribl Stream
- REST Collector source
- HTTPS endpoint using a self-signed certificate or private CA-signed certificate chain
- Source configuration includes the Reject unauthorized certificates setting
Resolution
Use a trusted CA bundle instead of relying on the Reject unauthorized certificates toggle for the REST Collector.
- Export or obtain the CA certificate that signs the target HTTPS endpoint.
- Place the CA certificate on the Cribl node or nodes that run the REST Collector.
- Configure the Cribl service to trust that CA by setting the NODE_EXTRA_CA_CERTS environment variable to the full path of the CA bundle.
- Restart or reload the Cribl service so the environment variable is applied.
- Run the REST Collector again and confirm the TLS error no longer occurs.
If the deployment uses distributed workers, place the certificate and environment variable on the nodes that make the outbound REST Collector connection.
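A preflight check for the CA bundle from the steps above, added here as an example (not Cribl's own tooling). It relies on documented Node.js behaviour: a missing or malformed NODE_EXTRA_CA_CERTS file only produces a one-time warning, and the variable is ignored when the binary runs setuid root or has Linux file capabilities set. The function name check_ca_bundle and the optional service-binary argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for a file meant for NODE_EXTRA_CA_CERTS.
# Usage: check_ca_bundle /full/path/to/ca-bundle.pem [path-to-service-binary]
# The second argument is optional and supplied by the operator (no path is assumed).
check_ca_bundle() {
    bundle=$1
    service_bin=${2:-}

    # The variable must hold a full path; a relative one resolves against
    # whatever working directory the service happens to start in.
    case $bundle in
        /*) ;;
        *) echo "FAIL: '$bundle' is not an absolute path" >&2; return 2 ;;
    esac

    # Node.js only emits a one-time warning for a missing or malformed file
    # and then starts without the extra trust, so catch that here instead.
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "FAIL: '$bundle' is missing or unreadable by $(id -un)" >&2; return 3
    fi

    # A trust bundle carries public certificates only.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$bundle"; then
        echo "FAIL: '$bundle' contains a private key" >&2; return 4
    fi

    # Every certificate needs matching PEM BEGIN/END markers.
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "FAIL: found $begins BEGIN and $ends END certificate markers" >&2; return 5
    fi

    # Node.js ignores NODE_EXTRA_CA_CERTS when the binary has the setuid bit
    # (setuid root in the Node.js docs) or Linux file capabilities set.
    if [ -n "$service_bin" ]; then
        caps=$(getcap "$service_bin" 2>/dev/null || true)
        if [ -u "$service_bin" ] || [ -n "$caps" ]; then
            echo "FAIL: '$service_bin' is setuid or has file capabilities" >&2; return 6
        fi
    fi

    echo "OK: $begins certificate(s) in $bundle"
}

# Run as a script when given arguments; defining the function alone is a no-op.
[ $# -eq 0 ] || check_ca_bundle "$@"
```

Run it as the account the Cribl service runs under, so the readability check reflects what the service will see. The check is structural only; it does not confirm that the bundle actually signs the endpoint's certificate chain.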
Cause
This can be caused by:
- A product issue specific to the REST Collector source where the Reject unauthorized certificates setting does not reliably control TLS verification behavior for that source.
- A self-signed certificate or private CA certificate chain that is not trusted by the Cribl process by default.
- A difference between process-level trust configuration and per-connection TLS settings, where NODE_EXTRA_CA_CERTS works because it adds trust at process startup instead of depending on the REST Collector source setting.
