Adding proxy certificate troubleshooting session
tejunior authored and tparanhos committed Oct 20, 2021
1 parent c421223 commit 3c1db60
Showing 1 changed file with 26 additions and 0 deletions.
Expand Up @@ -795,6 +795,32 @@ If you encounter problems with configuring your log forwarder, try these trouble

To solve this problem, check your `newrelic-infra.yml` file, and ensure the `proxy` parameter adheres to this form.

If you're using `caBundleFile` or `caBundleDir` in order to specify any certificate, we recommend to follow the below rules:

**Linux**
For `HTTP` proxies we don't need to setup any certificate. Out of the box the plugin will load the system certificates and we will be able to send logs into the logging endpoint.

For `HTTPS` proxies you can specify the proxy self-signed certificate (PEM file) using either the `caBundleFile` or `caBundleDir` parameters.

**Windows**
Similar to Linux, for `HTTP` proxies we don't need to setup any certificate. Out of the box the plugin will load the system certificates.

For `HTTPS`, **special attention is required**. There are two approaches to configure it: by importing them to the system certificate pool (recommended), or by using the `caBundleFile`/`caBundleDir` options.

Approach 1 - import the proxy certificate to the system pool (**recommended**)
The recommended process to import the proxy self-signed certificate (PEM file) using the MMC tool. You can refer to [this link](https://www.ssls.com/knowledgebase/how-to-import-intermediate-and-root-certificates-via-mmc/), but in Step 2 ensure to import it in your `Trusted Root Certification Authorities` instead of importing it in the `Intermediate Certification Authorities`.

Approach 2 - using `caBundleFile`/`caBundleDir`
On Windows (differently from Linux) we cannot load both the certificates from system certificate pool and the one(s) specified via `caBundleFile`/`caBundleDir`. So, if you are using `caBundleFile` or `caBundleDir`, you must **ensure that the following certificates are placed in the same PEM file (when using `caBundleFile`) or in the same directory (when using `caBundleDir`)**:
* The Proxy certificate (because it's a `HTTPS` proxy)
* The Logging Endpoint certificate (eg. `https://log-api.newrelic.com/log/v1`)
* The Infrastructure Agent certificate (eg. `https://infra-api.newrelic.com`)

Certificates can be checked using the `openssl` command:
```
# openssl s_client -connect log-api.newrelic.com:443 -servername log-api.newrelic.com
```

</Collapser>

<Collapser
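Review bot: In the Approach 2 list, "The Logging Endpoint certificate" and "The Infrastructure Agent certificate" do not say whether the server's own (leaf) certificate or its issuing CA certificates are meant. Because the text above states that on Windows the bundle is used instead of the system pool, this matters: a bundle holding only leaf certificates stops validating as soon as an endpoint renews its certificate. Consider stating that the issuing CA certificates for both endpoints go in the bundle. Related to that, the `openssl s_client` example prints only the server certificate by default; adding `-showcerts` would show the chain the server sends, and the example covers `log-api.newrelic.com` only, so a second line for `infra-api.newrelic.com:443` (also listed above) would help. Smaller points: the leading `#` in the fenced command reads as either a root prompt or a comment, so dropping it avoids confusion; the sentence "The recommended process to import the proxy self-signed certificate (PEM file) using the MMC tool." has no main verb ("is to import" would fix it); and under Approach 1 it is worth a sentence noting that adding the proxy certificate to `Trusted Root Certification Authorities` makes it trusted by the whole machine, not just the log forwarder.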