Merge pull request #4407 from tejunior/troubleshooting-proxy-certificate-docs

Adding proxy certificate troubleshooting session
x8a committed Oct 20, 2021
2 parents c421223 + d160730 commit e54fc16
Showing 1 changed file with 24 additions and 0 deletions.
Expand Up @@ -795,6 +795,30 @@ If you encounter problems with configuring your log forwarder, try these trouble

To solve this problem, check your `newrelic-infra.yml` file, and ensure the `proxy` parameter adheres to this form.

If you're using `caBundleFile` or `caBundleDir` in order to specify any certificate, we recommend to follow the below rules for each OS:

**Linux**
For `HTTP` proxies you don't need to setup any certificates. The plugin loads the system certificates and New Relic sends logs into the logging endpoint. However, you can specify the proxy self-signed certificate (PEM file) using either the `caBundleFile` or `caBundleDir` parameters.

**Windows**
- For `HTTP` proxies you don't need to setup any certificates. The plugin loads the system certificates.

- For `HTTPS`, you can configure it in one of the following ways:

* Import the proxy certificate to the system pool (Recommended)
Import the proxy self-signed certificate (PEM file) by using the MMC tool. Refer to [this link](https://www.ssls.com/knowledgebase/how-to-import-intermediate-and-root-certificates-via-mmc/), and in **Step 2** ensure to import it in your `Trusted Root Certification Authorities`, instead of in the `Intermediate Certification Authorities`.

* Using the `caBundleFile` and `caBundleDir` parameters
On Windows, we cannot load both the certificates from the system certificate pool and the ones specified with the `caBundleFile` `caBundleDir` parameters. So, if you are using `caBundleFile` or `caBundleDir`, ensure that the following certificates are placed in the same PEM file (when using `caBundleFile`) or in the same directory (when using `caBundleDir`):
- The Proxy certificate (because it's an `HTTPS` proxy).
- The Logging Endpoint certificate (eg. `https://log-api.newrelic.com/log/v1`).
- The Infrastructure Agent certificate (eg. `https://infra-api.newrelic.com`).

You can check the certificates by running:
```
# openssl s_client -connect log-api.newrelic.com:443 -servername log-api.newrelic.com
```

</Collapser>

<Collapser
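
Review bot: The **Linux** paragraph only addresses `HTTP` proxies, yet its last sentence offers `caBundleFile`/`caBundleDir` for "the proxy self-signed certificate", which only matters for an `HTTPS` proxy; split it into `HTTP` and `HTTPS` bullets as the **Windows** section does, and state whether Linux combines the bundle with the system pool. In the Windows `caBundleFile` paragraph, "`caBundleFile` `caBundleDir` parameters" is missing an "or". In the final code block the leading `#` turns the line into a shell comment when pasted, so drop it and give the fence a language tag; the command also only covers `log-api.newrelic.com`, while the list above it also requires the proxy and `infra-api.newrelic.com` certificates, so either show those hosts too or say the host should be substituted. It is also worth noting next to the MMC step that a self-signed certificate imported into `Trusted Root Certification Authorities` becomes trusted machine-wide, not only by the agent.
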