Finally, I found that the root cause of this issue is that my certificate was missing the subjectAltName attribute; after adding this attribute I was able to enable mutual authentication between Loki and Promtail successfully.
Here are the detailed certificate generation steps:
- ca
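# Private CA key: it signs every leaf certificate below, so keep ca.key off
# the Loki/Promtail hosts and readable only by the user doing the signing.
openssl genrsa -out ca.key 2048
# Self-signed CA certificate. Its validity must cover the leaf certificates it
# signs (the server/client certs below use -days 1365): a chain stops
# verifying the moment the CA cert expires, so the CA is issued here for
# 1825 days (example value; any lifetime >= the leaf lifetime works).
openssl req -new -x509 -days 1825 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt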
- loki
# Server key and CSR for Loki. -nodes leaves server.key unencrypted, so rely
# on file permissions on the Loki host to protect it.
openssl req \
  -newkey rsa:2048 -nodes \
  -keyout server.key \
  -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.lokiserver.com" \
  -out loki.server.csr
# Sign the CSR with the CA. The subjectAltName extension is the actual fix:
# Go's TLS stack (used by Promtail) matches the dialed hostname against SAN
# entries and ignores the CN, so the name Promtail connects to
# (lokiserver.com) must be listed here. The <(...) process substitution
# requires bash. The chain only verifies while ca.crt itself is valid, so
# keep the CA lifetime >= these 1365 days.
openssl x509 -req \
  -in loki.server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:lokiserver.com,DNS:www.lokiserver.com") \
  -days 1365 \
  -out loki.server.crt
- promtail
# Client key and CSR for Promtail (-nodes: unencrypted key, protect it with
# file permissions on the Promtail host).
openssl req \
  -newkey rsa:2048 -nodes \
  -keyout client.key \
  -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.promtailclient.com" \
  -out promtail.client.csr
# Sign with the same CA so Loki (client_ca_file: ca.crt) can verify the
# client chain. NOTE(review): with RequireAndVerifyClientCert the server
# validates the chain, not DNS names, so the SAN on a client cert is
# presumably harmless rather than required - confirm before relying on it.
# The <(...) process substitution requires bash; ca.srl from the previous
# signing is reused.
openssl x509 -req \
  -in promtail.client.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:promtailclient.com,DNS:www.promtailclient.com") \
  -days 1365 \
  -out promtail.client.crt
And the config:
- loki
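auth_enabled: false

server:
  # http_listen_address: 127.0.0.1
  # NOTE(review): with http_listen_address commented out the HTTP listener
  # presumably binds all interfaces; that is only acceptable because
  # client_auth_type below rejects any connection without a CA-signed
  # client certificate.
  http_listen_port: 3100
  # NOTE(review): only the HTTP listener is covered by http_tls_config.
  # No grpc_tls_config is set for this port, so it speaks plaintext unless
  # it is bound or firewalled elsewhere - confirm that is intended.
  grpc_listen_port: 9096
  http_tls_config:
    # The server certificate's SAN must contain the name Promtail dials
    # (lokiserver.com).
    cert_file: /usr/allen/loki/cert/loki.server.crt
    key_file: /usr/allen/loki/cert/server.key
    # Mutual TLS: every client must present a certificate chaining to
    # client_ca_file.
    client_auth_type: RequireAndVerifyClientCert
    client_ca_file: /usr/allen/loki/cert/ca.crt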
- promtail
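positions:
  # NOTE(review): /tmp is world-writable and may be cleared on reboot; a
  # persistent directory owned by the Promtail user is the usual choice.
  filename: /tmp/positions.yaml

clients:
  - url: https://lokiserver.com:3100/loki/api/v1/push
    tls_config:
      # Trust anchor used to verify the Loki server certificate.
      ca_file: /usr/allen/loki/cert/ca.crt
      # Client certificate and key presented for mutual TLS.
      cert_file: /usr/allen/loki/cert/promtail.client.crt
      key_file: /usr/allen/loki/cert/client.key
      # Must match a SAN entry in loki.server.crt (DNS:lokiserver.com).
      server_name: lokiserver.com
      # Keep false: true would disable server certificate verification.
      insecure_skip_verify: false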