Is it possible to trust self signed certifications when configuring webhooks?

I’m trying to configure a webhook to ship logs to Logstash but I’m getting this error:
“KumoMTA internal: failed to connect to any candidate hosts: only one connection attempt per session”

The Logstash instance uses self-signed certificates and my best guess is that’s what’s causing the failure. Is there a way to trust the self-signed certs so I can verify that

KumoMTA typically does not have any issues with self-signed certs. To eliminate that concern, you could set enable_tls to “OpportunisticInsecure” or even “Disabled”

I think it is more likely something else in your configuration or even in Logstash, but it is hard to tell without seeing your full configs.

Thanks Tom. The webhook configuration is simply:

```lua
-- log_hooks:new_json registers a webhook that receives each log record as JSON.
log_hooks:new_json {
  name = 'webhook',
  -- Logstash is listening with TLS on 5044; the scheme has to be https
  -- for the hook to attempt a TLS connection at all.
  url = 'https://logstash:5044',
  log_parameters = {
    -- message meta keys to include in every record that is posted
    meta = {'x-master-id', 'x-sender-id'},
  },
}
```

I’ve spun up a simple setup locally with Kumomta, Logstash and Elasticsearch running in docker. I confirmed that if I disable TLS in Logstash and configure http in the hook url then the webhook works just fine. When I re-enable TLS in Logstash and update the url to use https, nothing comes through. I’m not getting any errors when running locally either, just no data in Logstash.

I’m not seeing the enable_tls option in kumo.http.build_client documentation or code.

I think kumo.http.build_client: use system certificate store · KumoCorp/kumomta@3966ca5 · GitHub is what you want here. That’ll show up in our package repos within the next 30-60 minutes or so

Thanks Wez! I tried the new image plus adding my self-signed cert to trusted certificates but no change:

```
kumomta       | 2025-03-03T20:23:38.991947Z TRACE      logging-2 kumod::logging::files: do_record JsonLogRecord { kind: TransientFailure, id: "644ec3a8f86d11ef95130242ac140003", sender: "sender@example.com", recipient: "recipient@example.com", queue: "webhook.log_hook", site: "unspecified->webhook.log_hook@lua:make.webhook.log_hook", size: 728, response: Response { code: 400, enhanced_code: None, content: "KumoMTA internal: failed to connect to any candidate hosts: only one connection attempt per session", command: None }, peer_address: None, timestamp: ...feedback_report: None, meta: {}, headers: {}, delivery_protocol: Some("Lua"), reception_protocol: Some("LogRecord"), nodeid: a15a0028-22d4-492c-8665-796f80ecdc3d, tls_cipher: None, tls_protocol_version: None, tls_peer_subject_name: ... }
```

gist with minimal steps to reproduce:

https://gist.github.com/stegojulia/feda92f639d5590577ed6666e267047b

When I try an older Kumo image (e.g. kumomta:2024.06.10-84e84b89) the error is different:

```
make.webhook.log_hook", addr: 0.0.0.0 } }}: kumod::ready_queue: failed to send message id SpoolId
...
kumomta       | caused by: error sending request for url (https://testserver:5044/): error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
kumomta       | 2025-03-03T20:50:33.346255Z DEBUG       readyq-2 kumod::ready_queue: Error in Dispatcher::run for unspecified->webhook.log_hook@lua:make.webhook.log_hook: deliver_message: callback error
kumomta       | stack traceback:
kumomta       |         [C]: in local 'poll'
kumomta       |         [string "?"]:5: in method 'send'
kumomta       |         [string "/opt/kumomta/etc/policy/init.lua"]:38: in function <[string "/opt/kumomta/etc/policy/init.lua"]:31>
kumomta       | caused by: error sending request for url (https://testserver:5044/): error tryi
```

It works OK with a trusted CA or http.

You need to set SSL_CERT_FILE and/or SSL_CERT_DIR in the environment of the spawned kumod process in order for it to find your adjusted set of trusted certificates, if you want its clients to trust your certificates.
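Two things in this thread matter for anyone hitting the same wall: the `CaUsedAsEndEntity` error in the older image's log is the TLS client (rustls/webpki) refusing a server certificate that carries `basicConstraints CA:TRUE`, which is what you get when a single self-signed "CA" cert is handed straight to Logstash as its server cert; and the fix for the trust side is to expose the CA to kumod through `SSL_CERT_FILE`/`SSL_CERT_DIR`, as Wez says. The script below is an added example, not code from the thread or from the KumoMTA project. It builds a minimal test PKI with openssl (a CA plus a CA:FALSE leaf for the `logstash` host name taken from the webhook url), provides a check that tells a CA cert apart from a usable leaf, verifies the chain the way kumod will once it trusts the CA, and prints where the CA bundle has to go. The CA name, file names, and the docker-compose mount path are assumptions made for the example; openssl 1.1.1 or newer is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread or the KumoMTA project).
# Assumptions: host name "logstash" comes from the webhook url in the thread;
# "Local Test CA", the file names and the mount path below are made up here.
set -eu

# A CA certificate is CA:TRUE. If this is the certificate the server presents
# as its own, a rustls client fails with
# "invalid peer certificate: Other(CaUsedAsEndEntity)".
make_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Local Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -config "$dir/ca.cnf" -extensions v3_ca 2>/dev/null
}

# The server (end-entity) certificate: CA:FALSE, serverAuth, and a DNS SAN
# matching the host in the url (rustls ignores the CN for name matching).
make_leaf() {
  dir=$1
  host=$2
  cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -config "$dir/leaf.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/leaf.crt" \
    -extfile "$dir/leaf.cnf" -extensions v3_leaf 2>/dev/null
}

# Exit 0 when the cert carries basicConstraints CA:TRUE, i.e. it would be
# rejected as a server certificate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 when the cert has a DNS SAN for the given host.
has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Exit 0 when the leaf chains to the CA; this is the check kumod performs
# once SSL_CERT_FILE points at ca.crt.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

main() {
  work=$(mktemp -d)
  make_ca "$work"
  make_leaf "$work" logstash
  is_ca_cert "$work/ca.crt" && echo "ca.crt is CA:TRUE: presenting it as the server cert yields CaUsedAsEndEntity"
  is_ca_cert "$work/leaf.crt" || echo "leaf.crt is CA:FALSE: usable as the Logstash server certificate"
  verify_leaf "$work/ca.crt" "$work/leaf.crt" && echo "leaf.crt verifies against ca.crt"
  echo "Give Logstash leaf.crt + leaf.key; give kumod the CA, e.g. in docker-compose (hypothetical path):"
  echo "  environment:"
  echo "    SSL_CERT_FILE: /etc/ssl/certs/local-ca.crt   # a mounted copy of $work/ca.crt"
}

main
```

Run it once and reuse `is_ca_cert` on whatever Logstash is actually serving (`openssl s_client -connect logstash:5044 -showcerts` will dump it); if that check says CA:TRUE, no amount of trust configuration on the kumod side will make the connection succeed, because the leaf itself is invalid. Only after the server presents a proper leaf does `SSL_CERT_FILE` (pointing at the CA, not the leaf) in the kumod container's environment come into play.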