Open
Labels
type: bug (A code related bug.)
Description
A note for the community
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Problem
I would like to use SSL client certificate based authentication for mqtt sink, but it doesn't work as expected.
According to the documentation, in order to use a client certificate one has to provide the following configuration options: `tls.ca_file`, `tls.crt_file`, `tls.key_file`, `tls.key_pass`.
A deeper examination of the source code reveals that the relevant client identification parameters are not used:
`vector/src/sinks/mqtt/config.rs`, line 166 in 74380c2:
```rust
let client_auth = None;
```
The same is confirmed by the log message:
DEBUG rustls::client::common: Client auth requested but no cert/sigscheme available
Configuration
```yaml
api:
  enabled: true
  address: 0.0.0.0:8686
sources:
  generate_syslog:
    type: "demo_logs"
    format: "syslog"
    count: 100
sinks:
  sink_mqtt:
    type: mqtt
    inputs:
      - generate_syslog
    encoding:
      codec: json
    host: xxx.xxx.xxx
    port: 28883
    user: ""
    password: ""
    client_id: "logs_forwarder"
    topic: "my.topic"
    tls:
      enabled: true
      ca_file: "/etc/vector/ssl/ca-chain.crt"
      crt_file: "/etc/vector/ssl/my.cert.pem"
      key_file: "/etc/vector/ssl/my.key.pem"
      key_pass: "my.secret"
```
Version
vector 0.49.0 (x86_64-unknown-linux-musl dc7e792 2025-08-12 13:47:08.632326804)
Debug Output
vector | 2025-09-24T01:15:09.259133Z DEBUG rustls::webpki::anchors: add_parsable_certificates processed 2 valid and 0 invalid certs
vector | 2025-09-24T01:15:09.259174Z DEBUG rustls::client::hs: No cached session for DnsName("xxx.xxx.xxx")
vector | 2025-09-24T01:15:09.259233Z DEBUG rustls::client::hs: Not resuming any session
vector | 2025-09-24T01:15:09.261501Z DEBUG rustls::client::hs: Using ciphersuite TLS13_AES_256_GCM_SHA384
vector | 2025-09-24T01:15:09.261521Z DEBUG rustls::client::tls13: Not resuming
vector | 2025-09-24T01:15:09.261586Z DEBUG rustls::client::tls13: TLS1.3 encrypted extensions: []
vector | 2025-09-24T01:15:09.261589Z DEBUG rustls::client::hs: ALPN protocol is None
vector | 2025-09-24T01:15:09.261594Z DEBUG rustls::client::tls13: Got CertificateRequest CertificateRequestPayloadTls13 { context: , extensions: [SignatureAlgorithms([ECDSA_NISTP256_SHA256, ECDSA_NISTP384_SHA384, ECDSA_NISTP521_SHA512, ED25519, ED448, Unknown(2074), Unknown(2075), Unknown(2076), Unknown(2057), Unknown(2058), Unknown(2059), RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512, RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512, Unknown(771), Unknown(769)])] }
vector | 2025-09-24T01:15:09.261600Z DEBUG rustls::client::common: Client auth requested but no cert/sigscheme available
Example Data
No response
Additional Context
No response
References
Related PR(Closed): #21062
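
The pattern in the debug output above (a `CertificateRequest` from the broker, then rustls reporting it has nothing to send), as an added example that is not part of the original issue or Vector's code: it scans debug output for that pattern and records the signature schemes the broker offered, which helps separate a client certificate that was never loaded from a signature-scheme mismatch. `Finding`, `scan`, `server_accepts` and the host `broker.example` are names made up for the example, and it assumes log lines from different connections are not interleaved.

```rust
// Added example, not Vector code. SAMPLE is constructed (placeholder host, shortened list).
pub const SAMPLE: &str = r#"
vector | 2025-09-24T01:15:09.259174Z DEBUG rustls::client::hs: No cached session for DnsName("broker.example")
vector | 2025-09-24T01:15:09.261594Z DEBUG rustls::client::tls13: Got CertificateRequest CertificateRequestPayloadTls13 { context: , extensions: [SignatureAlgorithms([ECDSA_NISTP256_SHA256, ED25519, RSA_PSS_SHA256])] }
vector | 2025-09-24T01:15:09.261600Z DEBUG rustls::client::common: Client auth requested but no cert/sigscheme available
"#;

pub struct Finding {
    pub server: String,       // peer named in the `DnsName("...")` line
    pub timestamp: String,    // when rustls reported it had nothing to send
    pub offered: Vec<String>, // signature schemes the server would accept
}
impl Finding {
    /// True if the server offered a scheme for this key family ("RSA", "ECDSA", ...).
    pub fn server_accepts(&self, family: &str) -> bool {
        self.offered.iter().any(|s| s.starts_with(family))
    }
}

/// Split `[prefix | ]TIMESTAMP LEVEL target: message` into (timestamp, target, message).
fn parse(line: &str) -> Option<(&str, &str, &str)> {
    let rest = line.split_once(" | ").map_or(line, |(_, r)| r).trim();
    let (ts, rest) = rest.split_once(' ')?;
    let (_level, rest) = rest.trim_start().split_once(' ')?;
    let (target, msg) = rest.trim_start().split_once(": ")?;
    Some((ts, target, msg))
}

/// One Finding per unanswered CertificateRequest; assumes connections are not interleaved.
pub fn scan(log: &str) -> Vec<Finding> {
    let (mut out, mut server, mut offered) = (Vec::new(), String::new(), Vec::<String>::new());
    for (ts, _, msg) in log.lines().filter_map(parse).filter(|p| p.1.starts_with("rustls::client")) {
        if let Some(r) = msg.strip_prefix("No cached session for DnsName(\"") {
            server = r.trim_end_matches("\")").to_string(); // a new handshake starts
            offered.clear();
        } else if let Some((_, r)) = msg.split_once("SignatureAlgorithms([") {
            let list = r.split_once("])").map_or(r, |(l, _)| l);
            offered = list.split(", ").map(str::to_string).collect();
        } else if msg.starts_with("Client auth requested but no cert") {
            let offered = std::mem::take(&mut offered);
            out.push(Finding { server: server.clone(), timestamp: ts.to_string(), offered });
        }
    }
    out
}

fn main() {
    scan(SAMPLE).iter().for_each(|f| println!("{} {}: no client cert sent (RSA accepted: {})", f.timestamp, f.server, f.server_accepts("RSA")));
}
```

If `server_accepts` is true for the key type of the configured certificate, the broker would have accepted it, so the empty response points at the client never loading the certificate.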