NOTE: This usually happens on Windows machines that, for some reason, are missing the CN = ISRG Root X1 certificate.
It usually manifests when Fluent Bit on those machines stops sending data and logs a message similar to: [tls] error: unexpected EOF
Example:
[2025/02/12 22:32:27] [error] [tls] error: unexpected EOF
[2025/02/12 22:32:27] [debug] [upstream] connection #1480 failed to <customer_id>.collect.observeinc.com:443
[2025/02/12 22:32:27] [debug] [task] task_id=0 reached retry-attempts limit 1/1
[2025/02/12 22:32:27] [error] [engine] chunk '1828-1739399533.130770400.flb' cannot be retried: task_id=0, input=tail.2 > output=http.0
[2025/02/12 22:32:27] [error] [output:http:http.0] no upstream connections available to <customer_id>.collect.observeinc.com:443
[2025/02/12 22:32:27] [debug] [task] destroy task=0000023ECBE0D500 (task_id=0)
The certificate can be downloaded from https://letsencrypt.org/certs/isrgrootx1.pem
Alternatively, it can be exported from Windows machines that have it and imported into the Windows machines that do not.
Root CA Certificate listing and filter
If you want to filter certificates by a specific subject or other criteria, you can use the Where-Object cmdlet. For example, in PowerShell:
# List the certificates in the Trusted Root Certification Authorities store
$rootCAs = Get-ChildItem -Path Cert:\LocalMachine\Root
# Filter certificates by subject
$filteredCAs = $rootCAs | Where-Object { $_.Subject -match "ISRG" }
# Display the filtered certificates
$filteredCAs | Select-Object -Property Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
Root CA Certificate import/installation
Replace Your-Root-CA-Name with the name of one of the certificates.
Here’s a complete script to locate and export a root CA certificate:
# Define the subject name of the root CA certificate
$caSubject = "Your-Root-CA-Name"
# Locate the root CA certificate in the Trusted Root Certification Authorities store
$rootCA = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $caSubject }
if ($rootCA) {
    # Define the export path
    $exportPath = "C:\path\to\export\root-ca-certificate.cer"
    # Export the certificate
    $rootCA | Export-Certificate -FilePath $exportPath -Type CERT
    # Verify the export
    if (Test-Path $exportPath) {
        Write-Host "Root CA certificate exported successfully to: $exportPath"
    } else {
        Write-Host "Failed to export the root CA certificate."
    }
} else {
    Write-Host "Root CA certificate not found in the store."
}
Root CA Certificate import
On the machine that needs the certificate, you can import it using the following PowerShell script:
# Define the path to the certificate
$certPath = "C:\path\to\your\root-ca-certificate.cer"
# Import the certificate into the Trusted Root Certification Authorities store
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root
# Verify the installation
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "Your-Root-CA-Name" }
if ($cert) {
    Write-Host "Certificate installed successfully:"
    $cert | Format-List *
} else {
    Write-Host "Certificate installation failed or not found."
}
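Anything placed in Cert:\LocalMachine\Root is trusted by every TLS client on the machine, so the file should be checked before the import step above is run. The script below is an added example, not part of the original article: it gates the import on the thumbprint, subject, self-issuance and validity period. The function name Test-RootCandidate is hypothetical, and $expectedThumbprint is a placeholder to be filled with the Thumbprint value shown by the listing step on a machine that already has the certificate.

```powershell
# Added example: verify a root CA file before trusting it machine-wide.
# $certPath reuses the article's placeholder path; $expectedThumbprint is a
# placeholder, not a real value (copy it from a machine that has the certificate).
$certPath           = "C:\path\to\your\root-ca-certificate.cer"
$expectedSubject    = "CN=ISRG Root X1"
$expectedThumbprint = "<THUMBPRINT-FROM-A-MACHINE-THAT-HAS-THE-CERT>"

function Test-RootCandidate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Subject,
        [string]$Thumbprint
    )
    $problems = @()
    # Normalise thumbprints that were copied with spaces or colons
    $want = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Cert.Thumbprint -ne $want) { $problems += "thumbprint mismatch: $($Cert.Thumbprint)" }
    if ($Cert.Subject -notlike "*$Subject*") { $problems += "unexpected subject: $($Cert.Subject)" }
    # A root certificate is self-issued: subject and issuer are identical
    if ($Cert.Subject -ne $Cert.Issuer) { $problems += "not self-issued (issuer: $($Cert.Issuer))" }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += "outside validity period" }
    return ,$problems
}

# Load the file without touching any certificate store
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$problems = Test-RootCandidate -Cert $cert -Subject $expectedSubject -Thumbprint $expectedThumbprint

if ($problems.Count -gt 0) {
    Write-Host "Refusing to import ${certPath}:"
    $problems | ForEach-Object { Write-Host "  - $_" }
} elseif (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
    Write-Host "Certificate is already in the Trusted Root store, nothing to do."
} else {
    Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root
    Write-Host "Imported $($cert.Subject) [$($cert.Thumbprint)]"
}
```

Run it from an elevated PowerShell session, since writing to the LocalMachine store requires administrator rights.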