For Cloud Platform to forward your logs to your destination service, you must have already installed a valid SSL certificate. When troubleshooting your SSL certificate, review the following SSL certificate issues and any returned HTTP response codes to address the most common problems with log forwarding:
- Certificate expiration date: The certificate’s expiration must be set to a date at least one month in the future.
- Valid public key: Confirm that you have provided the correct public key for the SSL certificate that you have uploaded to the log forwarding service.
- Matching SSL certificates: Confirm the CA certificate you uploaded to the log forwarding destination infrastructure was signed with the same public key you uploaded to Cloud Platform.
- Certificate order: If you are using bundled certificates, ensure the certificates in the chain are in the order they were generated. Your infrastructure’s certificate should be the first in the chain, and the final certificate in the chain should be the CA certificate for the signing authority. For more information, see About SSL certificates and chain certificates.
- Private key: The private key and certificate signing request (CSR) must be generated on the infrastructure on which you are installing the certificate for the certificate to install correctly. If the private key has been lost, the certificate must be reissued with a new CSR.
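The expiration, chain-order and key checks in the list above can be run locally before uploading anything. This is an added example, not Acquia tooling: the function names are illustrative, 30 days stands in for the one-month minimum, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example: local pre-upload checks for a log forwarding certificate.
# Function names are illustrative; requires the openssl command-line tool.

# Split a PEM bundle into DIR/cert-1.pem, DIR/cert-2.pem, ... and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Succeeds if the certificate stays valid for at least 30 more days
# (30 days is an assumption standing in for "one month").
expires_ok() {
    openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null
}

# Succeeds if each certificate's issuer name matches the subject of the next
# one, so the infrastructure certificate is first and the CA certificate last.
# This checks name chaining only; it does not verify signatures.
chain_order_ok() {
    dir=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$dir")
    rc=0
    [ "$count" -ge 1 ] || rc=1
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Succeeds if the private key (arg 2) belongs to the certificate (arg 1),
# by comparing the PEM-encoded public key extracted from each.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}
```

Each function takes file paths and reports through its exit status, for example `chain_order_ok bundle.pem && echo "order ok"`.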
Before you try to set up log forwarding:
- Check if the destination is supported.
- Ensure that there is no firewall that is blocking the flow of logs.
Log forwarding response codes
After uploading your certificate to the log forwarding service, Cloud Platform attempts to evaluate the connection, and returns an error message if it can’t. The details for each of the following response codes can help you diagnose problems with your log forwarding configuration:
Response code | Error | Description | Applicable Cloud Platform version |
---|---|---|---|
100 | Error on Multiple Layers | The destination has configuration issues on both the balancer and web layers. The format of this error is: Sample error message: | Cloud Next |
200 | (None) | The log forwarding service connected with the remote infrastructure. | Cloud Next and Cloud Classic |
301 | SSL connection error | Cloud Platform couldn’t establish an SSL connection with the log forwarding service. The error message should contain a stack trace. | Cloud Next and Cloud Classic |
302 | SSL verification error | SSL verification failed, the SSL certificate is invalid, or SSL is not accepted by the infrastructure. For more information, see the Diagnostics section of the openssl-verify information page at OpenSSL.org. | Cloud Next and Cloud Classic |
303 | Invalid key | The SSL certificate wasn’t signed with the same key as the infrastructure’s SSL certificate. | Cloud Next and Cloud Classic |
401 | Connection timed out | The destination infrastructure hasn’t responded after a pre-determined period of time. The error message does not include information regarding the cause of the timeout. | Cloud Next and Cloud Classic |
402 | Connection refused | The remote infrastructure being accessed isn’t configured to listen at the requested port, or has a firewall installed that’s rejecting the connection request initiated from Cloud Platform. | Cloud Next and Cloud Classic |
403 | Connection aborted | The client sent a TCP Reset (RST) response before the infrastructure accepted the connection requested by the client. The remote infrastructure may have a firewall enabled, have NAT or router issues, a slow connection, or the infrastructure didn’t send the SSL/TLS closure notification as required by the SSL/TLS specifications. | Cloud Next and Cloud Classic |
404 | Connection reset | The destination infrastructure abruptly closed its end of the connection. Review the infrastructure logs on the destination infrastructure for application protocol errors and traffic spikes. | Cloud Next and Cloud Classic |
405 | Socket error | Communication between Cloud Platform and the destination infrastructure was blocked (such as by antivirus software or a firewall), a previously established network connection was terminated, or the destination infrastructure crashed or rebooted. | Cloud Next and Cloud Classic |
406 | Host unreachable | The log forwarding client cannot connect to the specified host. It might be that the host is on a private network. | Cloud Next and Cloud Classic |
407 | Peer verification failed, please check the destination certificate chain matches the infrastructure certificate chain | The log forwarding client can’t verify the infrastructure’s identity. Certificates are incorrect or missing. Use Make sure you’ve included in the log forwarding destination’s certificate field all the CA certificates from the chain in the listed depth order (biggest depth is last). | Cloud Next and Cloud Classic |
408 | Installation Error | An issue occurred during the setup of log forwarding resources. To resolve this issue, you can disable and re-enable the log forwarding destination. If the problem persists, contact Acquia Support. | Cloud Next |
500 | Unknown | An error not matching any of the previously described conditions has occurred. | Cloud Next and Cloud Classic |