Score:0

Rsyslog - "Warning: CA certificate is not set" but TLS forwarding still works

ma flag

I am configuring rsyslog to forward over TCP/TLS. I was curious why, unlike HTTPS, I had to add the certificate to my client, so I went against the README and commented out the cert config, leaving me with this:

# global(DefaultNetstreamDriverCAFile="/etc/ssl/cert.pem")

ruleset(name="fluentd") {
        action(
                type="omfwd"
                target="<my domain>"
                port="24224"
                protocol="tcp"
                StreamDriver="gtls"
                StreamDriverMode="1"
                StreamDriverAuthMode="anon"
        )
}

Now I get `Warning: CA certificate is not set [v8.2001.0 try https://www.rsyslog.com/e/2329 ]` in the rsyslog logs; however, the log messages are still successfully forwarded to my fluentd instance, which is using TLS.

Why is this? Is the cert even necessary?

Binky
de flag
If you want a concrete answer, you'll need to provide more information. I suggest you provide the output of `lsb_release -a` and paste the PEM blob of the server certificate (not the private key) running your fluentd instance.
ma flag
@Binky I've deleted all of my artifacts from this trial run, but an explanation of what features of my distribution and/or server certificate would be relevant, and why, would be very helpful.
Score:1
gs flag

Setting StreamDriverAuthMode="anon" makes having a Certificate Authority store irrelevant for this connection, which is why this is only a warning. You will connect to that server regardless of whether the server provides a valid certificate or not.

As you made the statement

curious why, unlike HTTPS, I had to add the certificate to my client

I would like to clarify that your browser already has a CA store set, and AuthMode="anon" is nothing other than clicking "proceed anyway" on the browser's warning "This is a fake bank site, don't go there".

See also the rsyslog documentation on this:

this mode is vulnerable to man in the middle attacks as well as unauthorized access. It is recommended NOT to use this mode. A certificate/key does not need to be configured in this authmode
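To make the difference between the two settings concrete, here is an added example (not part of the answer above or of rsyslog itself) that audits omfwd action blocks for exactly the weakness described: it parses the key="value" parameters of global() and action() blocks, ignores commented-out lines, and flags anonymous TLS, plaintext forwarding, a missing CA file in x509 modes, and x509/name without a permitted-peer list. The two embedded configs are constructed samples: the first is the question's own block with a hypothetical target name, the second is the hardened form of it. The CA file path, hostname and the choice to treat an unset StreamDriverAuthMode as unauthenticated are assumptions; per-action CA file overrides in newer rsyslog releases are not modelled.

```python
import re
from typing import Dict, List

# Constructed sample: the question's action block (hostname is hypothetical),
# with the CA file line commented out.
WEAK_CONFIG = """
# global(DefaultNetstreamDriverCAFile="/etc/ssl/cert.pem")

ruleset(name="fluentd") {
        action(
                type="omfwd"
                target="logs.example.internal"
                port="24224"
                protocol="tcp"
                StreamDriver="gtls"
                StreamDriverMode="1"
                StreamDriverAuthMode="anon"
        )
}
"""

# Constructed sample: the same forwarder with the server certificate verified
# against a CA and pinned to an expected name. Path and hostname are hypothetical.
HARDENED_CONFIG = """
global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/forwarding-ca.pem")

ruleset(name="fluentd") {
        action(
                type="omfwd"
                target="logs.example.internal"
                port="24224"
                protocol="tcp"
                StreamDriver="gtls"
                StreamDriverMode="1"
                StreamDriverAuthMode="x509/name"
                StreamDriverPermittedPeers="logs.example.internal"
        )
}
"""

_BLOCK_RE = re.compile(r"\b(global|action)\s*\((.*?)\)", re.S)
_PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def _strip_comments(text: str) -> str:
    """Drop '#' line comments so a commented-out global() is not taken as live."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))


def parse_blocks(text: str) -> List[Dict[str, str]]:
    """Return each global()/action() block as a dict of its parameters.

    rsyslog parameter names are case-insensitive, so keys are lower-cased.
    Values containing ')' are not handled (none appear in the samples).
    """
    blocks = []
    for kind, body in _BLOCK_RE.findall(_strip_comments(text)):
        params = {k.lower(): v for k, v in _PARAM_RE.findall(body)}
        params["_kind"] = kind
        blocks.append(params)
    return blocks


def audit(text: str) -> List[str]:
    """Return one finding per weakness in every omfwd action of the config."""
    blocks = parse_blocks(text)
    ca_file = next((b.get("defaultnetstreamdrivercafile")
                    for b in blocks if b["_kind"] == "global"), None)
    findings = []
    for a in blocks:
        if a["_kind"] != "action" or a.get("type") != "omfwd":
            continue
        where = f'{a.get("target", "?")}:{a.get("port", "514")}'  # omfwd defaults to 514
        if a.get("streamdrivermode") != "1":
            findings.append(f"{where}: StreamDriverMode is not 1, logs are forwarded in plaintext")
            continue
        # Assumption: an unset auth mode is treated as unauthenticated.
        auth = a.get("streamdriverauthmode", "anon")
        if auth == "anon":
            findings.append(f"{where}: StreamDriverAuthMode=anon never verifies the server certificate (MITM possible)")
            continue
        if not ca_file:
            findings.append(f"{where}: {auth} needs DefaultNetstreamDriverCAFile but none is set")
        if auth == "x509/name" and not a.get("streamdriverpermittedpeers"):
            findings.append(f"{where}: x509/name without StreamDriverPermittedPeers accepts any name the CA signed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it against a real /etc/rsyslog.d/*.conf by reading the file into `audit()`; the weak sample yields the single anon finding, the hardened sample yields none, and commenting out the global() in the hardened sample makes the missing-CA finding appear, which is the situation the warning in the question is about.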

Score:1
de flag

Per your comment, I am answering generally, since we can't discuss specific details from the actual install.

When a Linux-based program such as rsyslog uses TLS, the program is typically built with (linked to) a standard TLS library such as OpenSSL or GnuTLS. These libraries access a certificate store (a file, directory of files, or a database), locate appropriate certificates in the store, build a certificate chain and perform the verification of the server certificate (with help from underlying cryptographic and other libraries).

A statement such as DefaultNetstreamDriverCAFile="/etc/ssl/cert.pem" is passing the path of the desired certificate store (file) to that TLS library (a system can have multiple certificate stores). So when you don't have that line commented out, rsyslog is telling the TLS library to use that text file, containing one or more PEM-formatted certificates.

If you comment out that line, then what happens depends on the underlying TLS library. If the library was built with a default certificate store, then the library can still perform the TLS negotiation. For example, on my Ubuntu 20 box, a program that uses the GnuTLS library would be linked to /usr/lib/x86_64-linux-gnu/libgnutls.so. That shared object library file was compiled with a default certificate store path of /etc/ssl/certs/ca-certificates.crt -- a text file certificate store which is a standard location for an Ubuntu operating system. You can see this hard-coded path if you run the command:

strings /usr/lib/x86_64-linux-gnu/libgnutls.so | grep certificates

So if I were to run rsyslog linked to GnuTLS with the same commented-out DefaultNetstreamDriverCAFile line, the hard-coded path to the certificate store would be used, and rsyslog could complete TLS negotiations.

This is likely what happened on your system, and why the message you saw was only of level "warning". The rsyslog program does not know whether the underlying TLS library has a default, so rsyslog was written to warn you and proceed. If no certificate store is available to the underlying TLS library, then that code will return a fatal error message to rsyslog, and rsyslog will relay/log the message to the user.
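The same compiled-in default exists for OpenSSL, and Python's ssl module exposes it directly, so here is an added example (not from the answer above or from rsyslog) showing where the library looks when the application names no store, how many CA certificates it actually loads from there, and what an "anon"-style context looks like by contrast: the handshake still completes, but nothing is verified, so whatever store is present is never consulted. Everything it reports comes from the local OpenSSL build, so the paths and counts differ per system.

```python
import os
import ssl
from typing import Dict


def default_store_report() -> Dict[str, object]:
    """Report the CA store the TLS library behind Python's ssl module uses when
    the application does not name one, and how many CAs it actually loads."""
    paths = ssl.get_default_verify_paths()
    # create_default_context() sets CERT_REQUIRED plus hostname checking and,
    # with no cafile/capath given, calls load_default_certs() for the build's
    # default locations, the OpenSSL analogue of the GnuTLS path found above.
    ctx = ssl.create_default_context()
    stats = ctx.cert_store_stats()
    return {
        "library": ssl.OPENSSL_VERSION,
        "compiled_in_cafile": paths.openssl_cafile,   # hard-coded at build time
        "compiled_in_capath": paths.openssl_capath,
        "effective_cafile": paths.cafile,             # None if the file is absent
        "cafile_exists": paths.cafile is not None and os.path.exists(paths.cafile),
        "trusted_cas": stats["x509_ca"],              # 0 means verification must fail
        "verify_mode": ctx.verify_mode.name,
    }


def anonymous_context() -> ssl.SSLContext:
    """The Python equivalent of StreamDriverAuthMode="anon": TLS is negotiated,
    but no certificate is checked, so any CA store present is irrelevant."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before dropping verification
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for key, value in default_store_report().items():
        print(f"{key:>20}: {value}")
    print(f"{'anon verify_mode':>20}: {anonymous_context().verify_mode.name}")
```

If `trusted_cas` is 0 on a host, a verifying context there will reject every server certificate, which is the fatal-error case the answer describes; an anonymous context on the same host connects regardless, which is why the question's setup kept working.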


