Is your documentation request related to a feature? If so, which one?

Hi,

while setting up Mimir with TLS I ran into this error:

Feb 14 11:52:37 localhost mimir[2741]: ts=2025-02-14T11:52:37.052802177Z caller=frontend_processor.go:84 level=error msg="error contacting frontend" address=127.0.0.1:9094 err="rpc error: code = Unavailable desc = connection error: desc = \"error reading server preface: remote error: tls: bad certificate\""

The key and certificate were valid and not expired. However I noticed that my certificate only had "Server Auth" in its EKU:

openssl x509 -inform pem -noout -text -in mimir.pem | grep -A 2 "Extended Key Usage"
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical

After creating a new certificate with both "Server Auth" and "Client Auth" in the EKU, everything works as expected.

What is the solution that you would like or the expected outcome?

Would be helpful if the docs at Securing Grafana Mimir communications with TLS mention the requirements for the EKU

What did you think would happen?

What was your environment?

mimir --version
Mimir, version 2.15.0 (branch: release-2.15, revision: fbb9cd87a6)
  go version:       go1.23.2

Any additional context to share?

No response