Trying to configure SplunkLightForwarder with SSL for both encryption and mutual authentication, but no connection is made. On the receiver the connection is failing with the error message: ERROR TcpInputProc - Error encountered for connection from host=10.2.3.4, ip=10.2.3.4. error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
On the sender side: sslCertPath=$SPLUNK_HOME/etc/auth/cert/sender.pem sslPassword=password sslRootCAPath=$SPLUNK_HOME/etc/auth/cert/root.crt sslVerifyServerCert=true sslCommonNameToCheck=receiver.example.com
On the receiver side: [splunktcp-ssl://12345] disabled = false [SSL] serverCert=$SPLUNK_HOME/etc/auth/cert/reciever.pem password=password RootCA=$SPLUNK_HOME/etc/auth/cert/root.crt dhfile=$SPLUNK_HOME/etc/auth/cert/dhparams.pem requireClientCert=true
Thoughts anyone???
I would suggest a review of the procedure detailed in this tutorial to set up splunk-2-splunk communication using SSL certificates signed by a 3rd party certificate authority.
The troubleshooting section might help you to pinpoint where the issue with your current configuration is.
No I haven't tried with the Splunk PEMs created during install. These are certs built against our PKI infrastructure here, and check out as valid and correct within our environment.
Does it work if you specify the default splunk cacert.pem and server.pem? If so, this would indicate a problem with your custom root cert and/or server cert.