Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

samhodgson
Path Finder

Hi,

I just followed the answer in the below post to configure SSL between my UF and the indexer:

answers.splunk.com/answers/211383/why-am-i-getting-errors-with-my-ssl-configuration.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

I'm seeing the following error in the splunkd.log when I restart splunkd:

07-06-2017 16:08:22.151 +0100 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkCA,O=SplunkInc,L=SanFrancisco,ST=CA,C=US) failed validation; error=19, reason="self signed certificate in certificate chain"
07-06-2017 16:08:22.151 +0100 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.
07-06-2017 16:08:22.151 +0100 ERROR TcpOutputFd - Connection to host=xxx.xxx.xxx.xxx:9778 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
07-06-2017 16:08:22.193 +0100 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkCA,O=SplunkInc,L=SanFrancisco,ST=CA,C=US) failed validation; error=19, reason="self signed certificate in certificate chain"

Any pointers on this would be great, I've tried using signed certs and was seeing the same error.

1 Solution

cmaier
Explorer

Your post popped up when I was looking for a solution to my "self signed certificate in certificate chain" error. In my case, it was because my inputs.conf file on the indexer was missing (this is Windows, obviously):
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem

I was still indexing OK from the forwarders, it was just throwing that warning.

Maybe post your inputs.conf [SSL] stanza contents (without any passwords) to give readers some hints.

This is what a functioning version looks like on one of our test indexers:

[SSL]
sslPassword =
requireClientCert = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME\etc\auth\server.pem
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem

reswob4
Builder

Thanks. This solution worked for me as well....

0 Karma

samhodgson
Path Finder

Many thanks for posting your solution, I did eventually resolve this actually - I should have posted the fix. I used btool to list all of the current parameter values in use and there was a parameter called something like caserver that I hadn't set and it was still pointing to the default cert.

0 Karma

splunk_kk
Path Finder

Hello,

I'm facing exactly the same issue. I'm using commercial certs.

I don't see anything pointing to default certs in my case. Can you tell me what was the exact issue in your case and which file/parameter it was pointing to?

My outputs.conf looks good as well.

Awaiting your reply.

Thanks a ton

0 Karma

samhodgson
Path Finder

Morning,

I had a path that was pointing to the default Splunk self-signed cert in one of my config files. Try using btool to check your effective parameters on the config files used for SSL. For example:

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool server list --debug

If you're using Linux you can grep for things like pem or ssl. For further info see:

http://docs.splunk.com/Documentation/Splunk/7.0.3/Troubleshooting/Usebtooltotroubleshootconfiguratio...

Also, restart Splunk and watch the splunkd.log for any SSL-related errors when it's coming back up.

0 Karma
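As an added example (not code from this thread or from Splunk), here is a small Python script that does the btool check above in a repeatable way instead of eyeballing grep output. It parses `splunk cmd btool <conf> list --debug` output, keeps the SSL/certificate settings, and reports any that are still inherited from a shipped `default/` file or that name one of Splunk's stock certificate files. An inherited trust-store setting that never got a local override is exactly the pattern behind the `error=19, reason="self signed certificate in certificate chain"` failure in the original post and the missing `rootCA` in the accepted answer. The sample btool output embedded below is constructed; the file paths, the stanza name `tcpout:indexers`, and the assumed `--debug` line layout of `<conf file> <line>` are assumptions, so adjust them to what your own btool prints.

```python
"""Audit SSL-related settings in `splunk cmd btool <conf> list --debug` output.

Added example; not part of the thread or of Splunk. It assumes each --debug
line looks like "<path to .conf> <original line>", which is what this script
parses; check one line of your own output before relying on it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Setting names/values worth reading when the handshake fails with "unknown CA".
SSL_KEY_RE = re.compile(r"ssl|cert|rootca|pem", re.IGNORECASE)

# Certificate files Splunk ships in $SPLUNK_HOME/etc/auth. A trust-store
# setting that still names one of these deserves a second look: either it was
# never changed, or the file was replaced with your own CA cert (as in the
# accepted answer) and is fine.
STOCK_CERT_NAMES = ("ca.pem", "cacert.pem", "server.pem")

# Assumed --debug layout: the source .conf path, whitespace, then the line.
LINE_RE = re.compile(r"^(?P<source>.+?\.conf)\s+(?P<body>.*)$")
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]*)\]$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


@dataclass
class Setting:
    stanza: str
    key: str
    value: str
    source: str

    @property
    def from_default(self) -> bool:
        """True when the value is inherited from a shipped default file, not set locally."""
        return "/default/" in self.source.replace("\\", "/")

    @property
    def names_stock_cert(self) -> bool:
        """True when the value ends in one of Splunk's stock certificate filenames."""
        path = self.value.replace("\\", "/")
        return any(path == n or path.endswith("/" + n) for n in STOCK_CERT_NAMES)


def parse_btool_debug(text: str) -> list[Setting]:
    """Turn --debug output into Setting records, tracking the current stanza."""
    settings: list[Setting] = []
    stanza = ""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something that is not "<file> <line>"
        source, body = m.group("source"), m.group("body").strip()
        if s := STANZA_RE.match(body):
            stanza = s.group("name")
            continue
        if kv := KV_RE.match(body):
            settings.append(Setting(stanza, kv.group("key"), kv.group("value").strip(), source))
    return settings


def ssl_settings(settings: list[Setting]) -> list[Setting]:
    """The 'grep for pem or ssl' step, applied to key or value of each effective setting."""
    return [s for s in settings if SSL_KEY_RE.search(s.key) or SSL_KEY_RE.search(s.value)]


def audit(text: str) -> list[str]:
    """One finding per SSL setting that is inherited from a default file or names a stock cert."""
    findings: list[str] = []
    for s in ssl_settings(parse_btool_debug(text)):
        where = f"[{s.stanza}] {s.key} = {s.value}  ({s.source})"
        if s.from_default:
            findings.append(f"INHERITED DEFAULT: {where}")
        if s.names_stock_cert:
            findings.append(f"STOCK CERT NAME:   {where}")
    return findings


# Constructed sample of `splunk cmd btool outputs list --debug` on a forwarder
# whose trust store was never set locally; the host is redacted like the thread's log.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunkforwarder/etc/system/local/outputs.conf [tcpout:indexers]
/opt/splunkforwarder/etc/system/local/outputs.conf server = xxx.xxx.xxx.xxx:9778
/opt/splunkforwarder/etc/system/local/outputs.conf clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
/opt/splunkforwarder/etc/system/local/outputs.conf sslVerifyServerCert = true
/opt/splunkforwarder/etc/system/default/outputs.conf sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
/opt/splunkforwarder/etc/system/default/outputs.conf maxQueueSize = auto
"""

if __name__ == "__main__":
    import sys
    # Pipe real btool --debug output in, or run with no input to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BTOOL_OUTPUT
    for finding in audit(data) or ["no inherited or stock-cert SSL settings found"]:
        print(finding)
```

Run it as `$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug | python3 audit_ssl.py` (and again for `inputs` and `server`). A line starting with `INHERITED DEFAULT` is the case described in this thread: the parameter exists and is in effect, but only because a shipped default supplies it, so it never made it into your local `[SSL]` or `[tcpout]` stanza.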

zzhao05
New Member

Hi Sam,
I'm facing exactly the same issue. I ran the btool command but I don't see any keyword like SSL or pem. Do you still recall what specific config file was still pointing to the default Splunk self-signed cert in your case?

Zhang

0 Karma