Security

SSL Error on configuring Splunk forwarding using own certificates

chintu_jain
Explorer

I am trying to setup Splunk forwarding using own certificates. Following is the configuration made.

On Indexer (inputs.conf)

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\splunksslcerts\server.pem
sslPassword = <ssl password>
requireClientCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

On forwarder(outputs.conf)

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = localhost:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\SSL\certs\server.pem
useClientSSLCompression = true
sslPassword = <ssl password>
sslVerifyServerCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

Need help in setting it up as it is failing with the following errors in splunkd.log

In Indexer

05-08-2018 14:46:25.024 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.
05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

In Forwarder

05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=xxx@xx.com,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"
05-08-2018 14:53:53.104 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.
05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2

0 Karma

eswara9
Engager
sslVerifyServerCert = true 

I have added this setting in [sslConfig]
after that portal was not loading then removed 
it started working.

0 Karma

martynoconnor
Communicator

You have this set to true:

sslVerifyServerCert = true

Which means that Splunk will try and verify that the certs in Splunk are actually valid. However the CA is not, so Splunk is unable to verify the authenticity of the cert and will therefore refuse connections. Change this to false and you'll restore communications. Better yet, use self signed certs and a CA that the instances can actually communicate with.

vik_splunk
Communicator

Was this resolved?

We are encountering the same issue as well.

0 Karma

spluzer
Communicator

Any updates to this?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...