Can default certificate be used for communication ...

Amogh88 · ‎08-05-2019

I am pretty new to splunk. We are implementing heavy forwarder on EC2 instance which receives the data from UF and forwards to splunk cloud. I am trying to test the data forwarding by configuring default splunk certs on HF inputs.conf and UF outputs.conf . But I am seeing below errors on the HF. Any pointers would be most appreciated.

WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'. 

ERROR TcpOutputFd - Connection to host=xxx.xxx.xxx.xxx:9997 failed. sock_error = 0. SSL Error = error:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

dhihoriya_splun · ‎08-13-2019

Hi @Amogh88

To forward data from HF to Splunk cloud we have to add SSL config in outputs.conf of HF to communicate with splunkcloud instances as like below :

sslCertPath = *********(Path of cert)
sslRootCAPath = ******** (Path of RootCA)
sslPassword = *******

sslCommonNameToCheck = {certname}
sslVerifyServerCert = true
useClientSSLCompression = true

Hope this will help you to resolve your issue.

Can default certificate be used for communication between universal forwarder and heavy forwarder in Splunk cloud?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor