
HTTP Event Collector: How do I resolve error "x509: cannot validate certificate because it doesn't contain any IP SANs"

dzlabs
Engager

I'm trying to submit logs to the HTTP Event Collector from a Go application. I've correctly set up the Event Collector (I can successfully curl it); however, I see the following error when I submit a POST:

2016/01/14 16:37:03 utils.go:75 utils.splunkit ERROR Post https://xx.xx.xxx.xx:9000/services/collector/event: x509: cannot validate certificate for xx.xx.xxx.xx because it doesn't contain any IP SANs

Here is a code snippet of how I am posting to Splunk:

func splunkit(host string, port int, token string, data []byte) {
    body := bytes.NewReader(data)
    url := fmt.Sprintf("https://%s:%d/services/collector/event", host, port)
    client := &http.Client{}
    req, err := http.NewRequest("POST", url, body)
    if err != nil {
        // NewRequest fails on a malformed URL; req is nil in that case.
        log.Error(err)
        return
    }
    req.Header.Add("Authorization", "Splunk "+token)
    resp, err := client.Do(req)
    if err != nil {
        log.Error(err)
        return
    }
    // Close the body so the connection can be reused.
    defer resp.Body.Close()
    log.Info(resp)
}

How can I use a certificate on the client side in order to successfully submit logs to Splunk directly from my app?

0 Karma
1 Solution

Jeremiah
Motivator

What is the value of your host variable? Is it an IP address? The error is complaining that the certificate on your HTTP event collector was not signed with an IP address in the subject or in the list of subject alternative names. You should set host to the value that matches the certificate; either the subject CN or one of the subject alternative name values. Run this command to see the subject value of your certificate:

echo - | openssl s_client -connect your-host:9000 | openssl x509 -subject -noout|more

If you would like to see the subject alternative names, print out the entire certificate:

echo - | openssl s_client -connect your-host:9000 | openssl x509 -text -noout|more

If you didn't customize the cert, then you probably just have a default self-signed certificate. You can use these instructions to load the certificate onto your client:

http://pro-tips-dot-com.tumblr.com/post/65472594329/golang-establish-secure-http-connections-with
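The following is an added example, not part of the original answer or of Splunk's code. It goes slightly beyond the answer by covering the case where the client must keep connecting by IP address: the certificate is loaded into the client's trust pool and `tls.Config.ServerName` names the certificate entry to verify against. The name `splunk.example.internal`, the helpers `hecClient` and `demo`, and the in-process self-signed certificate and test server are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// hecClient trusts only the certificates in pool. A non-empty serverName is the
// name the certificate is checked against, instead of the host in the URL.
func hecClient(pool *x509.CertPool, serverName string) *http.Client {
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// demo serves a constructed self-signed certificate that has a DNS SAN but no IP
// SANs, then posts to that server by IP address, without and with ServerName.
func demo() (byIP, byName error) {
	const name = "splunk.example.internal" // hypothetical certificate name
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{name}, // DNS SAN only
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS() // listens on a loopback IP, so srv.URL has an IP address as host
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // a real client would load the collector's CA certificate here
	post := func(c *http.Client) error {
		resp, err := c.Post(srv.URL, "application/json", nil)
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	return post(hecClient(pool, "")), post(hecClient(pool, name))
}

func main() { fmt.Println(demo()) }
```

The first request fails with the "doesn't contain any IP SANs" error from the question and the second succeeds, with certificate verification left on in both cases rather than disabled through `InsecureSkipVerify`.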

dzlabs
Engager

The host variable is an IP address, thanks for the hint.

0 Karma

ppablo
Retired

Hi @dzlabs

Glad you got the hint you needed to fix your issue here on Answers 🙂 Please don't forget to resolve your posts by clicking "Accept" directly below @Jeremiah's answer. This will make it easier for other users with the same question to find the solution. Thanks!

0 Karma