I am trying to set up Splunk forwarding using my own certificates. The following is the configuration made.
On Indexer (inputs.conf)
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\splunksslcerts\server.pem
sslPassword = <ssl password>
requireClientCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>
On forwarder (outputs.conf)
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = localhost:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\SSL\certs\server.pem
useClientSSLCompression = true
sslPassword = <ssl password>
sslVerifyServerCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>
Need help in setting it up as it is failing with the following errors in splunkd.log
In Indexer
05-08-2018 14:46:25.024 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.
05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
In Forwarder
05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=xxx@xx.com,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"
05-08-2018 14:53:53.104 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.
05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2
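As an added example that is not part of the original post: a small Python triage of the splunkd.log lines quoted above, reporting for each TLS error which side failed to validate a certificate and why. The function and table names are illustrative assumptions; the sample lines are excerpted from the post with the long trailing advice text trimmed.

```python
import re

# OpenSSL X509_V_ERR_* codes that commonly accompany an "unknown CA" handshake failure.
X509_MEANING = {
    18: "leaf is self-signed and not in the trust store",
    19: "chain ends in a self-signed root that is not in the trust store",
    20: "issuer of the certificate is not in the local trust store",
    21: "only the leaf was presented and its issuer is not trusted",
}

# splunkd.log layout: "<date> <time> <tz> <LEVEL> <Component> - <message>"
LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+)\s+(?P<level>WARN|ERROR)\s+(?P<comp>\w+) - (?P<msg>.*)$")
X509 = re.compile(r"CN=(?P<cn>[^,)]+).*?error=(?P<code>\d+)")

def triage(line):
    """Return (component, finding) for a splunkd.log TLS line, or None if not relevant."""
    m = LINE.match(line)
    if not m:
        return None
    comp, msg = m["comp"], m["msg"]
    x = X509.search(msg)
    if comp == "X509Verify" and x:
        code = int(x["code"])
        why = X509_MEANING.get(code, "see the OpenSSL X509_V_ERR codes")
        return comp, f"local validation of CN={x['cn']} failed (error {code}): {why}"
    if "certificate verify failed" in msg:
        # Raised by the side that ran the verification and refused the peer's certificate.
        return comp, "this host rejected the certificate presented by its peer"
    if "alert unknown ca" in msg:
        # Raised by the side that read a fatal unknown_ca alert sent by the other end.
        return comp, "the peer rejected this host's certificate and sent an unknown_ca alert"
    return None

# Lines excerpted from the post above (trailing advice text trimmed).
SAMPLE = [
    "05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    '05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=xxx@xx.com,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"',
    "05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed",
    "05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2",
]

if __name__ == "__main__":
    for line in SAMPLE:
        result = triage(line)
        if result:
            print(f"{result[0]}: {result[1]}")
```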