https://community.splunk.com/t5/Security/Splunk-Connect-for-k8S-HTTPS-problem/m-p/582379#M15854 <P>Hello,</P><P>I am trying to configure Splunk Connect for Kubernetes to capture a k8s cluster application logs.</P><P>I have problems when configuring https connection to HEC.</P><P>On the Heavy Forwarder, I have configured a ServerCert, which has been signed by our Company Authority.</P><P>Then, on Splunk Connect for Kubernetes Helm, if I configure https :</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> splunk: hec: # host is required and should be provided by user host: hostname.domain.com # token is required and should be provided by user token: MY-HEC-TOKEN # protocol has two options: "http" and "https", default is "https" # For self signed certificate leave this field blank protocol: https</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When deploying, I see the following logs on Heavy Forwarder :&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">01-25-2022 09:37:16.729 +0100 WARN SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'. 01-25-2022 09:37:16.729 +0100 WARN HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>I have to configure <STRONG>insecureSSL: true</STRONG> to get the connection working and see logs on Indexer.</P><P>But, If I activate HTTPS connection, I do not want it to be insecure ^^.</P><P>&nbsp;</P><P>I am a bit confused about Splunk Connect 4 Kubernetes configuration.</P><P>Can I use :&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">splunk: # Configurations for HEC (HTTP Event Collector) hec: # The PEM-format CA certificate file. # NOTE: The content of the file itself should be used here, not the file path. # The file will be stored as a secret in kubernetes. caFile:</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>To configure ma Company CA ?</P><P>&nbsp;</P><P>Or are keys&nbsp;<SPAN class="">clientCert, clientKey and CaFile only used for mTLS configuration ?</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thank you in advance for your answers.</SPAN></P><P><SPAN class="">Regards.</SPAN></P><P><SPAN class="">Nicolas.</SPAN></P><P>&nbsp;</P> Tue, 25 Jan 2022 08:59:47 GMT npe 2022-01-25T08:59:47Z https://community.splunk.com/t5/Security/Splunk-Connect-for-k8S-HTTPS-problem/m-p/582379#M15854 <P>Hello,</P><P>I am trying to configure Splunk Connect for Kubernetes to capture a k8s cluster application logs.</P><P>I have problems when configuring https connection to HEC.</P><P>On the Heavy Forwarder, I have configured a ServerCert, which has been signed by our Company Authority.</P><P>Then, on Splunk Connect for Kubernetes Helm, if I configure https :</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> splunk: hec: # host is required and should be provided by user host: hostname.domain.com # token is required and should be provided by user token: MY-HEC-TOKEN # protocol has two options: "http" and "https", default is "https" # For self signed certificate leave this field blank protocol: https</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When deploying, I see the following logs on Heavy Forwarder :&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">01-25-2022 09:37:16.729 +0100 WARN SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'. 01-25-2022 09:37:16.729 +0100 WARN HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>I have to configure <STRONG>insecureSSL: true</STRONG> to get the connection working and see logs on Indexer.</P><P>But, If I activate HTTPS connection, I do not want it to be insecure ^^.</P><P>&nbsp;</P><P>I am a bit confused about Splunk Connect 4 Kubernetes configuration.</P><P>Can I use :&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">splunk: # Configurations for HEC (HTTP Event Collector) hec: # The PEM-format CA certificate file. # NOTE: The content of the file itself should be used here, not the file path. # The file will be stored as a secret in kubernetes. caFile:</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>To configure ma Company CA ?</P><P>&nbsp;</P><P>Or are keys&nbsp;<SPAN class="">clientCert, clientKey and CaFile only used for mTLS configuration ?</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thank you in advance for your answers.</SPAN></P><P><SPAN class="">Regards.</SPAN></P><P><SPAN class="">Nicolas.</SPAN></P><P>&nbsp;</P> Tue, 25 Jan 2022 08:59:47 GMT https://community.splunk.com/t5/Security/Splunk-Connect-for-k8S-HTTPS-problem/m-p/582379#M15854 npe 2022-01-25T08:59:47Z