topic Custom SSL Cert Issues in Security https://community.splunk.com/t5/Security/Custom-SSL-Cert-Issues/m-p/323630#M8342 <P>Hey splunk team,</P> <P>I need a bit (okay a lot of help). I'm not sure what I'm doing wrong, but I'm following these guides to create my own self-signed ssl certificate:</P> <P><A href="http://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA">http://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtoself-signcertificates">http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtoself-signcertificates</A></P> <P>However after looking at my logs, my forwarder shows the following:</P> <PRE><CODE>02-27-2018 00:45:19.808 -0800 INFO TcpOutputProc - Removing quarantine from idx=192.168.0.43:9997 02-27-2018 00:45:19.808 -0800 WARN TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused 02-27-2018 00:45:19.808 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed 02-27-2018 00:45:19.809 -0800 WARN TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused 02-27-2018 00:45:19.809 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed 02-27-2018 00:45:19.809 -0800 WARN TcpOutputProc - Applying quarantine to ip=192.168.0.43 port=9997 _numberOfFailures=2 </CODE></PRE> <P>At this point I'm not sure what I'm doing wrong. If it helps, my forwarders outputs.conf looks like this:</P> <PRE><CODE>[tcpout] defaultGroup = splunkssl [tcpout:splunkssl] server = 192.168.0.43:9997 compressed = true sslRootCAPath = /opt/splunkforwarder/etc/certs/myCACertificate.pem sslCertPath = /opt/splunkforwarder/etc/certs/myServerCertificate.pem sslPassword = $xxxxxxxxxxxxx= sslVerifyServerCert = true </CODE></PRE> <P>My indexer's input.conf looks like this:</P> <PRE><CODE>[default] host = splunk [SSL] rootCA = /opt/splunk/etc/certs/myCACertificate.pem serverCert = /opt/splunk/etc/certs/myServerCertificate.pem password = $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx #password = $xxxxxxxxxxxxxx requireClientCert = false [splunktcp-ssl:9997] compressed = true disabled = 0 </CODE></PRE> <P>And i've added this line to my indexer's server.conf. This was based on the default configuration for ssl certificates on the indxer, plus the guide to using self signed certs:</P> <PRE><CODE>sslRootCAPatch = /opt/splunk/etc/system/local/certs/myCACertificate.pem </CODE></PRE> <P>Any help or advice is appreciated.</P> Tue, 27 Feb 2018 08:55:42 GMT TitanAE 2018-02-27T08:55:42Z Custom SSL Cert Issues https://community.splunk.com/t5/Security/Custom-SSL-Cert-Issues/m-p/323630#M8342 <P>Hey splunk team,</P> <P>I need a bit (okay a lot of help). I'm not sure what I'm doing wrong, but I'm following these guides to create my own self-signed ssl certificate:</P> <P><A href="http://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA">http://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtoself-signcertificates">http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtoself-signcertificates</A></P> <P>However after looking at my logs, my forwarder shows the following:</P> <PRE><CODE>02-27-2018 00:45:19.808 -0800 INFO TcpOutputProc - Removing quarantine from idx=192.168.0.43:9997 02-27-2018 00:45:19.808 -0800 WARN TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused 02-27-2018 00:45:19.808 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed 02-27-2018 00:45:19.809 -0800 WARN TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused 02-27-2018 00:45:19.809 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed 02-27-2018 00:45:19.809 -0800 WARN TcpOutputProc - Applying quarantine to ip=192.168.0.43 port=9997 _numberOfFailures=2 </CODE></PRE> <P>At this point I'm not sure what I'm doing wrong. If it helps, my forwarders outputs.conf looks like this:</P> <PRE><CODE>[tcpout] defaultGroup = splunkssl [tcpout:splunkssl] server = 192.168.0.43:9997 compressed = true sslRootCAPath = /opt/splunkforwarder/etc/certs/myCACertificate.pem sslCertPath = /opt/splunkforwarder/etc/certs/myServerCertificate.pem sslPassword = $xxxxxxxxxxxxx= sslVerifyServerCert = true </CODE></PRE> <P>My indexer's input.conf looks like this:</P> <PRE><CODE>[default] host = splunk [SSL] rootCA = /opt/splunk/etc/certs/myCACertificate.pem serverCert = /opt/splunk/etc/certs/myServerCertificate.pem password = $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx #password = $xxxxxxxxxxxxxx requireClientCert = false [splunktcp-ssl:9997] compressed = true disabled = 0 </CODE></PRE> <P>And i've added this line to my indexer's server.conf. This was based on the default configuration for ssl certificates on the indxer, plus the guide to using self signed certs:</P> <PRE><CODE>sslRootCAPatch = /opt/splunk/etc/system/local/certs/myCACertificate.pem </CODE></PRE> <P>Any help or advice is appreciated.</P> Tue, 27 Feb 2018 08:55:42 GMT https://community.splunk.com/t5/Security/Custom-SSL-Cert-Issues/m-p/323630#M8342 TitanAE 2018-02-27T08:55:42Z