https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/376976#M9296 <P>I am trying to setup Splunk forwarding using own certificates. Following is the configuration made.</P> <P>On Indexer (inputs.conf)</P> <PRE><CODE>[splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = C:\Program Files\Splunk\etc\auth\splunksslcerts\server.pem sslPassword = &lt;ssl password&gt; requireClientCert = true sslCommonNameToCheck = &lt;xxxx.xxxx.xx.com&gt; </CODE></PRE> <P>On forwarder(outputs.conf)</P> <PRE><CODE>[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = localhost:9997 clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\SSL\certs\server.pem useClientSSLCompression = true sslPassword = &lt;ssl password&gt; sslVerifyServerCert = true sslCommonNameToCheck = &lt;xxxx.xxxx.xx.com&gt; </CODE></PRE> <P>Need help in setting it up as it is failing with the following errors in splunkd.log</P> <P>In Indexer</P> <P>05-08-2018 14:46:25.024 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.<BR /> 05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the <CODE>openssl verify</CODE> command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.</P> <P>In Forwarder</P> <P>05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=<A href="mailto:xxx@xx.com" target="_blank">xxx@xx.com</A>,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"<BR /> 05-08-2018 14:53:53.104 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.<BR /> 05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the <CODE>openssl verify</CODE> command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.<BR /> 05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2</P> Tue, 29 Sep 2020 19:22:47 GMT chintu_jain 2020-09-29T19:22:47Z https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/376976#M9296 <P>I am trying to setup Splunk forwarding using own certificates. Following is the configuration made.</P> <P>On Indexer (inputs.conf)</P> <PRE><CODE>[splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = C:\Program Files\Splunk\etc\auth\splunksslcerts\server.pem sslPassword = &lt;ssl password&gt; requireClientCert = true sslCommonNameToCheck = &lt;xxxx.xxxx.xx.com&gt; </CODE></PRE> <P>On forwarder(outputs.conf)</P> <PRE><CODE>[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = localhost:9997 clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\SSL\certs\server.pem useClientSSLCompression = true sslPassword = &lt;ssl password&gt; sslVerifyServerCert = true sslCommonNameToCheck = &lt;xxxx.xxxx.xx.com&gt; </CODE></PRE> <P>Need help in setting it up as it is failing with the following errors in splunkd.log</P> <P>In Indexer</P> <P>05-08-2018 14:46:25.024 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.<BR /> 05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the <CODE>openssl verify</CODE> command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.</P> <P>In Forwarder</P> <P>05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=<A href="mailto:xxx@xx.com" target="_blank">xxx@xx.com</A>,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"<BR /> 05-08-2018 14:53:53.104 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.<BR /> 05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the <CODE>openssl verify</CODE> command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.<BR /> 05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2</P> Tue, 29 Sep 2020 19:22:47 GMT https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/376976#M9296 chintu_jain 2020-09-29T19:22:47Z https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/376977#M9297 <P>Was this resolved?</P> <P>We are encountering the same issue as well.</P> Sat, 08 Jun 2019 07:59:55 GMT https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/376977#M9297 vik_splunk 2019-06-08T07:59:55Z https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/376978#M9298 <P>You have this set to true:</P> <PRE><CODE>sslVerifyServerCert = true </CODE></PRE> <P>Which means that Splunk will try and verify that the certs in Splunk are actually valid. However the CA is not, so Splunk is unable to verify the authenticity of the cert and will therefore refuse connections. Change this to false and you'll restore communications. Better yet, use self signed certs and a CA that the instances can actually communicate with.</P> Sat, 08 Jun 2019 20:36:41 GMT https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/376978#M9298 martynoconnor 2019-06-08T20:36:41Z https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/526229#M11914 <P>Any updates to this?</P> Fri, 23 Oct 2020 13:30:45 GMT https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/526229#M11914 spluzer 2020-10-23T13:30:45Z https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/643884#M16974 <PRE>sslVerifyServerCert = true </PRE><P>I have added this setting in&nbsp;[sslConfig]<BR />after that portal was not loading then removed&nbsp;<BR />it started working.</P> Fri, 19 May 2023 10:50:34 GMT https://community.splunk.com/t5/Security/SSL-Error-on-configuring-Splunk-forwarding-using-own/m-p/643884#M16974 eswara9 2023-05-19T10:50:34Z