<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using different certificates for TCP and HEC Input results in 'unknown CA' error in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746739#M118665</link>
    <description>You can have only one sslRootCAPath in your node. Just put all different ca certs into this one file.</description>
    <pubDate>Thu, 22 May 2025 15:22:43 GMT</pubDate>
    <dc:creator>isoutamo</dc:creator>
    <dc:date>2025-05-22T15:22:43Z</dc:date>
    <item>
      <title>Using different certificates for TCP and HEC Input results in 'unknown CA' error</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746735#M118664</link>
      <description>&lt;P&gt;I recently started using the HEC with TLS on my standalone testing instance and now I am seeing some behavior that I cannot make sense of.&lt;/P&gt;&lt;P&gt;I assume that it is related to the fact that I configured both, TCP Input and HEC Input to use different certificates.&lt;/P&gt;&lt;P&gt;The HEC Input is working fine, but when a UF tries to connect to the TCP Input, I get this error:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;05-22-2025 07:39:18.469 +0000 ERROR TcpInputProc [2339416 FwdDataReceiverThread] - Error encountered for connection from src=REDACTED:31261. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-22-2025 07:39:18.555 +0000 ERROR X509Verify [2339416 FwdDataReceiverThread] - Client X509 certificate (CN=REDACTED,CN=A,OU=B,DC=C,DC=D,DC=E) failed validation; error=19, reason="self signed certificate in certificate chain"
05-22-2025 07:39:18.555 +0000 WARN  SSLCommon [2339416 FwdDataReceiverThread] - Received fatal SSL3 alert. ssl_state='error', alert_description='unknown CA'.
05-22-2025 07:39:18.555 +0000 ERROR TcpInputProc [2339416 FwdDataReceiverThread] - Error encountered for connection from src=10.253.192.20:32991. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.&lt;/LI-CODE&gt;&lt;P&gt;On the UF, I can see the following error message:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;05-22-2025 07:39:17.953 +0000 WARN  SSLCommon [1074 TcpOutEloop] - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unknown CA'.
05-22-2025 07:39:17.953 +0000 ERROR TcpOutputFd [1074 TcpOutEloop] - Connection to host=REDACTED:9997 failed&lt;/LI-CODE&gt;&lt;P&gt;Below are my config files. I appreciate any pointers as to what&amp;nbsp; I did wrong.&lt;/P&gt;&lt;P&gt;Note: All files which are storing certificates are the "usual" order:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;For clientCert and serverCert&lt;UL&gt;&lt;LI&gt;First certificate, then private key&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;LI&gt;For sslRootCAPath&lt;UL&gt;&lt;LI&gt;First issuing, then Root CA&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Standalone/Indexer:&lt;/P&gt;&lt;P&gt;Server.conf&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/cert.pem&lt;/LI-CODE&gt;&lt;P&gt;Inputs.conf&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[splunktcp-ssl:9997]
disabled=0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/cert0.pem
sslPassword = REDACTED
requireClientCert = true
sslVersions = tls1.2

[http]
disabled = 0
enableSSL = 1
serverCert = /opt/splunk/etc/auth/mycerts/cert1.pem
sslPassword = REDACTED

[http://whatthehec]
disabled = 0
token = REDACTED&lt;/LI-CODE&gt;&lt;P&gt;UF:&lt;/P&gt;&lt;P&gt;server.conf&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[sslConfig]
serverCert = /mnt/certs/cert0.pem
sslPassword = REDACTED
sslRootCAPath = /mnt/certs/cert.pem 
sslVersions = tls1.2 &lt;/LI-CODE&gt;&lt;P&gt;outputs.conf:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[tcpout]
defaultGroup = def
forwardedindex.2.whitelist = (_audit|_introspection|_internal)

[tcpout:def]
useACK = true
server = server:9997
autoLBFrequency = 180
forceTimebasedAutoLB = false
autoLBVolume = 5000000
maxQueueSize =100MB
connectionTTL = 300
heartbeatFrequency = 350
writeTimeout = 300
sslVersions = tls1.2
clientCert = /mnt/certs/cert0.pem
sslRootCAPath = /mnt/certs/cert.pem
sslPassword = REDACTED
sslVerifyServerCert = true &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 May 2025 14:50:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746735#M118664</guid>
      <dc:creator>zapping575</dc:creator>
      <dc:date>2025-05-22T14:50:04Z</dc:date>
    </item>
    <item>
      <title>Re: Using different certificates for TCP and HEC Input results in 'unknown CA' error</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746739#M118665</link>
      <description>You can have only one sslRootCAPath in your node. Just put all different ca certs into this one file.</description>
      <pubDate>Thu, 22 May 2025 15:22:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746739#M118665</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2025-05-22T15:22:43Z</dc:date>
    </item>
    <item>
      <title>Re: Using different certificates for TCP and HEC Input results in 'unknown CA' error</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746741#M118667</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241220"&gt;@zapping575&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Nothing particular is jumping out at me, in your outputs.conf for UF, the&amp;nbsp;sslRootCAPath is deprecated and instead would use 'server.conf/[sslConfig]/sslRootCAPath' but you have set this too.&lt;/P&gt;&lt;P&gt;I would try the following:&lt;/P&gt;&lt;P&gt;Check the certs can be read okay:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;openssl x509 -in /path/to/certificate.crt -text -noout&lt;/LI-CODE&gt;&lt;P&gt;Check which CA's the indexer will accept certs from:&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Accepted CAs are displayed under the "&lt;/SPAN&gt;Acceptable client certificate CA names"&lt;SPAN&gt; heading.&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;openssl s_client -connect &amp;lt;indexer_host&amp;gt;:9997 -showcerts -tls1_2&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Try and connect to your indexer from UF using the certs with openssl:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;openssl s_client \
  -connect &amp;lt;indexer_host&amp;gt;:9997 \
  -CAfile /mnt/certs/cert.pem \
  -cert /mnt/certs/cert0.pem \
  -key /mnt/certs/cert0.pem \
  -tls1_2 \
  -state -showcerts&lt;/LI-CODE&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Thu, 22 May 2025 15:35:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746741#M118667</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-05-22T15:35:13Z</dc:date>
    </item>
    <item>
      <title>Re: Using different certificates for TCP and HEC Input results in 'unknown CA' error</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746831#M118679</link>
      <description>&lt;P&gt;Thank you for the replies, both of which have been very helpful in resolving this issue.&lt;/P&gt;&lt;P&gt;Cleaning up the sslRootCAPath settings on the UF is already a good thing by itself.&lt;/P&gt;&lt;P&gt;Investigating the TLS negotiation ultimately lead me to realize that on the indexer, etc/system/local/server.conf did not exist.&lt;/P&gt;&lt;P&gt;In the splunk 9.2.5 docker image, the default.yml file did apparently not get processed by ansible. All the other config files (web.conf, authorize.conf) were also nonexistent.&lt;/P&gt;&lt;P&gt;The fact that there was not rootCACert stored on the indexer explains why the log message states "unknown CA"&lt;/P&gt;</description>
      <pubDate>Fri, 23 May 2025 07:58:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-different-certificates-for-TCP-and-HEC-Input-results-in/m-p/746831#M118679</guid>
      <dc:creator>zapping575</dc:creator>
      <dc:date>2025-05-23T07:58:13Z</dc:date>
    </item>
  </channel>
</rss>

