topic Re: Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"? in Getting Data In

Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

samhodgson — Tue, 29 Sep 2020 14:46:14 GMT

Hi,

I just followed the answer in the below post to configure SSL between my UF and the indexer:

answers.splunk.com/answers/211383/why-am-i-getting-errors-with-my-ssl-configuration.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

Im seeing the following error in the splunkd.log when i restart splunkd:

07-06-2017 16:08:22.151 +0100 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkCA,O=SplunkInc,L=SanFrancisco,ST=CA,C=US) failed validation; error=19, reason="self signed certificate in certificate chain"
07-06-2017 16:08:22.151 +0100 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.
07-06-2017 16:08:22.151 +0100 ERROR TcpOutputFd - Connection to host=xxx.xxx.xxx.xxx:9778 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
07-06-2017 16:08:22.193 +0100 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkCA,O=SplunkInc,L=SanFrancisco,ST=CA,C=US) failed validation; error=19, reason="self signed certificate in certificate chain"

Any pointers on this would be great, i've tried using signed certs and was seeing the same error.

Re: Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

cmaier — Tue, 29 Sep 2020 14:54:02 GMT

Your post popped up when I was looking for a solution to my "self signed certificate in certificate chain" error. In my case, it was because my inputs.conf file on the indexer was missing (this is Windows, obviously):
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem

I was still indexing OK from the forwarders, it was just throwing that warning.

Maybe post your inputs.conf [SSL] stanza contents (without any passwords) to give readers some hints.

This is what a functioning version looks like on one of our test indexers:

[SSL]
sslPassword =
requireClientCert = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME\etc\auth\server.pem
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem

Re: Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

samhodgson — Thu, 13 Jul 2017 07:58:02 GMT

Many thanks for posting your solution, I did eventually resolve this actually - i should have posted the fix. I used btool to list all of the current parameter values in use and there was a parameter called something like caserver that I hadnt set and it was still pointing to the default cert.

Re: Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

splunk_kk — Thu, 29 Mar 2018 09:23:58 GMT

Hello,

I'm facing exactly the same issue. I'm using commercial certs.

I don't see anything pointing to default certs in my case. Can you tell me what was the exact issue in your case and which file/parameter it was pointing to?

my outputs.conf looks good as well.

Awaiting your reply.

Thanks a ton

Re: Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

samhodgson — Tue, 29 Sep 2020 18:51:06 GMT

Morning,

I had a path that was pointing to the default splunk seif signed cert in one of my config files. Try using btool to check your effective parameters on the config files used for SSL. For example:

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool server list --debug

If your using linux you can grep for things like pem or ssl. For further info see:

http://docs.splunk.com/Documentation/Splunk/7.0.3/Troubleshooting/Usebtooltotroubleshootconfigurations

Also, restart splunk and watch the splunkd.log for any ssl related errors when its coming back up.

Re: Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

reswob4 — Wed, 07 Aug 2019 12:56:11 GMT

Thanks. This solution worked for me as well....

Re: Why is SSL on Universal Forwarder failing with error "WARN SSLCommon - Received fatal SSL3 alert"?

zzhao05 — Thu, 13 Feb 2020 02:33:28 GMT

Hi Sam,
I'm facing the exactly same issue. I ran the btool command but I don't see any key word like SSL or pem.. Do you still recall what specific config files that was still pointing to the default splunk self signed cert in your case?

Zhang