All Apps and Add-ons

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

clemes
New Member

Hello,

Can anyone help me in getting this error resolved ?

2024-08-09 10:50:00,282 DEBUG pid=8956 tid=MainThread file=connectionpool.py:_new_conn:1007 | Starting new HTTPS connection (5): cisco-managed-ap-northeast-2.s3.ap-northeast-2.amazonaws.com:443
2024-08-09 10:50:00,312 DEBUG pid=8956 tid=MainThread file=endpoint.py:_do_get_response:205 | Exception received when sending HTTP request.
Traceback (most recent call last):
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 710, in urlopen
chunked=chunked,
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connection.py", line 429, in connect
tls_in_tls=tls_in_tls,
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
sock, context, tls_in_tls, server_hostname=server_hostname
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 423, in wrap_socket
session=session
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 870, in _create
self.do_handshake()
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 1139, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

Labels (1)
0 Karma

Meett
Splunk Employee
Splunk Employee

Can you try to add SSL CA Chain to below location and see if it works?

 

1) /opt/splunk/lib/python3.7/site-packages/certifi

And

2) /etc/apps/<Add-on_folder>/lib/certify

 

0 Karma

kiran_panchavat
Contributor

This indicates that the SSL certificate is either missing from the certificate store or has expired in the add-on. Additionally, if the server is configured to use a self-signed or third-party certificate, it may not be included in the certificate store used by the add-on.

0 Karma

clemes
New Member

Hello,

Thank you for the response

I had taken captues, there's only 2 lines followed by an ACK and a FIN, ACK:

TLSv1.2 Client Hello
TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
TCP [ACK]
TCP [FIN, ACK]

I understood the issue is with Client certificate. Can you kindly help me answer the below:
Where do I find the certificates that is used by TA-cisco-cloud-security-umbrella-addon in Splunk ? What is the path/location of the certificate store used by the TA-cisco-cloud-security-umbrella-addon ?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

No. It's not about the client certificate. I understand that the FIN/ACK packet comes from your end of the connection. And the message clearly indicates that it's the server's certificate which is not trusted.

I asked about on-prev vs. cloud earlier because the additional question with an on-prem installation is whether you are using any TLS-inspection tools in your network. Either as an explicit proxy or as pass-through appliance. Anyway, first thing I'd try would be to simply openssl s_client to that Cisco service and make sure what the cert looks like before you start looking for local trusted cert store.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Are you trying to set it up in Cloud or on-prem? (the section of Answers where you posted it suggests Cloud but it's better to be sure).

0 Karma

clemes
New Member

On-prem

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...