Hello,
Can anyone help me get this error resolved?
2024-08-09 10:50:00,282 DEBUG pid=8956 tid=MainThread file=connectionpool.py:_new_conn:1007 | Starting new HTTPS connection (5): cisco-managed-ap-northeast-2.s3.ap-northeast-2.amazonaws.com:443
2024-08-09 10:50:00,312 DEBUG pid=8956 tid=MainThread file=endpoint.py:_do_get_response:205 | Exception received when sending HTTP request.
Traceback (most recent call last):
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 710, in urlopen
chunked=chunked,
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connection.py", line 429, in connect
tls_in_tls=tls_in_tls,
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
sock, context, tls_in_tls, server_hostname=server_hostname
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 423, in wrap_socket
session=session
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 870, in _create
self.do_handshake()
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 1139, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)
Can you try adding the SSL CA chain to the locations below and see if it works?
1) /opt/splunk/lib/python3.7/site-packages/certifi
And
2) /etc/apps/<Add-on_folder>/lib/certify
This indicates that the SSL certificate is either missing from the certificate store or has expired in the add-on. Additionally, if the server is configured to use a self-signed or third-party certificate, it may not be included in the certificate store used by the add-on.
Hello,
Thank you for the response
I had taken captures; there are only 2 lines, followed by an ACK and a FIN, ACK:
TLSv1.2 Client Hello
TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
TCP [ACK]
TCP [FIN, ACK]
I understood the issue is with Client certificate. Can you kindly help me answer the below:
Where do I find the certificates that are used by TA-cisco-cloud-security-umbrella-addon in Splunk? What is the path/location of the certificate store used by the TA-cisco-cloud-security-umbrella-addon?
No. It's not about the client certificate. I understand that the FIN/ACK packet comes from your end of the connection. And the message clearly indicates that it's the server's certificate which is not trusted.
I asked about on-prem vs. cloud earlier because the additional question with an on-prem installation is whether you are using any TLS-inspection tools in your network, either as an explicit proxy or as a pass-through appliance. Anyway, the first thing I'd try would be to simply openssl s_client to that Cisco service and make sure what the cert looks like before you start looking for the local trusted cert store.
Are you trying to set it up in Cloud or on-prem? (the section of Answers where you posted it suggests Cloud but it's better to be sure).
On-prem
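An added example, not part of the thread and not the add-on's own code: a way to list the certifi-style CA bundles (`cacert.pem`) under an add-on directory, plus any bundle set through the usual override variables, and check whether a given CA certificate is present in each. The function names, the directory layout in the demo, and the byte strings standing in for certificates are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
# Variables that override the CA bundle for requests, botocore and OpenSSL.
OVERRIDE_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "AWS_CA_BUNDLE",
                 "SSL_CERT_FILE")


def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block found in PEM text."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest()
            for b in PEM_BLOCK.findall(pem_text)}


def find_bundles(root):
    """Every certifi-style cacert.pem below root (e.g. an add-on directory)."""
    return sorted(os.path.join(d, "cacert.pem")
                  for d, _dirs, files in os.walk(root) if "cacert.pem" in files)


def audit(root, issuer_pem, environ=os.environ):
    """Per bundle: how many certs it holds and whether issuer_pem is in it."""
    wanted = fingerprints(issuer_pem)
    paths = find_bundles(root) + [
        environ[v] for v in OVERRIDE_VARS
        if environ.get(v) and os.path.isfile(environ[v])]
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            have = fingerprints(fh.read())
        report[path] = {"certs": len(have),
                        "has_issuer": bool(wanted) and wanted <= have}
    return report


if __name__ == "__main__":
    import tempfile
    # Constructed sample: byte strings stand in for real DER certificates.
    root = tempfile.mkdtemp()
    bundle_dir = os.path.join(root, "aob_py3", "certifi")
    os.makedirs(bundle_dir)
    with open(os.path.join(bundle_dir, "cacert.pem"), "w") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(b"constructed public root"))
    proxy_ca = ssl.DER_cert_to_PEM_cert(b"constructed inspection CA")
    print(audit(root, proxy_ca, environ={}))
```

On a real system, call `audit()` with the add-on's directory and the PEM text of the CA that should anchor the chain; a bundle reporting `has_issuer: False` is one that cannot validate that chain.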