Getting Data In

How to troubleshoot "SSL Validation Failed for <VPC S3 Private Endpoint>" in Splunk AWS Add-on?

adnankhan5133
Communicator

While configuring an S3 input in the Splunk Add-on for AWS, I received an error message stating that "SSL Validation failed" because the VPC S3 Endpoint did not match a series of S3 bucket endpoint names (e.g. s3.us-east-1.amazonaws.com).

As part of the Splunk AWS Add-on naming convention for private endpoints, the Private Endpoint URL for the S3 bucket must be https://vpce-<endpoint_id>-<unique_id>.s3.<region>.vpce.amazonaws.com

After creating the endpoints, we're running into the SSL Validation errors. Any idea what could be causing this?

Labels (1)
Tags (3)
0 Karma

ChristophR
Explorer

Bit of an old post but I had this exact error, spent way too long troubleshooting it, and was saddened when this post didnt have an accepted solution.

The problem is, the s3 vpc endpoint you are using DOES NOT match the supported format Splunk expects.  Then, when it tries to do hostname validation (s3 VPC endpoint) against the expected format, it fails and throws this ugly error.

you said:

"As part of the Splunk AWS Add-on naming convention for private endpoints, the Private Endpoint URL for the S3 bucket must be https://vpce-<endpoint_id>-<unique_id>.s3.<region>.vpce.amazonaws.com"

This isnt true, as the docs explain.  You actually need to use:

ChristophR_0-1697186018330.png

Thus, the format for S3 is actually https://bucket.vpce-<endpoint_id>-<unique_id>.s3.<region>.vpce.amazonaws.com.  I didnt read the documentation closely enough and wasted a lot of time.. so I hope this helps someone.

 

PickleRick
SplunkTrust
SplunkTrust

Do a openssl s_client -connect to your s3 endpoint host with -showcerts and see what's wrong with the cert ans certification path if anything.

0 Karma

adnankhan5133
Communicator

Thanks - we didn't see any errors in the output after running the OpenSSL command. The output showed that we were able to connect without issues, but we're still seeing the VPC Endpoint error within the Splunk HF console.  

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I've never used this add-on but since you're talking about HF, I assume it contains some modular input connecting to this S3 endpoint, right?

Check for bundled-in CA certificates trusted by the input. Maybe there's a difference - your system-wide openssl has other trusted CA database and the input uses another one.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...