Hi,
I just followed the answer in the below post to configure SSL between my UF and the indexer:
answers.splunk.com/answers/211383/why-am-i-getting-errors-with-my-ssl-configuration.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
I'm seeing the following error in the splunkd.log when I restart splunkd:
07-06-2017 16:08:22.151 +0100 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkCA,O=SplunkInc,L=SanFrancisco,ST=CA,C=US) failed validation; error=19, reason="self signed certificate in certificate chain"
07-06-2017 16:08:22.151 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.
07-06-2017 16:08:22.151 +0100 ERROR TcpOutputFd - Connection to host=xxx.xxx.xxx.xxx:9778 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
07-06-2017 16:08:22.193 +0100 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkCA,O=SplunkInc,L=SanFrancisco,ST=CA,C=US) failed validation; error=19, reason="self signed certificate in certificate chain"
Any pointers on this would be great. I've tried using signed certs and was seeing the same error.
Your post popped up when I was looking for a solution to my "self signed certificate in certificate chain" error. In my case, it was because my inputs.conf file on the indexer was missing (this is Windows, obviously):
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem
I was still indexing OK from the forwarders, it was just throwing that warning.
Maybe post your inputs.conf [SSL] stanza contents (without any passwords) to give readers some hints.
This is what a functioning version looks like on one of our test indexers:
[SSL]
sslPassword =
requireClientCert = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME\etc\auth\server.pem
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem
Thanks. This solution worked for me as well....
Many thanks for posting your solution. I did eventually resolve this, actually - I should have posted the fix. I used btool to list all of the current parameter values in use, and there was a parameter called something like caserver that I hadn't set and it was still pointing to the default cert.
Hello,
I'm facing exactly the same issue. I'm using commercial certs.
I don't see anything pointing to default certs in my case. Can you tell me what was the exact issue in your case and which file/parameter it was pointing to?
My outputs.conf looks good as well.
Awaiting your reply.
Thanks a ton
Morning,
I had a path that was pointing to the default Splunk self-signed cert in one of my config files. Try using btool to check your effective parameters on the config files used for SSL. For example:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool server list --debug
If you're using Linux you can grep for things like pem or ssl. For further info see:
Also, restart Splunk and watch the splunkd.log for any SSL-related errors when it's coming back up.
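An added example, not part of the original posts: a shell filter over btool --debug output that lists certificate-related settings together with the .conf file that supplied each one, so values inherited from a default directory stand out. The sample output and the function names sample_btool_output, ssl_settings and default_supplied are constructed for illustration, and the key-name pattern is an assumption rather than a complete list of Splunk SSL settings.

```shell
#!/bin/sh
# Added example. btool --debug prefixes each line with the .conf file
# that supplied it; this filter keeps only certificate-related settings.

# Constructed sample of btool --debug output (not from the thread).
sample_btool_output() {
cat <<'EOF'
/opt/splunk/etc/system/local/inputs.conf    [SSL]
/opt/splunk/etc/system/local/inputs.conf    requireClientCert = true
/opt/splunk/etc/system/local/inputs.conf    serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
/opt/splunk/etc/system/default/inputs.conf  sslVersions = tls1.2
/opt/splunk/etc/system/default/inputs.conf  [default]
/opt/splunk/etc/system/local/inputs.conf    host = idx01
/opt/splunk/etc/system/default/server.conf  [sslConfig]
/opt/splunk/etc/system/default/server.conf  caCertFile = cacert.pem
/opt/splunk/etc/system/default/server.conf  caPath = $SPLUNK_HOME/etc/auth
/opt/splunk/etc/system/local/outputs.conf   [tcpout]
/opt/splunk/etc/system/local/outputs.conf   sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem
EOF
}

# Reads btool --debug output on stdin; prints origin, stanza, setting, file
# (tab-separated) for every setting that looks certificate-related.
ssl_settings() {
    awk '
    match($0, /\.conf[ \t]+/) {
        # Split on the ".conf" suffix so install paths with spaces still parse.
        file = substr($0, 1, RSTART + 4)
        setting = substr($0, RSTART + RLENGTH)
        if (setting ~ /^\[/) { stanza = setting; next }
        split(setting, kv, "=")
        key = tolower(kv[1])
        # Assumed pattern, not a complete list of Splunk settings.
        if (key ~ /ssl|cert|rootca|capath/ || tolower(setting) ~ /\.pem/) {
            origin = "local"
            if (index(file, "/default/") || index(file, "\\default\\"))
                origin = "default"
            printf "%s\t%s\t%s\t%s\n", origin, stanza, setting, file
        }
    }'
}

# Settings nobody overrode: values still coming from a default directory.
default_supplied() {
    ssl_settings | awk -F'\t' '$1 == "default"'
}

# Usage on a live host:
#   $SPLUNK_HOME/bin/splunk cmd btool server list --debug | default_supplied
```

Run it against the inputs, outputs and server listings in turn; any line reported as default is a setting that was never overridden locally.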
Hi Sam,
I'm facing exactly the same issue. I ran the btool command but I don't see any keyword like SSL or pem. Do you still recall which specific config file was still pointing to the default Splunk self-signed cert in your case?
Zhang