How to configure SSL/TLS for forwarding
I tried to configure an SSL/TLS connection between the Forwarder and the Indexer.
On forwarder /opt/splunkforwarder/etc/system/local/output.conf:
```
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = my.domain.com:9998
disabled = 0
clientCert = /opt/splunk/etc/auth/mycerts/client.pem
useClientSSLCompression = true
[tcpout-server://my.domain.com:9998]
```
Certificate has been created by Certbot and prepared according to the instructions. Works well for Splunk Web and I believe it works here too.
On indexer /opt/splunk/etc/system/local/inputs.conf
```
[splunktcp-ssl:9998]
disabled=0
[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/test_full.pem
```
test_full.pem - prepared certificate from Certbot.
If I use the forwarder without certificates everything works fine, so there are no connection errors.
Output of splunk list forward-server
```
Configured but inactive forwards:
my.domain.com:9998
```
From /var/log/splunk/splunkd.log I can see the following error:
```
05-22-2024 11:51:03.823 +0000 ERROR TcpOutputFd [29087 TcpOutEloop] - Read error. Connection reset by peer
05-22-2024 11:51:03.823 +0000 WARN AutoLoadBalancedConnectionStrategy [29087 TcpOutEloop] - Applying quarantine to ip=99.99.99.99 port=9998 connid=2 _numberOfFailures=2
```
Could you please help me debug the problem?
Hi @Haleb,
did you follow all the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/ConfigureSplunkforwardingtousesignedcert.... ?
Ciao.
Giuseppe
Hi, @gcusello
Yes, I did
@gcusello
As I can see, some of them are optional
Hi @Haleb,
not all of them, e.g. password that must be the same both on Indexers and on Forwarders.
Follow the configuration in the url.
Ciao.
Giuseppe
Can you clarify what password you are talking about? The link that you sent me has only the sslPassword field, which should be used only if I use a password for my certificate.
I tried to create a new certificate with a password and still have the same error as previously:
```
Error encountered for connection from src=111.111.111.111:44922. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
```
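Added example, not part of the thread: OpenSSL reports `SSL23_GET_CLIENT_HELLO:unknown protocol` when the first bytes arriving on a TLS listener do not parse as a TLS ClientHello, which usually means the sender is not speaking TLS on that port. The sketch below shows the check on a real ClientHello and on a cleartext payload; the function names and the cleartext sample are constructed for illustration.

```python
import ssl
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_RECORD = 16384     # maximum plaintext TLS record length

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a TLS listener received from a peer."""
    if len(data) < 6:
        return "too_short"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    # A TLS record starts with type 0x16 and version 3.x (SSLv3 .. TLS 1.3).
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 4:
        return "not_tls"
    if rec_len == 0 or rec_len > MAX_RECORD:
        return "not_tls"
    if data[5] != CLIENT_HELLO:
        return "tls_not_client_hello"
    return "tls_client_hello"

def sample_client_hello(hostname: str = "my.domain.com") -> bytes:
    """Produce a genuine ClientHello offline using in-memory BIOs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # no peer: stops after writing ClientHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

# Constructed stand-in for what a sender with TLS disabled would transmit.
PLAINTEXT_SAMPLE = b"constructed cleartext forwarder payload\n"

if __name__ == "__main__":
    for label, blob in (("tls sender", sample_client_hello()),
                        ("cleartext sender", PLAINTEXT_SAMPLE)):
        print(f"{label:17s} first bytes {blob[:6].hex()} -> "
              f"{classify_first_bytes(blob)}")
```

If a capture of the forwarder's first packet to port 9998 classifies as `not_tls`, the forwarder is sending unencrypted data, and its TLS settings are not taking effect.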