Hello,

I have a Splunk forwarder forwarding logs to a Splunk Server, and the SplunkServer is using a LetsEncrypt CA cert. I have tried a couple of directives but they dont see to work.

Here are my configs:

outputs.conf
[tcpout] 
useACK = true 
indexAndForward = false 
defaultGroup = splunkssl 
forwardedindex.0.whitelist = modsec 

[tcpout:splunkssl] 
compressed = true 
server = splunkserver.ip.com:9998 
clientCert = /opt/splunkforwarder/etc/certs/client.pem 

[tcpout-server://splunkserver.ip.com:9998] 
#sslRootCAPath = /opt/splunkforwarder/etc/certs/cacert.pem 
sslRootCAPath = /opt/splunkforwarder/etc/certs/letsencryptca.pem sslVerifyServerCert = true 
sslCommonNameToCheck = splunkserver-alias.ip.com

I found my issue here in the forums, but the response was to disable sslVerifyServerCert.. which I can not do.

Here is the error I get:

05-30-2023 16:19:21.265 -0700 ERROR TcpOutputFd - Connection to host=splunkserver.ip.com:9998 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.