We are adding a Zscaler proxy to be used by the Splunk TA for O365. Our security group is providing a Root CA 4 pem file for us to use.
Our Splunk environment runs on RHEL and our enterprise is Splunk v8.2.1. The splunk user (configured via .bashrc) has the http and https proxy environment variables set to the correct entries. In addition, we have this variable defined:
When Splunk starts up we see this error, and it fails to retrieve any events from the remote site. The error is:
requests.exceptions.SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /url-path-made-up/oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
2022-01-13 15:36:41,891 level=INFO pid=25373 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."
Talking to our security team, they are wondering where the O365 TA is looking for certificates. Any help to get us past this error? Also, reading some older Answers, it appears SSL verification is turned off by default.
This is very important to us because we have more Splunk TAs that will need to talk to the Zscaler proxy.
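As an added example (not from the original poster, the Splunk add-on, or Zscaler), here is a stdlib-only Python check of where a `requests`-based Python client resolves its CA bundle from, plus a merge that appends a proxy root CA such as the Root CA 4 pem to a copy of an existing bundle without duplicating certificates already in it. The PEM blocks and bundle contents below are constructed placeholders, and whether the add-on's bundled Python honours these environment variables is an assumption to confirm against the add-on itself.

```python
import base64
import hashlib
import os
import re
import ssl

# One PEM certificate block; private-key blocks and comments are ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def ca_lookup_order():
    """Trust-root sources: requests checks REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE
    (else its own certifi file); OpenSSL honours its env var and built-in paths."""
    paths = ssl.get_default_verify_paths()
    return {
        "REQUESTS_CA_BUNDLE": os.environ.get("REQUESTS_CA_BUNDLE"),
        "CURL_CA_BUNDLE": os.environ.get("CURL_CA_BUNDLE"),
        paths.openssl_cafile_env: os.environ.get(paths.openssl_cafile_env),
        "openssl_default_cafile": paths.openssl_cafile,
        "openssl_default_capath": paths.openssl_capath,
    }

def cert_fingerprints(pem_text):
    """Map SHA-256 of each certificate's DER bytes to its PEM block."""
    out = {}
    for m in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        out[hashlib.sha256(der).hexdigest()] = m.group(0)
    return out

def merge_bundles(base_pem, extra_pem):
    """Append certificates from extra_pem that base_pem lacks.
    Returns (combined PEM, number added); re-running on the result adds zero."""
    seen = cert_fingerprints(base_pem)
    parts, added = [base_pem.rstrip("\n")], 0
    for fp, block in cert_fingerprints(extra_pem).items():
        if fp not in seen:
            parts.append(block)
            seen[fp] = block
            added += 1
    return "\n".join(parts) + "\n", added

def pem_block(label):
    """Constructed stand-in for a certificate: base64 of a label, not real DER."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed inputs: a pre-existing bundle and the proxy root CA to add.
EXISTING_BUNDLE = pem_block(b"public-root-1") + pem_block(b"public-root-2")
PROXY_ROOT_CA = pem_block(b"proxy-root-ca-4")
```

Writing the merged text to a file and pointing the client's CA-bundle variable at it (rather than editing the client's own certifi file, which an upgrade overwrites) keeps the public roots and the proxy root in one place.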