Security

SSL Error on configuring Splunk forwarding using own certificates

chintu_jain
Explorer

I am trying to setup Splunk forwarding using own certificates. Following is the configuration made.

On Indexer (inputs.conf)

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\splunksslcerts\server.pem
sslPassword = <ssl password>
requireClientCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

On forwarder(outputs.conf)

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = localhost:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\SSL\certs\server.pem
useClientSSLCompression = true
sslPassword = <ssl password>
sslVerifyServerCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

Need help in setting it up as it is failing with the following errors in splunkd.log

In Indexer

05-08-2018 14:46:25.024 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.
05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

In Forwarder

05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=xxx@xx.com,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"
05-08-2018 14:53:53.104 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.
05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2

0 Karma

eswara9
Engager
sslVerifyServerCert = true 

I have added this setting in [sslConfig]
after that portal was not loading then removed 
it started working.

0 Karma

martynoconnor
Communicator

You have this set to true:

sslVerifyServerCert = true

Which means that Splunk will try and verify that the certs in Splunk are actually valid. However the CA is not, so Splunk is unable to verify the authenticity of the cert and will therefore refuse connections. Change this to false and you'll restore communications. Better yet, use self signed certs and a CA that the instances can actually communicate with.

vik_splunk
Communicator

Was this resolved?

We are encountering the same issue as well.

0 Karma

spluzer
Communicator

Any updates to this?

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...