Security

SSL Error on configuring Splunk forwarding using own certificates

chintu_jain
Explorer

I am trying to setup Splunk forwarding using own certificates. Following is the configuration made.

On Indexer (inputs.conf)

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\splunksslcerts\server.pem
sslPassword = <ssl password>
requireClientCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

On forwarder(outputs.conf)

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = localhost:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\SSL\certs\server.pem
useClientSSLCompression = true
sslPassword = <ssl password>
sslVerifyServerCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

Need help in setting it up as it is failing with the following errors in splunkd.log

In Indexer

05-08-2018 14:46:25.024 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.
05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

In Forwarder

05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=xxx@xx.com,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"
05-08-2018 14:53:53.104 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.
05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2

0 Karma

eswara9
Engager
sslVerifyServerCert = true 

I have added this setting in [sslConfig]
after that portal was not loading then removed 
it started working.

0 Karma

martynoconnor
Communicator

You have this set to true:

sslVerifyServerCert = true

Which means that Splunk will try and verify that the certs in Splunk are actually valid. However the CA is not, so Splunk is unable to verify the authenticity of the cert and will therefore refuse connections. Change this to false and you'll restore communications. Better yet, use self signed certs and a CA that the instances can actually communicate with.

vik_splunk
Communicator

Was this resolved?

We are encountering the same issue as well.

0 Karma

spluzer
Communicator

Any updates to this?

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...