Security
Highlighted

SSL Error on configuring Splunk forwarding using own certificates

Explorer

I am trying to setup Splunk forwarding using own certificates. Following is the configuration made.

On Indexer (inputs.conf)

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\splunksslcerts\server.pem
sslPassword = <ssl password>
requireClientCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

On forwarder(outputs.conf)

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = localhost:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\SSL\certs\server.pem
useClientSSLCompression = true
sslPassword = <ssl password>
sslVerifyServerCert = true
sslCommonNameToCheck = <xxxx.xxxx.xx.com>

Need help in setting it up as it is failing with the following errors in splunkd.log

In Indexer

05-08-2018 14:46:25.024 +0100 WARN SSLCommon - Received fatal SSL3 alert. sslstate='SSLv3 read client certificate A', alertdescription='unknown CA'.
05-08-2018 14:46:25.024 +0100 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:53800. error:14094418:SSL routines:ssl3readbytes:tlsv1 alert unknown ca - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

In Forwarder

05-08-2018 14:53:53.104 +0100 ERROR X509Verify - X509 certificate (emailAddress=xxx@xx.com,CN=xxxx.xxxx.xx.com,O=xx,L=xx,ST=xx,C=xx) failed validation; error=20, reason="unable to get local issuer certificate"
05-08-2018 14:53:53.104 +0100 WARN SSLCommon - Received fatal SSL3 alert. sslstate='SSLv3 read server certificate B', alertdescription='unknown CA'.
05-08-2018 14:53:53.104 +0100 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed. sockerror = 0. SSL Error = error:14090086:SSL routines:ssl3getservercertificate:certificate verify failed - please check the output of the openssl verify command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-08-2018 14:53:53.105 +0100 WARN TcpOutputProc - Applying quarantine to ip=127.0.0.1 port=9997 _numberOfFailures=2

0 Karma
Highlighted

Re: SSL Error on configuring Splunk forwarding using own certificates

Communicator

Was this resolved?

We are encountering the same issue as well.

0 Karma
Highlighted

Re: SSL Error on configuring Splunk forwarding using own certificates

Communicator

You have this set to true:

sslVerifyServerCert = true

Which means that Splunk will try and verify that the certs in Splunk are actually valid. However the CA is not, so Splunk is unable to verify the authenticity of the cert and will therefore refuse connections. Change this to false and you'll restore communications. Better yet, use self signed certs and a CA that the instances can actually communicate with.

0 Karma