I am trying to connect Splunk Forwarder 6.3.3 to Indexer 6.6.3. I am getting the below error while using ssl:
ERROR TcpOutputFd - Connection to host=xx.x.xxx.xxx:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
01-02-2019 02:19:35.424 -0600 ERROR TcpOutputFd - Connection to host=xx.x.xxx.xxx:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
The outputs.conf file on forwarder is:
[tcpout:x_Indexers]
disabled = false
server = abc:9997
autoLB = true
compressed = false
sslpassword = abcd
sslRootCAPath = abc/abc.crt
sslCertPath = abc/abc.pem
The inputs.conf file on Indexer is:
[splunktcp-ssl://9997]
connection_host = abc
[SSL]
compressed = false
password = abcd
requireClientCert = false
rootCA = abc/abc.crt
serverCert = abc/abc.pem
Not sure what the issue is.
Looks like you didn't follow the document properly. It would be good to provide absolute paths for the certificates on the Indexer and Forwarder.
sslRootCAPath should be in server.conf
Please go through the documentation provided by @p_gurav and you will be able to configure it easily.
I have followed the doc. As per the doc, server.conf needs to be defined on a Linux system, not in the case of Windows.
Also, the same configuration is working in one system where the Forwarder is on Windows and the Indexer is on Windows.
The issue persists when using a Linux Forwarder and a Windows Forwarder. And on the Linux Forwarder I have already passed the sslRootCAPath in server.conf.
On forwarder, in outputs.conf please change
sslPassword = abcd,
The P is capitalized. Also provide the absolute path for the certificate, for example Linux forwarder
On indexer, in inputs.conf
connection_host should be
ip, dns or None
Also, can you please confirm whether you are using the same certificate on the Indexer and Forwarder?
These settings are already in place.
connection_host is set to ip already. I have just sent a snapshot kind of thing.
The same setting is working between a Windows forwarder and a Windows indexer.
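The three checks suggested in the answers above (exact `sslPassword` spelling, absolute certificate paths, `connection_host` set to ip, dns or none) can be run mechanically over a conf file. This is an added example, not part of the thread and not Splunk's own tooling; the function names are hypothetical, and it does not validate the certificate chain itself.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Settings from the thread whose values are certificate file paths.
PATH_KEYS = {"sslRootCAPath", "sslCertPath", "rootCA", "serverCert"}
# Exact spellings as used in the thread (setting names are case-sensitive).
KNOWN_KEYS = PATH_KEYS | {"sslPassword", "password", "connection_host"}
HOST_VALUES = {"ip", "dns", "none"}

# The question's outputs.conf, abridged to the SSL-related lines.
OUTPUTS_CONF = """\
[tcpout:x_Indexers]
server = abc:9997
sslpassword = abcd
sslRootCAPath = abc/abc.crt
sslCertPath = abc/abc.pem
"""

def parse_conf(text):
    """Return (stanza, key, value) tuples from .conf text."""
    stanza, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            rows.append((stanza, key, value))
    return rows

def is_absolute(path):
    # Assumption: a $SPLUNK_HOME prefix is treated as absolute.
    return (path.startswith("$SPLUNK_HOME")
            or PurePosixPath(path).is_absolute()
            or PureWindowsPath(path).is_absolute())

def lint(text):
    """Flag the three problems raised in the answers."""
    findings = []
    canonical = {k.lower(): k for k in KNOWN_KEYS}
    for stanza, key, value in parse_conf(text):
        want = canonical.get(key.lower())
        if want and key != want:
            findings.append(f"[{stanza}] {key}: spell it {want}")
        if want in PATH_KEYS and not is_absolute(value):
            findings.append(f"[{stanza}] {key}: path is not absolute")
        if want == "connection_host" and value.lower() not in HOST_VALUES:
            findings.append(f"[{stanza}] {key}: expected ip, dns or none")
    return findings
```

Calling `lint(OUTPUTS_CONF)` on the forwarder config as posted reports the `sslpassword` spelling and both relative certificate paths.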
Is there any issue with forwarder version?