Security

SSL Error while connecting forwarder to Indexer

vishaltaneja070
Motivator

Hello,

I am trying to connect Splunk Forwarder 6.3.3 to Indexer 6.6.3. I am getting the below error while using ssl:

ERROR TcpOutputFd - Connection to host=xx.x.xxx.xxx:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
01-02-2019 02:19:35.424 -0600 ERROR TcpOutputFd - Connection to host=xx.x.xxx.xxx:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

The outputs.conf file on forwarder is:

[tcpout:x_Indexers]
disabled = false
server = abc:9997
autoLB = true
compressed = false
sslpassword = abcd
sslRootCAPath = abc/abc.crt
sslCertPath = abc/abc.pem

The inputs.conf file on Indexer is:

[splunktcp-ssl://9997]
connection_host = abc

[SSL]
compressed = false
password = abcd
requireClientCert = false
rootCA = abc/abc.crt
serverCert = abc/abc.pem

Not sure what is the issue?

Tags (2)
0 Karma
1 Solution

vishaltaneja070
Motivator

Hello,

The issue has been solved after upgrading the forwarder to 6.6 version.

View solution in original post

0 Karma

vishaltaneja070
Motivator

Hello,

The issue has been solved after upgrading the forwarder to 6.6 version.

View solution in original post

0 Karma

ddrillic
Ultra Champion

Btw, please look at Why are there different names for inputs.conf and outputs.conf?

The config parameter names have evolved....

0 Karma

vishaltaneja070
Motivator

Didn't get you?

0 Karma

ddrillic
Ultra Champion

Just wanted to say that some of the configuration parameters for SSL changed their names ; -)

0 Karma

p_gurav
Champion
0 Karma

vishaltaneja070
Motivator

I have done based on this only. But still didn't work out. Any suggestion based on the error?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Look like you didn't follow document properly, it will be good to provide absolute path for certificates and on Indexer and Forwarder sslRootCAPath should be in server.conf

Please go through documentation provided by @p_gurav and you will able to configure it easily.

0 Karma

vishaltaneja070
Motivator

@harsmarvania57
I have followed the doc. As per the doc, server.conf need to defined in Linux system not in case of windows.
And also the same configuration is working in one system where Forwarder is on Windows and Indexer in Windows.
Issue is persisting in case of using Linux Forwarder and Window Forwarder. And In Linux Forwarder i have already pass the sslRootCAPath in server.conf

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

On forwarder, in outputs.conf please change sslPassword = abcd, P is in capital. Also provide Absolute path for certificate, for example Linux forwarder /opt/splunkforwarder/etc/auth/abc/abc.pem.

On indexer, in inputs.conf connection_host should be ip, dns or None

Also can you please confirm are you using same certificate on Indexer and Forwarder?

0 Karma

vishaltaneja070
Motivator

Hello @harsmarvania57

These setting are already in place.
connection_host is set to ip already. I have just send a snapshot kind of thing.

The same setting is working between Windows forwarder and Window indexer.

Is there any issue with forwarder version?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

So what is forwarder version and OS Version? and Splunk version on Indexer and OS version ?

0 Karma