Security

Splunk Connect for k8s - HTTPS problem

npe
Engager

Hello,

I am trying to configure Splunk Connect for Kubernetes to capture a k8s cluster's application logs.

I have problems when configuring the HTTPS connection to HEC.

On the Heavy Forwarder, I have configured a ServerCert, which has been signed by our Company Authority.

Then, on Splunk Connect for Kubernetes Helm, if I configure https:

  splunk:
    hec:
      # host is required and should be provided by user
      host: hostname.domain.com
      # token is required and should be provided by user
      token: MY-HEC-TOKEN
      # protocol has two options: "http" and "https", default is "https"
      # For self signed certificate leave this field blank
      protocol: https

When deploying, I see the following logs on the Heavy Forwarder:

01-25-2022 09:37:16.729 +0100 WARN  SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'.
01-25-2022 09:37:16.729 +0100 WARN  HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.


I have to configure insecureSSL: true to get the connection working and see logs on Indexer.

But if I activate the HTTPS connection, I do not want it to be insecure ^^.

I am a bit confused about Splunk Connect 4 Kubernetes configuration.

Can I use:

splunk:
  # Configurations for HEC (HTTP Event Collector)
  hec:
    # The PEM-format CA certificate file.
    # NOTE: The content of the file itself should be used here, not the file path.
    #       The file will be stored as a secret in kubernetes.
    caFile:

To configure my Company CA?

Or are the keys clientCert, clientKey and caFile only used for mTLS configuration?

Thank you in advance for your answers.

Regards.

Nicolas.
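
An added example, not part of the original post and not Splunk's own tooling: a small parser for the two splunkd.log warnings quoted above that reports which client addresses are rejecting the Heavy Forwarder's certificate, useful for confirming which pods still lack the CA once the trust configuration changes. Pairing the SSLCommon and HttpListener lines by timestamp and thread id is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# The two splunkd.log lines quoted in the post; the trailing hint text of the
# HttpListener line is left out because the parser does not need it.
SAMPLE_LOG = """\
01-25-2022 09:37:16.729 +0100 WARN  SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'.
01-25-2022 09:37:16.729 +0100 WARN  HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

# Fields: timestamp, level, component, [thread-id thread-name], message
LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \w+ +(?P<comp>\w+) \[(?P<tid>\d+) [^\]]*\] - (?P<msg>.*)$")
ALERT = re.compile(r"Received fatal SSL3 alert\..*alert_description='(?P<alert>[^']+)'")
PEER = re.compile(r"Socket error from (?P<ip>\d+(?:\.\d+){3}):\d+")


def failed_tls_peers(log_text):
    """Return Counter {(peer_ip, alert): count} for fatal TLS alerts received."""
    alerts, peers = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a splunkd.log line in the expected layout
        key = (m["ts"], m["tid"])  # assumption: same timestamp + thread = same event
        if m["comp"] == "SSLCommon" and (a := ALERT.search(m["msg"])):
            alerts.append((key, a["alert"].lower()))
        elif m["comp"] == "HttpListener" and (p := PEER.search(m["msg"])):
            peers[key] = p["ip"]
    return Counter((peers.get(key, "unknown-peer"), alert) for key, alert in alerts)


def diagnose(alert):
    """Explain an alert that the server *received*, i.e. one sent by the client."""
    if alert == "unknown ca":
        return "client does not trust the CA that issued the server certificate"
    return "client aborted the handshake; see the TLS alert description"


if __name__ == "__main__":
    for (ip, alert), n in failed_tls_peers(SAMPLE_LOG).items():
        print(f"{ip}: {n} x '{alert}' -> {diagnose(alert)}")
```

Because the alert is logged as received by the server, it was sent by the connecting client, so the fix belongs in the client's trust configuration rather than in the server certificate settings.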

 
