Splunk Connect for k8S - HTTPS problem

npe
Engager

Hello,

I am trying to configure Splunk Connect for Kubernetes to capture a k8s cluster's application logs.

I have problems when configuring the HTTPS connection to HEC.

On the Heavy Forwarder, I have configured a ServerCert, which has been signed by our Company Authority.

Then, on Splunk Connect for Kubernetes Helm, if I configure https:

  splunk:
    hec:
      # host is required and should be provided by user
      host: hostname.domain.com
      # token is required and should be provided by user
      token: MY-HEC-TOKEN
      # protocol has two options: "http" and "https", default is "https"
      # For self signed certificate leave this field blank
      protocol: https

When deploying, I see the following logs on the Heavy Forwarder:

01-25-2022 09:37:16.729 +0100 WARN  SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'.
01-25-2022 09:37:16.729 +0100 WARN  HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

I have to configure insecureSSL: true to get the connection working and see logs on Indexer.

But if I activate the HTTPS connection, I do not want it to be insecure ^^.

I am a bit confused about the Splunk Connect for Kubernetes configuration.

Can I use:

splunk:
  # Configurations for HEC (HTTP Event Collector)
  hec:
    # The PEM-format CA certificate file.
    # NOTE: The content of the file itself should be used here, not the file path.
    #       The file will be stored as a secret in kubernetes.
    caFile:

To configure my Company CA?

Or are the keys clientCert, clientKey and caFile only used for mTLS configuration?

Thank you in advance for your answers.

Regards.

Nicolas.
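
The Heavy Forwarder log above points at `openssl verify`. As an added example (not part of the original post and not Splunk's code), the script below builds a constructed throwaway CA and server certificate and runs that check twice: against the default trust store, where the private issuer is unknown, and with the CA PEM supplied explicitly. The CA name, the file names and the functions `make_lab_pki`, `verify_hec_cert` and `demo` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: reproduce an "unknown CA" verification failure offline.
# The lab PKI below is constructed; names and paths are illustrative assumptions.

# Create a throwaway CA and a server certificate for host $2 in directory $1.
make_lab_pki() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Company CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  # Hostname checks use the subjectAltName, so the server cert must carry one.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -days 1 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.pem" 2>/dev/null
}

# Verify server cert $1 for host $2. With $3 set, trust that CA PEM;
# without it, only the system default trust store is consulted.
verify_hec_cert() {
  cert=$1; host=$2; ca=${3:-}
  if [ -n "$ca" ]; then
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$host" "$cert" >/dev/null 2>&1
  fi
}

demo() {
  d=$(mktemp -d) || return 1
  make_lab_pki "$d" hostname.domain.com || return 1
  if verify_hec_cert "$d/server.pem" hostname.domain.com; then
    echo "default trust: OK (unexpected for a private CA)"
  else
    echo "default trust: FAIL, issuer is unknown to this client"
  fi
  if verify_hec_cert "$d/server.pem" hostname.domain.com "$d/ca.pem"; then
    echo "with company CA PEM: OK"
  else
    echo "with company CA PEM: FAIL"
  fi
  rm -rf "$d"
}

demo
```

The same `openssl verify -CAfile` call can be pointed at the Heavy Forwarder's real server certificate and the company CA PEM to confirm that the chain and hostname validate before relying on that PEM as a trust anchor.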

 
