Trying to configure SSL in Splunk, why is my forwarder reporting "certificate verify failed"?

chawagon03
Path Finder

So I'm trying to simulate enabling SSL from all aspects of Splunk and I can't get the forwarder to talk to the indexer at all. I've followed along with both .conf presentations regarding SSL and the Splunk docs > securing Splunk and I can't get it to work.

I can get Splunk Web to work as https using my signed certs. The indexers open the port with my signed certs and enable the port to be SSL; however, forwarders don't work at all. I get this error:

02-11-2016 15:45:40.789 +0000 ERROR TcpOutputFd - Connection to host=xxx.xx.x.x:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Does anyone have any troubleshooting techniques that can help solve this? It seems like all the questions on here are unanswered, and I would really like to get over this issue.

Here is my inputs.conf on my local indexer

[SSL]
rootCA = $SPLUNK_HOME/etc/apps/idx_ssl/local/ca-cert.pem
serverCert = $SPLUNK_HOME/etc/apps/idx_ssl/local/server.pem
password = password
# sslVersions = tls
# requireClientCert = true
[splunktcp-ssl:9997]
compressed = true

Here is my outputs.conf on my forwarder

[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = xxx.xx.x.x:9997
sslCertPath = $SPLUNK_HOME/etc/apps/fw_ssl/local/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/fw_ssl/local/ca-cert.pem
sslPassword = password
# sslVerifyServerCert = true
# sslCommonNameToCheck = Splunk

Things that are commented out were also uncommented, with the same results. Just thought I would include all of what I've tried.

All these values are local development, nothing prod.

1 Solution

chawagon03
Path Finder

After beating my head for a few hours, I have solved my issue and thought I would post it on here as well.

When creating the CSR files for the certificates, DON'T USE THE SAME COMMON NAME. This is what I did, and I read that it will fail if they have the same CN. I created the self-signed certs again and voila!

tkmads1
Explorer

Thanks for the post!! We are facing the same issue in our environment, and this post helped us find it.

mdaedalus
Explorer

Where is this documented, or where did you read it? Was it a splunk doc, or something from the web? I've beat my head on this for a while. Going to try this fix now. Thanks for this doc at least. 🙂

badrinath_dash
Explorer

Thank you!! I had the same problem in my environment and this post helped me to figure out this issue.

lib_systems
Path Finder

I was getting the same error and realized I was using the same common name in both CSR files. However, at least for my case, it wasn't just that the CNs needed to be different. When creating the CSR for the root CA I needed to leave the CN blank, while when creating the CSR for the server cert I specified the desired CN. This resolved the errors for me.
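
A pre-deployment check for the subject collision described in the accepted solution and in the last reply, as an added example that is not part of the original thread: it uses the openssl CLI to compare the CA certificate's subject with the server certificate's subject and issuer. The function names, file names and CNs are constructed for illustration.

```shell
# Print a certificate's subject or issuer DN in RFC 2253 form for comparison.
cert_field() {  # $1 = PEM file, $2 = subject|issuer
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 |
    sed -e "s/^$2=[[:space:]]*//"
}

# Returns 0 = sane pair, 1 = server shares the CA's subject,
# 2 = server cert names a different issuer than this CA.
check_pair() {  # $1 = CA cert, $2 = server cert
  local ca_subj srv_subj srv_issuer
  ca_subj=$(cert_field "$1" subject)
  srv_subj=$(cert_field "$2" subject)
  srv_issuer=$(cert_field "$2" issuer)
  if [ "$srv_issuer" != "$ca_subj" ]; then
    echo "MISMATCH: issuer '$srv_issuer' is not CA subject '$ca_subj'"
    return 2
  fi
  if [ "$srv_subj" = "$ca_subj" ]; then
    echo "COLLISION: CA and server cert share subject '$ca_subj'"
    return 1
  fi
  echo "OK: '$srv_subj' issued by '$ca_subj'"
}

# Build a throwaway CA and server cert (constructed test data, not the thread's).
make_pair() {  # $1 = output dir, $2 = CA CN, $3 = server CN
  mkdir -p "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca-cert.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca-cert.pem" \
    -CAkey "$1/ca.key" -set_serial 2 -days 1 \
    -out "$1/server-cert.pem" 2>/dev/null
}

demo() {
  local tmp d
  tmp=$(mktemp -d)
  make_pair "$tmp/same" Splunk Splunk
  make_pair "$tmp/diff" "Dev Root CA" idx1.example.test
  for d in "$tmp/same" "$tmp/diff"; do
    check_pair "$d/ca-cert.pem" "$d/server-cert.pem" || true
    # Show what this OpenSSL build's verifier says about the same pair.
    openssl verify -CAfile "$d/ca-cert.pem" "$d/server-cert.pem" || true
  done
  rm -rf "$tmp"
}
demo
```

When the server file is a combined PEM such as `server.pem`, `openssl x509` reads the first certificate in it, so the server certificate must come first for `check_pair` to inspect the right one.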
