Solved: Trying to configure SSL in Splunk, why is my forwa...

chawagon03 · ‎02-11-2016

So I'm trying to simulate enabling SSL from all aspects of Splunk and I can't get the forwarder to talk to the indexer at all. I've followed along with both .conf presentations regarding SSL and the Splunk docs > securing Splunk and I can't get it to work.

I can get Splunk Web to work as https using my signed certs. The indexers open the port with my signed certs and enable to the port to be ssl; however, forwarders don't work at all. I get this error:

02-11-2016 15:45:40.789 +0000 ERROR TcpOutputFd - Connection to host=xxx.xx.x.x:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Does anyone have any troubleshooting techniques that can help solve this? Seems like all the questions on here are unanswered and really would like to get over this issue.

Here is my inputs.conf on my local indexer

[SSL]
rootCA = $SPLUNK_HOME/etc/apps/idx_ssl/local/ca-cert.pem
serverCert = $SPLUNK_HOME/etc/apps/idx_ssl/local/server.pem
password = password
# sslVersions = tls
# requireClientCert = true
[splunktcp-ssl:9997]
compressed = true

Here is my outputs.conf on my forwarder

[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = xxx.xx.x.x:9997
sslCertPath = $SPLUNK_HOME/etc/apps/fw_ssl/local/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/fw_ssl/local/ca-cert.pem
sslPassword = password
# sslVerifyServerCert = true
# sslCommonNameToCheck = Splunk

Things that are commented out where also uncommented and same results. Just thought I would include all of what I've tried.

All these values are local development, nothing prod.

chawagon03 · ‎02-11-2016

After beating my head for a few hours, I have solved my issue and thought it would post it on here as well..

When creating the CSR files for the certificates, DON'T USE THE SAME COMMON NAME. This is what I did and read that it will make it fail if they have the same CN. Created the self signing certs again and voila!

View solution in original post

chawagon03 · ‎02-11-2016

After beating my head for a few hours, I have solved my issue and thought it would post it on here as well..

When creating the CSR files for the certificates, DON'T USE THE SAME COMMON NAME. This is what I did and read that it will make it fail if they have the same CN. Created the self signing certs again and voila!

tkmads1 · ‎08-08-2017

Thanks for the post!! we are facing same issue in our environment and this post helped us to find it out..

mdaedalus · ‎05-30-2017

Where is this documented, or where did you read it? Was it a splunk doc, or something from the web? I've beat my head on this for a while. Going to try this fix now. Thanks for this doc at least. 🙂

badrinath_dash · ‎08-23-2016

Thank you !! I had the same problem in my environment and this post helped me to figure out this issue.

lib_systems · ‎07-07-2016

I was getting the same error and realized I was using the same common name in both CSR files. However, at least for my case, it wasn't just that the CNs needed to be different. When creating the CSR for the root CA I needed to leave the CN blank, while when creating the CSR for the server cert I specified the desired CN. This resolved the errors for me.

Trying to configure SSL in Splunk, why is my forwarder reporting "certificate verify failed"?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk