Splunk Enterprise Security

Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true

Path Finder

Hi All,

I want to enable SSL for the Splunk management port (8089) to secure inter-Splunk communications. I have the settings below in my Cluster Master server.conf:

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true

But I see the errors below in the CM splunkd.log:

ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.

WARN  HttpListener - Socket error from <indexer_ip>:47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

And I see this in my indexer splunkd.log:

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Can anyone help me understand why I'm seeing this issue? I have gone through a lot of answers and even the 2015 .conf slides, but I do not understand why requireClientCert should be set to false. I don't see anyone explaining the reason for this.

I basically want to enable mutual authentication between the CM and the indexers on the management port, and hence set requireClientCert = true. Is mutual TLS supported by Splunk on the management port? If yes, how should I provide client certs for mTLS?

Thanks in advance

0 Karma
1 Solution

Path Finder

This issue has been resolved after I replaced the server-only certs with multi-purpose certs. Posting here for the sake of others.

server cert

 $ openssl x509 -noout -in server.pem -purpose
 Certificate purposes:
 SSL client : No
 SSL server : Yes

Multi-purpose cert

 $ openssl x509 -noout -in multi-purpose.pem -purpose
 Certificate purposes:
 SSL client : Yes
 SSL server : Yes

I don't see this documented anywhere.

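The check that resolves the thread above, as an added example that is not part of the original answer: before turning on requireClientCert, verify that every node's serverCert carries both the "SSL client" and "SSL server" purposes, because with mutual TLS each Splunk instance presents the same certificate as a TLS server and as a TLS client. The script assumes only that the openssl CLI (1.1.1 or later, for the -addext option used by the test-cert helper) is on PATH; the certificate file names and the make_test_cert helper are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): verify that a PEM certificate
# carries both purposes a Splunk node needs when it acts as TLS server *and*
# TLS client with requireClientCert = true. Assumes the openssl CLI is on PATH.
set -u

# Print the openssl purpose table and return 0 only if both
# "SSL client : Yes" and "SSL server : Yes" are present.
check_mtls_purposes() {
  cert="$1"
  purposes=$(openssl x509 -noout -in "$cert" -purpose) || return 2
  # grep -c prints 0 on no match; "|| true" keeps the exit status clean
  client=$(printf '%s\n' "$purposes" | grep -c '^SSL client *: Yes' || true)
  server=$(printf '%s\n' "$purposes" | grep -c '^SSL server *: Yes' || true)
  if [ "$client" -eq 1 ] && [ "$server" -eq 1 ]; then
    echo "$cert: OK, usable as TLS client and TLS server (mutual TLS)"
    return 0
  fi
  echo "$cert: NOT usable for mutual TLS (client=$client server=$server)"
  return 1
}

# Hypothetical helper for trying the check offline: create a self-signed
# certificate whose extendedKeyUsage is the given list, e.g. "serverAuth"
# (server-only, the failing case in the thread) or "serverAuth,clientAuth".
make_test_cert() {
  out="$1"; eku="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=constructed-test-cert-$$/O=example" \
    -addext "extendedKeyUsage = $eku" \
    -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Usage: ./check_cert.sh $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
if [ -n "${1:-}" ]; then
  check_mtls_purposes "$1"
fi
```

Run it against the serverCert of every cluster member (CM, indexers, search heads) before enabling requireClientCert; a server-only certificate, the kind the thread's "unsupported certificate purpose" error comes from, fails the check with client=0.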

Path Finder

Thanks for this, looks like I'm running into the issue too. My older cert worked; the new one my cert auth team issued to me looks like it is single-purpose.

openssl x509 -noout -in testold.pem -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No

vs 

openssl x509 -noout -in test.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No

I have had my CA folks replace my certs and updated my Splunk. It now works. Thanks!

0 Karma
