Splunk Enterprise Security

Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true?

vtalanki
Path Finder

Hi All,

I want to enable SSL for the Splunk management port (8089) to secure inter-Splunk communications. I have the settings below in my Cluster Master server.conf:

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true

But I see the errors below in the CM splunkd.log:

ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.

WARN  HttpListener - Socket error from <indexer_ip>:47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

And I see this in my indexer's splunkd.log:

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Can anyone help me understand why I'm seeing this issue? I have gone through a lot of answers and even the 2015 .conf slides, but I do not understand why requireClientCert should be made false. I don't see anyone explaining the reason for this.

I basically want to enable mutual authentication between the CM and the indexers on the management port, and hence set requireClientCert = true. Is mutual TLS supported by Splunk on the management port? If yes, how should I provide client certs for mTLS?

Thanks in advance


vtalanki
Path Finder

This issue was resolved after I replaced the server certs (server-only) with multi-purpose certs. Posting here for the sake of others.

server cert

 $ openssl x509 -noout -in server.pem -purpose
 Certificate purposes:
 SSL client : No
 SSL server : Yes

Multi-purpose cert

 $ openssl x509 -noout -in multi-purpose.pem -purpose
 Certificate purposes:
 SSL client : Yes
 SSL server : Yes

I don't see this documented anywhere.


cesaccenturefed
Path Finder

Thanks for this, looks like I'm running into the issue too. My older cert worked; the new one my cert auth team issued to me looks like it is single purpose.

openssl x509 -noout -in testold.pem -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No

vs 

openssl x509 -noout -in test.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No

I have had my CA folks replace my certs and updated my Splunk. It now works. Thanks!


MCH2018
Explorer

Hello @vtalanki,

I got the same issue. What do you mean by multi-purpose cert? If I understand correctly, I need a certificate that is both server and client, but how do you generate this certificate?

Thanks for your help.

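An added example (not posted by anyone in this thread) for the question above about obtaining a certificate that is both server and client: it issues one certificate with extendedKeyUsage serverAuth only and one with serverAuth,clientAuth, then runs the purpose check that requireClientCert = true triggers on the receiving side. The throwaway lab CA, the `*.lab.example` names and the file paths are constructed for illustration; for production, ask your own CA for a certificate with both extendedKeyUsage values.

```bash
#!/usr/bin/env bash
# Added example: constructed lab CA and certs; all names and paths are hypothetical.
set -eu
LAB=$(mktemp -d)

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$LAB/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Lab Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throwaway CA, valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$LAB/ca.cnf" \
  -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null

# issue NAME EKU: sign a leaf certificate carrying the given extendedKeyUsage.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/ca.cnf" \
    -subj "/CN=$1.lab.example" -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage = %s\n' "$2" > "$LAB/$1.ext"
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 1 -extfile "$LAB/$1.ext" -out "$LAB/$1.pem" 2>/dev/null
}

# verify_as PURPOSE NAME: chain check plus purpose check (sslclient or sslserver).
verify_as() {
  openssl verify -purpose "$1" -CAfile "$LAB/ca.pem" "$LAB/$2.pem" 2>&1
}

issue server-only serverAuth
issue multi-purpose serverAuth,clientAuth

for cert in server-only multi-purpose; do
  for purpose in sslserver sslclient; do
    if verify_as "$purpose" "$cert" >/dev/null; then r=OK; else r=FAIL; fi
    echo "$cert as $purpose: $r"
  done
done
```

The server-only certificate fails only the sslclient check, with verification error 26, the same code as in the X509Verify log line in the question.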