Hi All,
I want to enable SSL for the Splunk management port (8089) to secure inter-Splunk communications. I have the below settings in my Cluster Master server.conf:
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true
But I see the below errors in the CM splunkd.log:
ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN HttpListener - Socket error from <indexer_ip>:47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
And I see this in my indexer splunkd.log:
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.
Can anyone help me understand why I'm seeing this issue? I have gone through a lot of answers and even the 2015 .conf slides, but do not understand why requireClientCert should be made false. I don't see anyone explaining the reason for this.
I basically want to enable mutual authentication between CM and indexers on management port and hence made requireClientCert = true. Is mutual TLS supported by Splunk on management port? If yes, how should I provide client certs for mTLS?
Thanks in advance
This issue was resolved after I replaced the server certs (server only) with multi-purpose certs. Posting here for the sake of others.
server cert
$ openssl x509 -noout -in server.pem -purpose
Certificate purposes:
SSL client : No
SSL server : Yes
Multi-purpose cert
$ openssl x509 -noout -in multi-purpose.pem -purpose
Certificate purposes:
SSL client : Yes
SSL server : Yes
I don't see this documented anywhere.
Thanks for this, looks like I'm running into the issue too. My older cert worked; the new one my cert auth team issued to me looks like it is single purpose.
openssl x509 -noout -in testold.pem -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
vs
openssl x509 -noout -in test.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
I have had my CA folks replace my certs and updated my Splunk. It now works. Thanks!
@vtalanki wrote: This issue was resolved after I replaced the server certs (server only) with multi-purpose certs. Posting here for the sake of others.
Multi-purpose cert
$ openssl x509 -noout -in multi-purpose.pem -purpose
Certificate purposes:
SSL client : Yes
SSL server : Yes
Also running into this issue but I'm unclear as to how to make an SSL cert for Client AND Server. We generally create a request on the Linux server, then copy that into our CA server with our Linux template and it spits out a certificate. Is it something in our template we need to change to update that? Or is it in the request somehow?
Hello @vtalanki,
I got the same issue. What do you mean by multi-purpose cert? If I understand, I need a certificate that is both server and client, but how do you generate this certificate?
Thanks for your help.
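On the follow-up questions about what makes a certificate "multi-purpose": the following is an added example, not code from any poster in this thread or from Splunk. It builds two throwaway self-signed certificates whose only difference is the extendedKeyUsage value and runs the same `openssl x509 -purpose` check shown above on both. The file names, the CN and the helper function names are constructed for the demonstration, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example. File names and the CN are constructed for the demo.

# Summarise the two purposes that matter for mTLS from `openssl x509 -purpose`.
cert_purposes() {
    openssl x509 -noout -purpose -in "$1" | awk -F' : ' '
        $1 == "SSL client" { c = $2 }
        $1 == "SSL server" { s = $2 }
        END { printf "client=%s server=%s\n", c, s }'
}

# Succeed only if the certificate may act as both TLS client and TLS server.
is_mtls_capable() {
    [ "$(cert_purposes "$1")" = "client=Yes server=Yes" ]
}

# Create a throwaway self-signed cert (test input only).
# $1 = output path prefix, $2 = extendedKeyUsage value.
# For a CSR the same [ext] section is referenced via req_extensions instead;
# the issuing CA still decides which extensions it actually signs.
make_test_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = splunk-test.example
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_test_cert "$dir/server-only" "serverAuth"
    make_test_cert "$dir/multi" "serverAuth,clientAuth"
    for f in "$dir/server-only.pem" "$dir/multi.pem"; do
        printf '%s: %s\n' "$(basename "$f")" "$(cert_purposes "$f")"
    done
    rm -rf "$dir"
}

demo
```

Running `is_mtls_capable` against each certificate on the cluster master and the indexers before setting requireClientCert = true shows in advance which ones would be rejected as client certificates.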