Splunk Enterprise Security

Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true?

vtalanki
Path Finder

Hi All,

I want to enable SSL for Splunk management port(8089) for securing inter-splunk communications. I have below settings in my Cluster Master server.conf

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true

But I see below errors in CM Splunkd.log

ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.

WARN  HttpListener - Socket error from <indexer_ip>:47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

And I see this in my Indexer splunkd.log

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Can anyone help me in understanding why I'm seeing this issue? I have gone thru lot of answers and even the 2015 .conf slides, but do not understand why requireClientCert should be made false.I don't see anyone explaining the reason for this.

I basically want to enable mutual authentication between CM and indexers on management port and hence made requireClientCert = true. Is mutual TLS supported by Splunk on management port? If yes, how should I provide client certs for mTLS?

Thanks in advance

Labels (1)
0 Karma
1 Solution

vtalanki
Path Finder

This issue has been resolved after I have replaced server certs(server only) certs with multi-purpose certs. Posting here for the sake of others

server cert

 $ openssl x509 -noout -in server.pem -purpose
 Certificate purposes:
 SSL client : No
 SSL server : Yes

Multi-purpose cert

 $ openssl x509 -noout -in multi-purpose.pem -purpose
 Certificate purposes:
 SSL client : Yes
 SSL server : Yes

I don't see this documented anywhere.

View solution in original post

cesaccenturefed
Path Finder

thanks for this, looks like i'm running into the issue too. my older cert worked, the new one my cert auth team issued to me looks like it is single purpose

openssl x509 -noout -in testold.pem -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No

vs 

openssl x509 -noout -in test.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No

I have had my CA folks replace my certs and updated my Splunk. it now works. thanks ! 

0 Karma

vtalanki
Path Finder

This issue has been resolved after I have replaced server certs(server only) certs with multi-purpose certs. Posting here for the sake of others

server cert

 $ openssl x509 -noout -in server.pem -purpose
 Certificate purposes:
 SSL client : No
 SSL server : Yes

Multi-purpose cert

 $ openssl x509 -noout -in multi-purpose.pem -purpose
 Certificate purposes:
 SSL client : Yes
 SSL server : Yes

I don't see this documented anywhere.

Hiattech
Explorer

@vtalanki wrote:

This issue has been resolved after I have replaced server certs(server only) certs with multi-purpose certs. Posting here for the sake of others

Multi-purpose cert

 $ openssl x509 -noout -in multi-purpose.pem -purpose
 Certificate purposes:
 SSL client : Yes
 SSL server : Yes

 


Also running into this issue but I'm unclear as to how to make an SSL cert for Client AND Server. We generally create a request on the Linux server, then copy that into our CA server with our Linux template and it spits out a certificate. Is it something in our template we need to change to update that? Or is it in the request somehow?

Tags (2)
0 Karma

MCH2018
Explorer

Hello @vtalanki,

I got the same issue, what do you mean by mutli-purpose cert ? If I understand I need a certificat that is both server and client but how do you generate this certificat ?

Thanks for your help.

0 Karma
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...