Splunk Enterprise Security

Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true?

vtalanki
Path Finder

Hi All,

I want to enable SSL for the Splunk management port (8089) to secure inter-Splunk communications. I have the below settings in my Cluster Master server.conf:

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true

But I see below errors in CM Splunkd.log

ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.

WARN  HttpListener - Socket error from <indexer_ip>:47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

And I see this in my Indexer splunkd.log

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Can anyone help me understand why I'm seeing this issue? I have gone through a lot of answers and even the 2015 .conf slides, but do not understand why requireClientCert should be made false. I don't see anyone explaining the reason for this.

I basically want to enable mutual authentication between CM and indexers on management port and hence made requireClientCert = true. Is mutual TLS supported by Splunk on management port? If yes, how should I provide client certs for mTLS?

Thanks in advance


vtalanki
Path Finder

This issue has been resolved after I replaced the server certs (server-only certs) with multi-purpose certs. Posting here for the sake of others.

server cert

 $ openssl x509 -noout -in server.pem -purpose
 Certificate purposes:
 SSL client : No
 SSL server : Yes

Multi-purpose cert

 $ openssl x509 -noout -in multi-purpose.pem -purpose
 Certificate purposes:
 SSL client : Yes
 SSL server : Yes

I don't see this documented anywhere.


cesaccenturefed
Path Finder

Thanks for this, looks like I'm running into the issue too. My older cert worked; the new one my cert auth team issued to me looks like it is single purpose.

openssl x509 -noout -in testold.pem -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No

vs 

openssl x509 -noout -in test.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No

I have had my CA folks replace my certs and updated my Splunk. It now works. Thanks!


Hiattech
Explorer

@vtalanki wrote:

This issue has been resolved after I replaced the server certs (server-only certs) with multi-purpose certs. Posting here for the sake of others.

Multi-purpose cert

 $ openssl x509 -noout -in multi-purpose.pem -purpose
 Certificate purposes:
 SSL client : Yes
 SSL server : Yes

 


Also running into this issue but I'm unclear as to how to make an SSL cert for Client AND Server. We generally create a request on the Linux server, then copy that into our CA server with our Linux template and it spits out a certificate. Is it something in our template we need to change to update that? Or is it in the request somehow?


MCH2018
Explorer

Hello @vtalanki,

I got the same issue. What do you mean by multi-purpose cert? If I understand, I need a certificate that is both server and client, but how do you generate this certificate?

Thanks for your help.
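
Added example, not part of the original thread: the "SSL client" / "SSL server" purposes shown above follow from the certificate's extendedKeyUsage extension, and the script below issues one certificate with `serverAuth` only and one with `serverAuth,clientAuth`, then verifies each in both roles. The CA name, the `example.test` subjects and all file names are constructed for the demo; the `-purpose sslclient` failure on the server-only certificate is OpenSSL's error 26, "unsupported certificate purpose", the same reason reported in the splunkd.log lines in the question.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): every name, key and certificate below
# is constructed for the demo and written to a throwaway directory.
set -eu

make_ca() {      # $1 = work dir; creates a self-signed demo root CA
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=Demo Root CA' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/demo.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/demo.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {   # $1 = work dir, $2 = cert name, $3 = extendedKeyUsage value
  # The EKU is applied at signing time, the role a CA template plays.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' "extendedKeyUsage=$3" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
    -subj "/CN=$2.example.test" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

verify_as() {    # $1 = work dir, $2 = cert name, $3 = sslclient | sslserver
  if openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}

run_demo() {
  local dir; dir=$(mktemp -d)
  make_ca "$dir"
  issue_cert "$dir" server-only serverAuth
  issue_cert "$dir" multi-purpose serverAuth,clientAuth
  for name in server-only multi-purpose; do
    for role in sslserver sslclient; do
      echo "$name as $role: $(verify_as "$dir" "$name" "$role")"
    done
  done
  rm -rf "$dir"
}

run_demo
```

Whether the EKU comes from the request or from the CA's template depends on the issuing CA's policy; running `openssl x509 -noout -in <cert> -purpose` on the issued certificate, as in the posts above, confirms the result.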
