Splunk Enterprise Security

How to get multiple issues when enabling ssl on Splunk web with 3rd party certs with requiredClientCert = true?

vtalanki
Path Finder

Hi All,

I want enable mTLS in splunk cluster on all the communication channels. I have peer certificate that works as both server and client.
Enabling ssl is successful when I set

requiredClientCert = false

in web.conf. However when I make requiredClientCert = true I am getting below errors

ERROR X509Verify - X509 certificate (CN=myCompanyCN) failed validation; error=19, reason="self signed certificate in certificate chain"
WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unknown CA'.
WARN  HttpListener - Socket error from 127.0.0.1:60580 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

Here are my conf files

server.conf

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/peer-chain-with-key.pem <=== contains peer cert, key, intermediate certs, root CA cert in this order
caCertFile = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true

web.conf

# Securing splunk web
enableSplunkWebSSL = true
privKeyPath = etc/auth/mycerts/peer-key.pem
serverCert = etc/auth/mycerts/peer-chain-cert-without-key.pem <==== contains peer cert, int certs & root CA cert in this order
sslVersions = tls1.2
requireClientCert = true

Any help please

Labels (1)
0 Karma
1 Solution

vtalanki
Path Finder

This issue has been resolved when I use sslRootCAPath in web.conf instead of caCertFile

View solution in original post

Suirand1
Explorer

I suppose you wanted to say in "server.conf" instead of "web.conf". I do get these errors even after configurig sslRootCAPath  in server.conf

0 Karma

mustapha_arakji
Splunk Employee
Splunk Employee

https://docs.splunk.com/Documentation/Splunk/9.0.0/admin/Webconf

sslRootCAPath = <path>
* The path to a root certificate authority (CA) certificate, in privacy-enhanced
  mail (PEM) format, that splunkd is to use to authenticate client certificates
  under certain specific conditions.
* Splunkd uses the certificate specified at the path defined in this setting only
  when both 'requireClientCert' and 'enableCertBasedUserAuth' have a value of "true".
* If this setting has no value, splunkd falls back to the value of the 'sslRootCAPath'
  setting in server.conf.
* If you have already configured 'sslRootCAPath' in server.conf, the value of this
  setting does not override the setting of the same name in server.conf.
* No default.

 

0 Karma

vtalanki
Path Finder

This issue has been resolved when I use sslRootCAPath in web.conf instead of caCertFile

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...