Splunk Enterprise

Why are there Splunk SSL Errors when setting sslVerifyServerCert to true?

efheem
Explorer

Hello,

When I enable sslVerifyServerCert in server.conf under [sslConfig], I am seeing the following errors. From where does it understand that there is an IP address mismatch? Is it trying to resolve the CN mentioned in the certificate?

09-11-2023 11:40:01.284 +0300 WARN  X509Verify [1034989 TcpChannelThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:01.285 +0300 WARN  X509Verify [1034990 TcpChannelThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:01.286 +0300 WARN  X509Verify [1034986 TcpChannelThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:03.998 +0300 WARN  X509Verify [1034777 DistHealthReporter] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:03.998 +0300 WARN  X509Verify [1034786 DistributedPeerMonitorThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:04.005 +0300 WARN  X509Verify [1034777 DistHealthReporter] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"

Cheers.

efheem
Explorer

I figured out why this was throwing the error and am posting the solution here in case it helps someone.

I was sure that I did not use any IPs while configuring the instances; however, I just noticed that when I used the cluster manager URI in server.conf for search head mode, it picked the IP address of the peers (default behavior, I think) instead of the FQDN. The cert SAN did not have an IP address in it. To overcome this, I added the line below to server.conf on each cluster peer and it resolved the issue.

[clustering]
register_search_address = FQDN

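As an added example (not code from the thread or from Splunk), the checker below applies the OpenSSL identity-matching rules behind these warnings to a certificate in the dict shape Python's ssl.getpeercert() returns: an IP literal is compared only with IP Address SAN entries, never with the CN, so a cert carrying CN and DNS SAN searche.test.local but no IP SAN fails with "IP address mismatch" (OpenSSL verify error 64) when a peer is reached by IP, and passes once the peer is addressed by its FQDN. The certificate dict and the 10.0.0.5 address are constructed for the demonstration.

```python
import ipaddress

# Constructed certificate in the dict shape ssl.getpeercert() returns. It mirrors the
# cert in the question: CN=searche.test.local with a DNS SAN only and no IP SAN.
PEER_CERT = {
    "subject": ((("commonName", "searche.test.local"),), (("organizationName", "TEST"),)),
    "subjectAltName": (("DNS", "searche.test.local"),),
}

def _dns_match(pattern, hostname):
    """RFC 6125 style match: exact, or a wildcard that is the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = hostname.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == hostname

def verify_peer_identity(cert, target):
    """Return (ok, reason) for a certificate presented by a peer reached at `target`.

    An IP literal is matched only against 'IP Address' SAN entries (the CN is never
    consulted). A host name is matched against DNS SAN entries, falling back to the
    subject CN only when the certificate has no DNS SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        ip_sans = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
        if ip in ip_sans:
            return True, "IP address matched SAN"
        return False, "IP address mismatch"  # OpenSSL X509_V_ERR_IP_ADDRESS_MISMATCH (64)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        if any(_dns_match(p, target) for p in dns_sans):
            return True, "hostname matched DNS SAN"
        return False, "hostname mismatch"  # OpenSSL X509_V_ERR_HOSTNAME_MISMATCH (62)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, target) for cn in cns):
        return True, "hostname matched subject CN (no DNS SAN present)"
    return False, "hostname mismatch"

if __name__ == "__main__":
    # A peer registered by IP (what the search head used before the fix) vs. by FQDN.
    for target in ("10.0.0.5", "searche.test.local"):
        ok, why = verify_peer_identity(PEER_CERT, target)
        print(f"{target:>20}: {'OK' if ok else 'FAIL'} ({why})")
```

Run it against the SAN entries of your own peer certificates (openssl x509 -noout -ext subjectAltName) to confirm that every address the search head uses to reach a peer, IP or name, is actually covered before turning on sslVerifyServerCert.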