Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are there Splunk SSL Errors when setting sslVerifyServerCert to true?

efheem
Explorer
‎09-11-2023 04:04 AM

Hello,

 

When I enable  sslVerifyServerCert  in server.conf under [sslConfig], I am seeing the following errors. From where does it understands that there is an IP address mismatch? If it trying to resolve the CN mentioned in the certificate?

 

 

09-11-2023 11:40:01.284 +0300 WARN  X509Verify [1034989 TcpChannelThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:01.285 +0300 WARN  X509Verify [1034990 TcpChannelThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:01.286 +0300 WARN  X509Verify [1034986 TcpChannelThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:03.998 +0300 WARN  X509Verify [1034777 DistHealthReporter] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:03.998 +0300 WARN  X509Verify [1034786 DistributedPeerMonitorThread] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"
09-11-2023 11:40:04.005 +0300 WARN  X509Verify [1034777 DistHealthReporter] - Server  X509 certificate (CN=searche.test.local,OU=NIL,O=TEST,L=Loc,ST=Sta,C=NIL) failed validation; error=64, reason="IP addrsearche mismatch"

 

 

Cheers.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

efheem
Explorer
‎09-18-2023 04:36 AM

I figured out why this was throwing the error and posting here the solution just in case if it help someone.

I was sure that I did not use any IP's while configuring the instances, however, I just noticed that when I used cluster manager URI in server.conf for searchhead mode, it picked the IP address of peers (default behavior I think) instead of fqdn. The cert SAN did not had IP address in it. To overcome this, I added the below line in server.conf in each cluster peer and it resolved the issue.

[clustering]
register_search_address = FQDN

 

View solution in original post

Reply
Solved! Jump to solution
Solution

efheem
Explorer
‎09-18-2023 04:36 AM

I figured out why this was throwing the error and posting here the solution just in case if it help someone.

I was sure that I did not use any IP's while configuring the instances, however, I just noticed that when I used cluster manager URI in server.conf for searchhead mode, it picked the IP address of peers (default behavior I think) instead of fqdn. The cert SAN did not had IP address in it. To overcome this, I added the below line in server.conf in each cluster peer and it resolved the issue.

[clustering]
register_search_address = FQDN

 

Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top