Environment: Single Splunk 7.3.9 search head / indexer with FIPS_MODE=1

etc/system/local/server.conf

    [sslConfig]
    sslRootCAPath = $SPLUNK_HOME\etc\auth\mycerts\consolidatedCA.pem

    [kvstore]
    serverCert = mycerts\kvstore_consolidated.pem
    sslPassword = <password_for_private_key>

The "kvstore_consolidated.pem" contains my private key and the server cert.

Issue: kvstore fails to start. (log below from splunkd.log)

    07-19-2021 11:06:35.763 -0400 ERROR KVStoreConfigurationProvider - Could not get ping from mongod.
    07-19-2021 11:06:35.763 -0400 ERROR KVStoreConfigurationProvider - Could not start mongo instance. Initialization failed.
    07-19-2021 11:06:35.763 -0400 ERROR KVStoreBulletinBoardManager - KV Store changed status to failed. Failed to start KV Store process. See mongod.log and splunkd.log for details..
    07-19-2021 11:06:35.763 -0400 ERROR KVStoreBulletinBoardManager - Failed to start KV Store process. See mongod.log and splunkd.log for details.

mongod.log

    2021-07-15T14:36:03.080Z E NETWORK [conn941] SSL peer certificate validation failed: unsupported certificate purpose
    2021-07-15T14:36:03.080Z I NETWORK [conn941] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 127.0.0.1:52128 (connection id: 941)

So it seems like the server is trying to make loopback requests and trying to act as both the server and the client in SSL comms. In reading this (while it's not the same issue), the suggestion is to have the CA sign the CSR so it's both client and server. Before I go down this road (the CA I am using does not seem to support this; it can only sign as either "user" or "server"), I just want to see if anyone else has run into this? I also tried the server.conf settings in this article, but with the same results: https://splunkcommunity.com/wp-content/uploads/2019/11/FIPSConf_Final.pdf
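As an added diagnostic (not code from the original post or from Splunk), the following shell check inspects a PEM certificate's Extended Key Usage for both TLS server and TLS client authentication, which is what a certificate needs when mongod presents it on a loopback connection as both sides of the handshake. It assumes the openssl CLI is on PATH; the file names, subject and throwaway certificates it creates are constructed for the example.

```shell
#!/bin/sh
# Added example: verify a KV Store (mongod) certificate carries both the
# serverAuth and clientAuth Extended Key Usage values. mongod talks to itself
# over loopback, so the same cert is validated as a server AND as a client;
# a cert signed for "server" only fails with "unsupported certificate purpose".
# Assumes the openssl CLI is available. Paths below are constructed examples.

# Print the EKU values of a cert with spaces removed (empty if no EKU extension).
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | tail -n 1 | tr -d ' '
}

# Return 0 when the cert is usable as both TLS server and TLS client.
check_kvstore_cert() {
    eku=$(cert_eku "$1")
    case "$eku" in
        *TLSWebServerAuthentication*TLSWebClientAuthentication*|*TLSWebClientAuthentication*TLSWebServerAuthentication*)
            echo "OK: $1 carries serverAuth and clientAuth"
            return 0 ;;
        *)
            echo "FAIL: $1 EKU is '${eku:-<none>}'; mongod needs serverAuth AND clientAuth"
            return 1 ;;
    esac
}

# Create a self-signed test cert with the given EKU list (constructed, not a
# production certificate). Usage: make_test_cert <out.pem> <eku list>
make_test_cert() {
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=kvstore-test\n[ext]\nextendedKeyUsage=%s\n' "$2" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
    rm -f "$cfg"
}

# Demonstration on two constructed certs: one signed for server use only
# (reproduces the failing case), one for both purposes.
make_test_cert /tmp/kv_server_only.pem serverAuth
make_test_cert /tmp/kv_both.pem serverAuth,clientAuth
check_kvstore_cert /tmp/kv_server_only.pem || true   # expected: FAIL
check_kvstore_cert /tmp/kv_both.pem                   # expected: OK
```

Run it against the real `kvstore_consolidated.pem` (the CA-signed cert, not the private key) to confirm what purposes the CA actually issued before re-signing the CSR.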