The only way I was able to resolve the 500 error was to replace the certificate files (cert.pem and privkey.pem) in the $SPLUNK_HOME/etc/auth/splunkweb with my custom cert that is trusted by Splunk. Another behavior to note is that when I enabled client certificate requirements for Splunk in server.conf, it also required the forwarders to check in initially to the deployment server with a client certificate (port 8089), which is an extra step on install, but expected behavior. EDIT: For this to work the certificate used must also have the Client Authentication extended key usage (EKU) attribute. ... View more

Upon investigating the underlying Python code for the search peer check I found that these settings need to be set in server.conf: [sslConfig] requireClientCert = True verifyServerCert = True Here is the search to check those specific settings from the GUI: | rest /services/configs/conf-server/sslConfig | table requireClientCert, verifyServerCert Both of these values should exist and be set to 1 for the check to pass. Interestingly, I cannot find "verifyServerCert" referenced in any documentation. Wondering if this is a bug in the check itself and the developer actually meant "sslVerifyServerCert". While these settings are what is required by the check, it will not make the check pass. This is due the utility library used by the Upgrade Readiness App not supporting client certificate authentication. When running with what should be passing settings, entries in logs similar to the following are found like @triptraptresko posted: 09-09-2022 08:00:06.093 +0000 WARN SSLCommon [10232 HttpDedicatedIoThread-7] - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'. 09-09-2022 08:00:06.093 +0000 WARN HttpListener [10232 HttpDedicatedIoThread-7] - Socket error from 127.0.0.1:36446 while idling: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate This problem exists in at least version 9.0.3 (appears to be the latest version of the app as shipped with Splunk Enterprise 9.0.1) of the app. I don't have any other data to support it existing in other versions, but presume that it exists in the versions prior to 9.0.3 as well. For a temporary workaround, the utility can be patched to support client certificate authentication with the following modifications to the "get_connection_object" method (line 721 for me) in the etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_utils.py file: def get_connection_object(session_key, owner=None): """ Create a new connection object for oneshot. :param session_key: Session key of the logged in user. :return: oneshot connection object. """ logging.info("Creating a new connection object for oneshot.") try: args = {"token": session_key} if owner: args["owner"] = owner # begin fix for client cert auth args["key_file"] = "<path to key file>" args["cert_file"] = "<path to cert file>" # end fix for client cert auth service = client.connect(**args) return service except Exception as e: logging.exception(str(e)) return None Restart Splunk after the code update, and the app should be able to perform the checks successfully without the peer certificate errors. Both the occurrence of "verifyServerCert" in the check and unsupported client certificate authentication seem like bugs to me, so I'm going to try to report them appropriately. ... View more

Thanks for that catch. We are running in FIPS mode, which requires it to be set according to the docs. ... View more

I've got the same issue as well on 9.0.1. I was able to figure out a workaround for the Splunk Web GUI not loading (500 error) though. Turns out there is still something configured to use the certs in etc/auth/splunkweb even though the configs in web.conf and server.conf clearly point to different certificates. To get the GUI to work with "requireClientCert = True" in server.conf, I had to copy my Splunk Web certificate and key to the files in etc/auth/splunkweb. The certificate supports both client and server authentication, so I presume that's the only reason it worked. This allowed the GUI to load, but still has not fixed the issues found by the Upgrade Readiness App. Were you able to find a solution for the Mongo one? ... View more