I have a Splunk forwarder forwarding logs to a Splunk server, and the Splunk server is using a Let's Encrypt CA cert. I have tried a couple of directives but they don't seem to work.
Here are my configs:
# outputs.conf on the forwarder. Stanza headers are assumed from defaultGroup = splunkssl.
[tcpout]
useACK = true
indexAndForward = false
defaultGroup = splunkssl
forwardedindex.0.whitelist = modsec
compressed = true

[tcpout:splunkssl]
server = splunkserver.ip.com:9998
clientCert = /opt/splunkforwarder/etc/certs/client.pem
#sslRootCAPath = /opt/splunkforwarder/etc/certs/cacert.pem
sslRootCAPath = /opt/splunkforwarder/etc/certs/letsencryptca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunkserver-alias.ip.com
I found my issue here in the forums, but the response was to disable sslVerifyServerCert, which I cannot do.
Here is the error I get:
05-30-2023 16:19:21.265 -0700 ERROR TcpOutputFd - Connection to host=splunkserver.ip.com:9998 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.