I've set up a dev 9.2 Splunk environment. And I'm trying to use a self-signed cert to secure forwarding. But every time I attempt to connect the UF to the Indexing server it fails -_-

I've tried a lot of permutations of the below. All ultimately ending with the forwarder unable to connect to the indexing server. I've made sure permissions are set to 6000 for cert and key. Made sure the Forwarder and Indexer have separate common names. And created multiple cert types. But I'm at a bit of a loss as to what I need to do to get the forwarder and indexer to connect over a self-signed certificate.

Any help is incredibly appreciated. Below is some of what I've attempted. Trying to not make this post multiple pages long X)

Simple TLS Configuration

Generating Indexer Certs:

openssl genrsa -out indexer.key 2048
openssl req -new -x509 -key indexer.key -out indexer.pem -days 1095 -sha256
cat indexer.pem indexer.key > indexer_combined.pem

Note: I keep reading that the cert and key need to be 1 file. But I'm not sure on this.

Generating Forwarder Certs:

openssl genrsa -out forwarder.key 2048
openssl req -new -x509 -key forwarder.key -out forwarder.pem -days 1095 -sha256
cat forwarder.pem forwarder.key > forwarder_combined.pem

Indexer Configuration:

[SSL]
serverCert = /opt/tls/indexer_combined.pem
sslPassword = random_string
requireClientCert = false
[splunktcp-ssl:9997]
compressed = true

Outcome: Indexer listens on port 9997 for encrypted communications.

Forwarder Configuration

[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 192.168.110.178:9997
compressed = true
[tcpout-server://192.168.110.178:9997]
sslCertPath =/opt/tls/forwarder_combined.pem
sslPassword = random_string
sslVerifyServerCert = false

Outcome: Forwarder fails to communicate with Indexer

Logs from Forwarder:

ERROR TcpInputProc [27440 FwdDataReceiverThread] - Error encountered for connection from src=192.168.110.26:33522. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Testing with openssl s_client:

Command: openssl s_client -connect 192.168.110.178:9997 -cert forwarder_combined.pem -key forwarder.key

Output: Unknown CA (I didn't write the exact message in my notes, but it generally says the CA is unknown.)

Note: Not sure if I need to add sslVersions = tls1.2, but that seems outside of the scope of the issue.

Troubleshooting connect, running openssl s_client raw:

Command: openssl s_client -connect 192.168.110.178:9997

Output received:

CONNECTED(00000003)
Can't use SSL_get_servername

Full s_client message is here: https://pastebin.com/z9gt7bhz

Further Troubleshooting

Added Indexer's self-signed certificate to forwarder

...
sslPassword = random_string
sslVerifyServerCert = true
sslRootCAPath = /opt/tls/indexer_combined.pem

Outcome: same error message.

Testing with s_client:

Command: openssl s_client -connect 192.168.110.178:9997 -CAfile indexer_combined.pem

Connecting to 192.168.110.178
CONNECTED(00000003)
Can't use SSL_get_servername

Full s_client message is here: https://pastebin.com/BcDvJ2Fs
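
An added example, not part of the original post: a POSIX shell check that lists what a PEM file contains before it is referenced from serverCert, sslCertPath or sslRootCAPath, as in the configurations above. The function names, the role names `identity` and `trust`, and the sample file bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what a PEM file holds before a Splunk TLS setting
# points at it. Only the PEM labels are read; no openssl binary is needed.

# pem_blocks FILE -> one block label per line, in file order
pem_blocks() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# key_state FILE -> none | encrypted | unencrypted
key_state() {
    if ! grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$1"; then echo none
    elif grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' \
                 -e '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
    else echo unencrypted; fi
}

# check_role ROLE FILE, where ROLE is "identity" (a serverCert / sslCertPath
# style file) or "trust" (an sslRootCAPath style file). Prints findings.
check_role() {
    certs=$(pem_blocks "$2" | grep -c '^CERTIFICATE$' || true)
    state=$(key_state "$2")
    [ "$certs" -ge 1 ] || echo "FINDING: $2 holds no certificate"
    case $1 in
    identity)
        [ "$state" != none ] || echo "FINDING: $2 holds no private key"
        [ "$state" != unencrypted ] ||
            echo "NOTE: key in $2 is not passphrase-protected" ;;
    trust)
        [ "$state" = none ] ||
            echo "FINDING: $2 exposes a private key; a trust file needs certificates only" ;;
    esac
    return 0
}

# make_samples DIR: constructed stand-ins for the files in the post. The
# bodies are placeholders, not real key material.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/indexer.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/indexer.key"
    cat "$1/indexer.pem" "$1/indexer.key" > "$1/indexer_combined.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_role identity "$demo_dir/indexer_combined.pem"
check_role trust "$demo_dir/indexer_combined.pem"   # as in the sslRootCAPath attempt
check_role trust "$demo_dir/indexer.pem"            # certificate only: no output
rm -rf "$demo_dir"
```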