We've configured SSL forwarding using indexer discovery successfully, but unfortunately some old Server 2008 SP2 boxes have come out of the woodwork and the highest version of the forwarder we can install is 6.3.8.
I'm trying to create a non-indexer-discovery-based app which still has SSL forwarding enabled, but I'm hitting the following error.
10-31-2016 15:14:56.981 +0000 ERROR TcpOutputFd - Connection to host=***:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
We're using the same certs, password etc. in the non-indexer-discovery app that we use in the app that does use indexer discovery.
Inputs.conf on the indexers looks like this.
[default]
host = ***
[splunktcp-ssl:9997]
disabled = 0
compressed = true
[SSL]
disabled = 0
password = ***
requireClientCert = false
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/***.pem
Outputs.conf on the forwarder looks like this.
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
server = ***:9997,***:9997,***:9997,***:9997,***:9997,***:9997
compressed = true
sslCertPath = $SPLUNK_HOME/etc/apps/***/certs/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/***/certs/cacert.pem
sslVerifyServerCert = false
sslPassword = ***
Two questions arise from this. Why is the client trying to check the server cert when sslVerifyServerCert is set to false? And why is this working OK when using indexer discovery compared with this more basic configuration?
Fingers crossed someone spots a typo in my config :)