So I'm trying to simulate enabling SSL from all aspects of Splunk and I can't get the forwarder to talk to the indexer at all. I've followed along with both .conf presentations regarding SSL and the Splunk docs > securing Splunk and I can't get it to work.
I can get Splunk Web to work as https using my signed certs. The indexers open the port with my signed certs and enable the port to be SSL; however, forwarders don't work at all. I get this error:
02-11-2016 15:45:40.789 +0000 ERROR TcpOutputFd - Connection to host=172.18.0.3:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Does anyone have any troubleshooting techniques that can help solve this? Seems like all the questions on here are unanswered and really would like to get over this issue.
Here is my inputs.conf on my local indexer
[SSL]
rootCA = $SPLUNK_HOME/etc/apps/idx_ssl/local/ca-cert.pem
serverCert = $SPLUNK_HOME/etc/apps/idx_ssl/local/server.pem
password = password
# sslVersions = tls
# requireClientCert = true
[splunktcp-ssl:9997]
compressed = true
Here is my outputs.conf on my forwarder
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 172.18.0.3:9997
sslCertPath = $SPLUNK_HOME/etc/apps/fw_ssl/local/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/fw_ssl/local/ca-cert.pem
sslPassword = password
# sslVerifyServerCert = true
# sslCommonNameToCheck = Splunk
Things that are commented out were also uncommented, with the same results. Just thought I would include all of what I've tried.
All these values are local development, nothing prod.
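
The `certificate verify failed` error in the log above is produced on the forwarder when it cannot validate the certificate the indexer presents against its own CA file. The script below is an added example, not part of the original post: it uses `openssl verify` to test whether a server certificate chains to a given CA file, and demonstrates both outcomes with constructed throwaway certificates. The function names and test certificate names are hypothetical, and it assumes an OpenSSL version whose `verify` command exits non-zero on failure (1.1.0 or later).

```shell
#!/bin/sh
# Added example (not from the original post). All certificates below are
# constructed throwaway test material generated into a temp directory.

# chain_ok CA_FILE CERT_FILE: exit 0 only if the first certificate in
# CERT_FILE verifies against the CA(s) in CA_FILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed test CA -> DIR/NAME.pem and DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA_NAME LEAF_NAME: test server cert signed by DIR/CA_NAME
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# describe CA_FILE CERT_FILE: print "OK" or "MISMATCH" for the pair
describe() {
    if chain_ok "$1" "$2"; then echo "OK"; else echo "MISMATCH"; fi
}

# demo: an indexer cert signed by one CA, checked against that CA and
# against an unrelated CA that did not sign it.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" indexer-ca && make_ca "$d" other-ca &&
        make_leaf "$d" indexer-ca indexer || { rm -rf "$d"; return 1; }
    echo "same CA:      $(describe "$d/indexer-ca.pem" "$d/indexer.pem")"
    echo "different CA: $(describe "$d/other-ca.pem" "$d/indexer.pem")"
    rm -rf "$d"
}

demo
```

Applied to the files in the post, the equivalent check is `chain_ok` with the forwarder's `ca-cert.pem` as the first argument and the indexer's `server.pem` as the second.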