$ /opt/splunk/bin/splunk cmd openssl verify -CAfile ca-chain.pem server-chain-with-key.

Is it correct to have server.pem in both CM and indexers for serverCert? Sorry, really confused.

BTW, here is the output of openssl verify

The chain is built up by looking up the issuer's certificate of the current certificate. It is an error if the whole chain cannot be built up. Firstly a certificate chain is built up starting from the supplied certificate and ending in the root CA.

Tip: you can also include chain certificate by passing chain as. If you need to use a cert with a Java application, or with any other application that accepts only the PKCS12 format, you can use the above command, which will generate a single pfx containing the certificate & key file.

In both instances, nf is something like

Except that requireClientCert = false in indexer nf

The verify operation consists of a number of separate steps.

openssl pkcs12 -export -out sslcert.pfx -inkey key.pem -in sslcert.pem

ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Indexer splunkd.log
WARN SSLCommon - Received fatal SSL3 alert.

Below is what I see

Cluster Master splunkd.log
ERROR X509Verify - X509 certificate (CN=XXXX,OU=XXX.) failed validation error=26, reason="unsupported certificate purpose"

Hello, I have followed this and made requireClientCert = true in CM and restarted splunk.

ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Any ideas about this? Do I need to have a client certificate as well for this? If yes, how should I refer to the client cert (where should I set it)?

And thanks for clarifying on BAD_CERT_DOMAIN.

Indexer splunkd.log
WARN SSLCommon - Received fatal SSL3 alert.
WARN HttpListener - Socket error from :36874 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

In other words, root CA needs to be self signed for verify to work.

cat /etc/certs/cacert.pem subCAwebsites.crt > chain.pem
openssl verify -CAfile chain.pem cups1.crt
cups1.crt: OK

Now, I also want Windows to see these certificates as valid. From verify documentation: If a certificate is found which is its own issuer it is assumed to be the root CA.

ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.

Moreover, if I create a chain the certificate is also OK.

WARN SSLCommon - Received fatal SSL3 alert.

So I made requireClientCert = true, restarted splunkd and I am seeing the errors/warnings below

Cluster master splunkd.log
ERROR X509Verify - X509 certificate (CN=XXXXXX) failed validation error=26, reason="unsupported certificate purpose"

However, going to production, we do want to enable certificate verification to happen on management port 8089. And it seems like the requireClientCert = false config in nf is equivalent to the -k switch (correct me if I'm wrong). I checked with the -k switch and it gave me the required output.