
Integrated Cyber Defense Exchange (ICDx) Splunk forwarder module fails due to certificate validation errors


Article ID: 200331


Updated On:


Integrated Cyber Defense Exchange ICDx


The ICDx Splunk forwarder is configured to use and verify SSL (TLS). When you try to start the ICDx Splunk forwarder, it does not start and errors appear in the forwarder logs.

Errors similar to the following are listed in the forwarder logs:

2020-09-23 12:43:15,955 [Splunk] WARN -Send to Splunk 1, 100 event(s), 296830 bytes (uncompressed) attempt 1 - PKIX path building failed: unable to find valid certification path to requested target

2020-09-23 12:43:15,957 [Splunk] WARN - SSL handshake problem. The Splunk server's certificate cannot be validated against to the certificate supplied in the SSL Certificate Path. Try changing the supplied certificate, or replacing the SSL certificates in Splunk, or disabling SSL verification.

Double-check settings:

    * Use SSL: true

    * Use SSL Verification: false

      (ignored because SSL Certificate Path is supplied)

    * SSL Certificate Path: /path/to/splunk_cert.pem

    * Use Hostname Verification: false

      (only applies when using SSL Certificate Path)

    * Host: ###.###.###.###

    * Port: 8088

    * Token: ****

    * Index not specified

    * Source Type not specified

    * Use Proxy: false

Here, "/path/to/splunk_cert.pem" is the value of the "SSL Certificate Path" setting.


The issue occurs when the certificate found in the "SSL Certificate Path" configuration does not match the certificate used by the Splunk service.


Release : 1.4.1

Component : Splunk forwarder


To resolve this issue, ensure that the certificate found in the "SSL Certificate Path" is the same as the one used by Splunk, or that nothing in the network path, such as a firewall or network device doing TLS deep inspection, is interfering with certificate validation.
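
One way to check both conditions is to compare SHA-256 fingerprints of the certificate file and of the certificate actually presented on the Splunk port. This is an added example, not part of the original article or of ICDx; the function names and the host `splunk.example.internal` are assumptions, and the sample certificates are constructed stand-ins.

```python
import hashlib
import re
import ssl

# One PEM file may hold several certificates (for example a chain).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM string."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)]


def diagnose(pinned_pem, served_pem):
    """Compare the SSL Certificate Path file with the certificate presented."""
    pinned = fingerprints(pinned_pem)
    served = fingerprints(served_pem)
    if not pinned:
        return "no-certificate-in-file"
    if not served:
        return "no-certificate-served"
    # The first served certificate is the server's own (leaf) certificate.
    return "match" if served[0] in pinned else "mismatch"


def check_live(cert_path, host, port=8088):
    """Fetch what this machine sees on the Splunk port, without validating it."""
    with open(cert_path) as handle:
        pinned_pem = handle.read()
    served_pem = ssl.get_server_certificate((host, port))
    return diagnose(pinned_pem, served_pem), fingerprints(served_pem)


if __name__ == "__main__":
    # Constructed stand-ins, not real certificates: only the bytes are hashed.
    cert_a = ssl.DER_cert_to_PEM_cert(b"constructed certificate A")
    cert_b = ssl.DER_cert_to_PEM_cert(b"constructed certificate B")
    print(diagnose(cert_a, cert_a))            # match
    print(diagnose(cert_a + cert_b, cert_b))   # match
    print(diagnose(cert_a, cert_b))            # mismatch
    # Live use on the ICDx host (hypothetical host name):
    # print(check_live("/path/to/splunk_cert.pem", "splunk.example.internal"))
```

Run `check_live` from the ICDx host so the connection takes the same network path as the forwarder; a `mismatch` whose served fingerprint also differs from the one computed on the Splunk server itself points to a device in the path presenting its own certificate.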