Skip to main content

Splunk Universal Forwarder Fails to Connect to Cribl Cloud Splunk TCP with sslVerifyServerCert Enabled

  • July 9, 2026
  • 0 replies
  • 4 views

Jessica Bracken

Symptom

Splunk Universal Forwarder cannot connect to a Cribl Cloud Splunk TCP endpoint when sslVerifyServerCert = true is enabled, logging TLS client initialization errors about not being able to read the CA certificate file and failing to create the SSL context.

Environment

  • Cribl Stream: on Cribl.Cloud (Splunk TCP Source on Port 9997)
  • Splunk Universal Forwarder: Sending via outputs.conf to default.main.<your-org-id>.cribl.cloud:9997
  • TLS Configuration: TLS enabled with useSSL = true and sslVerifyServerCert = true
  • Authentication: Via Splunk S2S Token

Resolution

  1. Confirm the error occurs during UF TLS client initialization (before any handshake with Cribl Cloud).
  2. Use btool to verify the effective CA configuration and ensure the path is absolute and readable, or use caTrustStore = splunk, OS with a system CA bundle.
  3. Add clientCert = $SPLUNK_HOME/etc/auth/server.pem and the corresponding sslPassword to the tcpout stanza, along with TLS and token settings.
  4. Restart the UF and verify successful connection and data flow into the Cribl Cloud Splunk TCP source.
  5. Optionally rely on default TLS validation without sslVerifyServerCert when strict verification is not mandated.

Cause

This issue occurs when Splunk’s SSL client stack cannot resolve the configured CA file path and when sslVerifyServerCert = true is enabled without a usable client certificate/key pair, causing TLS client context initialization to fail even though Cribl Cloud does not require mutual TLS.

Additional Information