Symptom
Splunk Universal Forwarder cannot connect to a Cribl Cloud Splunk TCP endpoint when sslVerifyServerCert = true is enabled, logging TLS client initialization errors about not being able to read the CA certificate file and failing to create the SSL context.
Environment
- Cribl Stream: on Cribl.Cloud (Splunk TCP Source on Port 9997)
- Splunk Universal Forwarder: Sending via
outputs.conftodefault.main.<your-org-id>.cribl.cloud:9997 - TLS Configuration: TLS enabled with
useSSL = trueandsslVerifyServerCert = true - Authentication: Via Splunk S2S Token
Resolution
- Confirm the error occurs during UF TLS client initialization (before any handshake with Cribl Cloud).
- Use
btoolto verify the effective CA configuration and ensure the path is absolute and readable, or usecaTrustStore = splunk, OSwith a system CA bundle. - Add
clientCert = $SPLUNK_HOME/etc/auth/server.pemand the correspondingsslPasswordto thetcpoutstanza, along with TLS and token settings. - Restart the UF and verify successful connection and data flow into the Cribl Cloud Splunk TCP source.
- Optionally rely on default TLS validation without
sslVerifyServerCertwhen strict verification is not mandated.
Cause
This issue occurs when Splunk’s SSL client stack cannot resolve the configured CA file path and when sslVerifyServerCert = true is enabled without a usable client certificate/key pair, causing TLS client context initialization to fail even though Cribl Cloud does not require mutual TLS.
Additional Information
- Splunk TCP Source documentation in Cribl Docs.
- Cribl Cloud Splunk TCP uses one-way TLS with token-based auth; the UF
clientCertis only for Splunk’s own TLS stack.
