topic Re: Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file in Security

Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

scc00 — Mon, 18 Mar 2019 17:59:57 GMT

Running into the following errors when configuring and restarting splunk using third party certificates. All configurations follow Splunk's instructions found here. https://docs.splunk.com/Documentation/Splunk/7.0.3/Security/Howtogetthird-partycertificates#Request_your_server_certificate

Web.conf
[settings]
enableSplunkWebSSL = 1
serverCert = /opt/splunk/etc/etc/auth/certnew.cer
privKeyPath = /opt/splunk/etc/auth/privatekey.key
httpport = 8000

Server.conf

[sslConfig]
sslPassword = whateveriwant
sslRootCAPath = /opt/splunk/etc/auth/labca.pem
serverCert = /opt/splunk/etc/auth/server.pem
sslVersions = tls1.2

Errors within Splunkd.log:
03-18-2019 13:48:21.609 -0400 ERROR SSLCommon - Can't read certificate file /opt/splunk/etc/etc/auth/certnew.cer errno=33558530 error:02001002:system library:fopen:No such file or directory
03-18-2019 13:48:21.609 -0400 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

Any ideas why this is happening? Permissions are correct. The splunk user has access to read and write the necessary files.

Re: Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

nickhills — Mon, 18 Mar 2019 18:04:22 GMT

Is the .cer file a PEM or DER encoded certificate?
It looks like Splunk is struggling to read it, so you might need to convert it to base64 PEM

If you open the .cer in a text editor, does it start with -----BEGIN CERTIFICATE-----
If not, you need to convert it.

Re: Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

scc00 — Mon, 18 Mar 2019 18:10:06 GMT

So it's a base 64 PEM file and starts like this:

-----BEGIN CERTIFICATE-----

Re: Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

nickhills — Mon, 18 Mar 2019 18:26:09 GMT

Oh wait - there is a typo in the filename.

/opt/splunk/etc/etc/auth/certnew.cer

should be

/opt/splunk/etc/auth/certnew.cer

Re: Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

scc00 — Tue, 29 Sep 2020 23:43:38 GMT

Good catch. Thanks for that. 🙂

But i'm getting this error now:

03-18-2019 14:53:29.048 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/certnew.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.074 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/certnew.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.668 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/defendsh.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.668 -0400 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

Re: Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

nickhills — Mon, 18 Mar 2019 19:54:47 GMT

I don't see an sslPassword = whatever you set it to in your web.conf in your initial post.
Is that an omission from the paste?

Re: Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

scc00 — Mon, 18 Mar 2019 20:00:24 GMT

So I haven't use it since it's optional and only required if the private key had a password, which mine does not. I removed immediately after creating it.