topic Re: Splunk apps: How do you resolve certificate verification errors? in Security

Splunk apps: How do you resolve certificate verification errors?

SplunkIT3337 — Wed, 03 Jan 2018 16:53:02 GMT

I've searched the similar questions and did not find a direct answer.
I have a Splunk APP (Code42) that fails because of SLL verification issues.

"file=RESTClient.py:error:319 message="message="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" exception_type="SSLError" exception_arguments="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" filename="code42_clients.py" line="180"""

The certificate on the server, where the app is pulling data from, is self-signed. We cannot change that unfortunately. Within the Splunk application where do add this certificate so Splunk and all associated apps will trust the cert?

I've checked and made changes to this file, Documentation/Splunk/latest/Admin/Serverconf, however they have not been successful. I want to verify the app's cert, and not ignore certificate failures.

Re: Splunk apps: How do you resolve certificate verification errors?

burakcinar — Wed, 03 Jan 2018 20:50:38 GMT

if you cant change self-signed ssl , you need to export your certificate (including the private key) and install it to splunk server.

i assume that code42 is related with crashplan and they have documentation for ssl implementation. ( check: https://support.code42.com/Administrator/6/Configuring/Install_your_own_SSL_certificate_with_OpenSSL )

Re: Splunk apps: How do you resolve certificate verification errors?

SplunkIT3337 — Thu, 04 Jan 2018 12:55:59 GMT

Where would I install the key on the Splunk side? The article seems to mention setting up they cert on the CrashPlan server, which we already have. The Splunk app, will not validate the certificate though. On the Splunk server we have tried adding the certificate to the appsca.pem file, however that has not fixed the issue.

Re: Splunk apps: How do you resolve certificate verification errors?

burakcinar — Thu, 04 Jan 2018 14:08:30 GMT

which OS are you using for splunk ?

Re: Splunk apps: How do you resolve certificate verification errors?

SplunkIT3337 — Thu, 04 Jan 2018 14:09:57 GMT

Ubuntu 14.04 LTS

Re: Splunk apps: How do you resolve certificate verification errors?

SplunkIT3337 — Fri, 02 Feb 2018 17:30:51 GMT

We have changed the certificate to one issued by a trusted CA (Entrust). However Splunk OpenSSL does not seem to like Entrust and still gives the same errors: After running this command to find the cert store, I've hit a block, and still cannot find where I can install the certificate that would allow Splunk > Python > OpenSSL instance to trust the certificate. I would not like to go the route of telling Splunk to ignore all cert errors. The path /home/build, does not exist,

Here is the connection test command:

./splunk cmd openssl s_client -connect SITENAME:PORT | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G3
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
/opt/splunk/bin# ./splunk cmd python -c "import ssl;print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/home/build/build-home/splunk-home/openssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/home/build/build-home/splunk-home/openssl/certs')

Re: Splunk apps: How do you resolve certificate verification errors?

rrthokala — Thu, 08 Nov 2018 15:15:53 GMT

whats the solution for this problem?

Re: Splunk apps: How do you resolve certificate verification errors?

rrthokala — Thu, 08 Nov 2018 16:18:09 GMT

appended the cert information to cacert.pem in python lib to make it work.

Re: Splunk apps: How do you resolve certificate verification errors?

georgen_splunk — Wed, 23 Jan 2019 01:17:47 GMT

version = 3.0.6
decided to disable certificate verification as a workaround:
edit $SPLUNK_HOME/etc/apps/Code42ForSplunk/bin/code42.py
navigate to line 125

"verify_certificate": True,

"verify_certificate": False,

SC says this is insecure, but an acceptable hack for now given our ultra-secure environment.

Re: Splunk apps: How do you resolve certificate verification errors?

spluzer — Mon, 26 Oct 2020 13:38:26 GMT

Any update to this?

Re: Splunk apps: How do you resolve certificate verification errors?

makelovenotwar — Wed, 21 Jun 2023 13:30:35 GMT

@rrthokala wrote:
appended the cert information to cacert.pem in python lib to make it work.

where is this python lib located?