topic Re: Why can't I use cliVerifyServerName = True with self signed certificate? in Splunk Enterprise

Why can't I use cliVerifyServerName = True with self signed certificate?

andymalato — Tue, 28 Feb 2023 18:59:19 GMT

We are working on upgrading our Splunk environment from 8.2.7 to 9.0.4

When we attempt to set cliVerifyServerName = true in server.conf and start splunk, the following is message just keeps being echoed in an endless loop "ERROR: certificate validation: self signed certificate."

We are only using self signed certificates to secure splunkd but SplunkWeb does have a real cert signed by an recognized signing authority. If we don't set this we see the following message on startup:

".WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details"

This feels like a bug to me but not sure since certificates are complicated.

Any one else running into this issue ?

Thanks.

Re: Why can't I use cliVerifyServerName = True with self signed certificate?

_pravin — Fri, 03 Mar 2023 15:28:34 GMT

I see a similar issue but I have set cliVerifyServerName = false. But from your answer, if it doesn't make a difference I am interested to see what changes we need to employ.

Re: Why can't I use cliVerifyServerName = True with self signed certificate?

kdulle — Mon, 13 Mar 2023 16:36:55 GMT

I'm seeing the same thing. Let me know if you find out more.

Pretty sure this python warning was new after the upgrade as well.
Upgrading from 9.0

Re: Why can't I use cliVerifyServerName = True with self signed certificate?

andymalato — Mon, 13 Mar 2023 16:50:40 GMT

This is somehow tied to SplunkWEB because when we set cliVerifyServerName = true on our indexers (which don't run a web interface) this error does not happen and splunkd starts without issue. I believe the issue is that we are using a self-signed certificate for splunkd but for splunkWEB we are using a signed certificate recognized by a known signing authority. It seems that the mixture of a self-signed certificate in the mix is causing the issue. However, I believe this should be a supported configuration as using two different certificates for splunkd and splunkWEB is supported. This feels like a bug.

Re: Why can't I use cliVerifyServerName = True with self signed certificate?

andymalato — Tue, 14 Mar 2023 11:00:58 GMT

The feature to use TLS hostname validation for Python modules was available starting in 9.0. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/AboutupgradingREADTHISFIRST for details. We were able to silence the message by setting PYTHONHTTPSVERIFY = 1 in splunk-launch.conf. Hope that helps.

Re: Why can't I use cliVerifyServerName = True with self signed certificate?

kdulle — Tue, 14 Mar 2023 12:42:30 GMT

Yes, I can confirm that when I added that to splunk-launch.conf the python message went away.

Thanks for clarifying your issue above yesterday on using two different certs causing the problem. My issue ended up being a typo in the sslRootCAPath in server.conf.

I appreciate your quick replies.

Re: Why can't I use cliVerifyServerName = True with self signed certificate?

jorma — Fri, 01 Mar 2024 17:00:06 GMT

We are having this exact issue - were you able to find a solution?

Re: Why can't I use cliVerifyServerName = True with self signed certificate?

_pravin — Tue, 12 Mar 2024 09:52:36 GMT

Hi @jorma ,

There are a few things you need to check for certificates.

Check if the certificate is pointing to the right file in web.conf
If you have a different name for the Splunk web URL, make sure that you have all of them the SAN part of the certificate file.

I had encountered both of the above issues and once I made the change, our Splunk instance was working perfectly.

Thanks,

Pravin