<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Python Env CA certificates in Splunk Dev</title>
    <link>https://community.splunk.com/t5/Splunk-Dev/Splunk-Python-Env-CA-certificates/m-p/393341#M6648</link>
    <pubDate>Tue, 29 Sep 2020 21:59:49 GMT</pubDate>
    <dc:creator>MuS</dc:creator>
    <dc:date>2020-09-29T21:59:49Z</dc:date>
    <item>
      <title>Splunk Python Env CA certificates</title>
      <link>https://community.splunk.com/t5/Splunk-Dev/Splunk-Python-Env-CA-certificates/m-p/393340#M6647</link>
      <description>&lt;P&gt;We have an issue on an App we are developing. For some clients who have installed our app, we have issues completing the SSL handshake due to certificate validation.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Version of Splunk:&lt;/STRONG&gt; This happens on all Splunk versions (but for select clients after a clean install)&lt;BR /&gt;
&lt;STRONG&gt;Heavy forwarder vs indexer:&lt;/STRONG&gt; Occurs on both&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Issue:&lt;/STRONG&gt;&lt;BR /&gt;
It seems that Cisco's AMP for Endpoints SSL certificate is not trusted by Splunk's Python environment. NOTE: the SSL certificate correctly validates on the operating system (of the application host [both heavy forwarder and index node]) and can be confirmed using openssl outside of the Python environment:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;openssl s_client -connect export-streaming.amp.cisco.com:443
CONNECTED(00000005)
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Jose/O=Cisco Systems, Inc./CN=amp.cisco.com
   i:/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2
 1 s:/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
 2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
---
Server certificate
subject=/C=US/ST=CA/L=San Jose/O=Cisco Systems, Inc./CN=amp.cisco.com
issuer=/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2
---
No client certificate CA names sent
---
SSL handshake has read 6695 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 143BB6710AC28F2D462BDF63DC1EBA8BFE706664221E2C66F37F3BA367C3DD77
    Session-ID-ctx:
    Master-Key: 49EE53C3CC86465863000F441CBD6C6134C58B844693278477461A3520BD945CE32E4AFF0D51DB60036CBE8681FBFE2A
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1542227728
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;However, within the Splunk Python environment we have an error:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;bin/splunk cmd openssl s_client -connect export-streaming.amp.cisco.com:443
CONNECTED(00000003)
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Jose/O=Cisco Systems, Inc./CN=amp.cisco.com
   i:/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2
 1 s:/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
 2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
---
Server certificate
subject=/C=US/ST=CA/L=San Jose/O=Cisco Systems, Inc./CN=amp.cisco.com
issuer=/C=US/O=HydrantID (Avalanche Cloud Corporation)/CN=HydrantID SSL ICA G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6700 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 86C01068ECA077332C7AFD19945B5D736F93437DF3464FDC9607D11036F9FB04
    Session-ID-ctx:
    Master-Key: 8FAE26FB09AD099FC83EBBD3A6C1686A6EB81074AB1C0C0B8C61A785485B68332621A656897733F796CA5FB0668B2A6C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1542220554
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The specific error is:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;        Verify return code: 19 (self signed certificate in certificate chain)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Questions are:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;How can we add support for the Cisco AMP for Endpoints SSL certificate (issued by HydrantID)?&lt;/LI&gt;
&lt;LI&gt;Are there work-arounds for adding an additional CA within the Application itself?&lt;/LI&gt;
&lt;LI&gt;What is the process for adding this directly into Splunk's CA set?&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 14 Nov 2018 20:39:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Dev/Splunk-Python-Env-CA-certificates/m-p/393340#M6647</guid>
      <dc:creator>samsnguy_cisco</dc:creator>
      <dc:date>2018-11-14T20:39:35Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Python Env CA certificates</title>
      <link>https://community.splunk.com/t5/Splunk-Dev/Splunk-Python-Env-CA-certificates/m-p/393341#M6648</link>
      <description>&lt;P&gt;Hi  samsnguy_cisco,&lt;/P&gt;

&lt;P&gt;To make it work with the openssl provided by Splunk, you can run this command:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;/opt/splunk/bin/splunk cmd openssl s_client -connect export-streaming.amp.cisco.com:443 -CApath /usr/lib/ssl/certs
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;To make it work in your script (assuming Python), just add the CA path to your script using &lt;CODE&gt;openssl_capath_env&lt;/CODE&gt;, which points to the environment variable SSL_CERT_DIR.&lt;BR /&gt;
If SSL_CERT_DIR doesn't exist, you will need to create it and point it to a valid folder within your filesystem.&lt;/P&gt;

&lt;P&gt;I would not try and add the CAs to Splunk's CA set - if possible at all &lt;CODE&gt;¯\_(ツ)_/¯&lt;/CODE&gt;, they might get overwritten with an update of Splunk.&lt;/P&gt;

&lt;P&gt;Hope this helps ...&lt;/P&gt;

&lt;P&gt;cheers, MuS&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 21:59:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Dev/Splunk-Python-Env-CA-certificates/m-p/393341#M6648</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2020-09-29T21:59:49Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Python Env CA certificates</title>
      <link>https://community.splunk.com/t5/Splunk-Dev/Splunk-Python-Env-CA-certificates/m-p/393342#M6649</link>
      <description>&lt;P&gt;Perfect, thanks for the quick reply.&lt;/P&gt;</description>
      <pubDate>Thu, 15 Nov 2018 15:40:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Dev/Splunk-Python-Env-CA-certificates/m-p/393342#M6649</guid>
      <dc:creator>samsnguy_cisco</dc:creator>
      <dc:date>2018-11-15T15:40:06Z</dc:date>
    </item>
  </channel>
</rss>

