topic Re: Internally Signed Certificate Error in Getting Data In

Internally Signed Certificate Error

willadams — Tue, 27 Nov 2018 05:13:58 GMT

I am trying to configure our web interface to have a certificate for connections (i.e. https://fqdn:8000). I am running into a problem where I am getting an "can't read certificate file errno=33558531 error:02001003:system library:fopen:No such process"

This is followed with

ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong
ERROR HTTPServer - SSL will not be enabled

Using the SPLUNK documentation on generating this certificate (https://docs.splunk.com/Documentation/Splunk/6.6.4/Security/Getthird-partycertificatesforSplunkWeb) I generated a key file with a pass phrase. I followed the instructions to remove the passphrase and was able to verify this using openssl ..... -text without being prompted.

I did deviate slightly when generating the certificate request by using the following openssl command.

openssl req -new -sha256 -nodes -out -key -config

The config file contained the relevant information and the SAN's we need for the certificate.

I had the certificate signed by our Internal CA and I was provided a PEM format (.pem) response. I also had our Internal CA provide the certificate chain in a PEM format. Our certificate chain comprises a root, intermediary and issuing CA.

I created a new PEM file and copied the response certificate block in. I then copied the certificate block for the issuing CA, the intermediary CA and then the root CA to this new PEM file. So this mimics what the document indicates (signed cert first, then issuing, then intermediary, then root)

I then updated the web.conf file to reference these entries by configuring it as

[settings]
enableSplunkWebSSL = true
privKeyPath = \etc\auth\myfolder\file.key
serverCert = \etc\auth\myfolder\signedfile.pem

I did also try

[settings]
enableSplunkWebSSL = true
privKeyPath = \etc\auth\myfolder\file.key
caCert = \etc\auth\myfolder\concatenatedfile.pem

I did also try not using the concatenated PEM file and just using the response file.

However no matter what I do I keep getting the error mentioned.

Note the certificate being generated is using a CNAME for the FQDN instead of the server name. Do I need to add an additional SAN for the server name as well?

Re: Internally Signed Certificate Error

willadams — Wed, 28 Nov 2018 05:40:58 GMT

I revisited the certificate configuration and opted to use the exact commands listed in the SPLUNK support documentation to generate the certificate request. This is to mitigate against any configuration issues in the CSR. This too resulted in the same problem.

I also investigated the version of OpenSSL for our SPLUNK instance and can confirm we are using the SPLUNK documented version (for reference SPLUNK 6.6.4 with openssl-1.0.2k ==> https://docs.splunk.com/Documentation/Splunk/6.6.4/ReleaseNotes/OpenSSL).

Re: Internally Signed Certificate Error

willadams — Tue, 29 Sep 2020 22:09:09 GMT

I have been able to identify a method to get this to work in 6.6.4 with openssl 1.0.2k.

I needed to adjust my openssl query so that the command was

openssl req -out file.csr -newkey rsa:2048 -nodes -keyout file.key -config san.cnf

The cnf file was simply

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=xxxxxx
ST=xxxxx
L=xxxxx
O=xxxxxx
OU=xxxxxx
CN=fqdn.domain.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1=fqdn.domain.com
DNS.2=xxxxxx
.....

I then had the request re-signed and asked for the response in PEM format and obtained the PEM format for each of the certificate authorities in the chain. For example issuingca.pem; intermediateca.pem and rootca.pem

I then did a "type signedrequest.pem issuingca.pem intermediateca.pem rootca.pem > bundle.pem

I then updated the web.conf file so that is read

[settings]
enableSplunkWebSSL = true
privKeyPath = [Drive_Letter]:\Splunk_Enterprise\etc\auth\folder\file.key
serverCert = [Drive_Letter]:\Splunk_Enterprise\etc\auth\folder\bundle.pem

I also hashed out the "sslPassword" in the file server.conf (etc\system\local) and restarting SPLUNK.