topic Re: I am getting Certificate Error in Training + Certification Discussions

I am getting Certificate Error

abhayneilam — Tue, 29 Sep 2020 20:16:56 GMT

HI, I have configured SSL in Splunk . It is not self signed but issued by Certified Authority.

I have enabled https option from Splunk GUI also. I am using 7.1.1 version.

Now, the problem is . If I open my SH with https it is opening, but Certificate Error is giving :

This page is not secure (broken HTTPS).
Certificate - Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
View certificate
Certificate - missing

The hostname in the website’s security certificate differs from the website you are trying to visit.
Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID

I am getting this by pressing F12 and Security tab and my URL is becoming red and https is getting striked out.

Kindly help in solving this !!

Re: I am getting Certificate Error

abhayneilam — Thu, 05 Jul 2018 05:45:38 GMT

Thanks it is solved, I did it myself !!

Re: I am getting Certificate Error

ichea — Thu, 18 Oct 2018 13:50:15 GMT

How did you fix this?

Re: I am getting Certificate Error

DBattisto — Wed, 06 Mar 2019 13:02:55 GMT

Please provide input on what you did to fix this issue.

Re: I am getting Certificate Error

_joe — Fri, 12 Jul 2019 11:49:21 GMT

You've kind of answered your own question, but the error is because the certificate specified in the CN field of your certificate and your host don't match.

Here are some helpful steps if you are using Linux and Splunk Home is "/opt/splunk"
I - Find what host your using
/opt/splunk/bin/splunk btool web list | grep serverCert

2 - Check your CN
/opt/splunk/bin/splunk cmd openssl x509 -in .pem -text | grep Subject:

It could be something as simple as just needing to specify the FQDN

Re: I am getting Certificate Error

_joe — Wed, 18 Mar 2020 12:15:45 GMT

You need a certificate that specifies the alt name, which doesn't happen when in the Splunk guide for cert creation.

One option would be to follow Step 3 in this guide. If you have a single server that creates all your certificates, you would need to change openssl.cnf before each cert creation. FYI, changing these type of files will cause a manifest error until you either put the old file back or upgrade.

https://www.hurricanelabs.com/splunk-tutorials/splunk-certificates-master-guide

#Edit the openSSL file
vi /opt/splunk/openssl/openssl.cnf

# Uncomment out the Request Extensions options

    # Optional: Use "/" to search for req_extensions

    Change FROM: #req_extensions = v3_req # The extensions to add to a certificate request
             TO: req_extensions = v3_req # The extensions to add to a certificate request

    # Optional: Use "/" to search for v3_req 

#Add extended key usage 'subjectAltName = DNS:<FQDN>, DNS:<hostname>, IP:<ip_address>'