App Webtool - SSL error, certificate verify failed

M4rv1m
Engager

Hello @jkat54!

I'm having some trouble getting the app to work, and the ultimate goal is to be able to change the ownership of searches automatically (e.g. from a scheduled report).
Here is the search:

``` get all info about the searches on the instance ```
| rest /services/saved/searches splunk_server=local

``` keep only enabled searches in the search app whose owner does not match the value below ```
| search eai:acl.owner!="user2 " disabled = 0 eai:acl.app = "search"
| rename eai:acl.owner as owner, eai:acl.app as app, eai:acl.sharing AS sharing

```extract the management port and the search name already urlencoded ```
| rex field=id "^\S+(?<mngmport>\:\d+)\/servicesNS\/\S+\/saved\/searches\/(?<search_name>\S+)$"

``` build the uri for the curl  mngmport =: mngmport ```
| eval url = "https://" + splunk_server + mngmport +"/servicesNS/"+ owner +"/"+ app +"/saved/searches/"+ search_name +"/acl"

``` future use, not yet implemented ```
| eval description = description + " - moved from " + owner

``` constructing data= {"owner":"user2","sharing":"global"} ```
| eval data = json_object("owner", "user2", "sharing", sharing)

``` debug & Co ```
| table splunk_server app owner title description disabled action.notable cron_schedule url data id sharing *

``` the curl, which isn't working / I'm probably doing something wrong here ```
| curl urifield=url method="post" splunkauth="true" debug=true datafield=data
| table curl*

 

I've tried to specify the cert in some way, but it seems that there are no args that I can pass for it.
Since I can't find a solution to this (searching online I found a suggestion to bypass ssl inspection, but in my case I don't think I can solve it with that), I'm here to ask for help.

I prefer to avoid using simple authentication (user:password).

The error I get is from the curl_message field:

HTTPSConnectionPool(host='host', port=8089): Max retries exceeded with url: /servicesNS/user1/search/saved/searches/dummy%20search/acl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1143)')))

curl_status: 408

Thanks in advance!

0 Karma

livehybrid
SplunkTrust

Hi @M4rv1m 

Are you running on-prem or Splunk Cloud? This app actually uses Python requests under the hood with verify=True set - this means it is expecting a valid certificate based on the CAs it has access to.

I believe you can overwrite the request CAs using an environment variable "REQUESTS_CA_BUNDLE" - this means you could possibly set this in $SPLUNK_HOME/etc/splunk-launch.conf to the CA of your Splunk instance, e.g.:

REQUESTS_CA_BUNDLE=/opt/splunk/etc/auth/cacert.pem

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

M4rv1m
Engager

Hi @livehybrid

Thank you for your answer, but it didn't solve my problem unfortunately.

I'm currently on an on-prem environment, and the workaround that I found was to set the verify parameter (this one directly in the curl.py) to false.

line 99
r = requests.post(uri,data=payload,verify=False,cert=cert,headers=headers,timeout=timeout)

Maybe not the best, but it's working.

0 Karma
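
An alternative to the `verify=False` workaround above, shown as an added example that is not part of the thread or of the app's own code: it picks a CA bundle path to pass as `verify=` and confirms Python's `ssl` module can load it, so certificate checking stays on. The helper names `check_ca_bundle` and `pick_verify` are hypothetical, and the sample path is the one from the reply above.

```python
import os
import ssl

# Hypothetical helpers for illustration; not part of the app's curl.py.

def check_ca_bundle(path):
    """Return how many certificates Python's ssl module loads from `path`.

    Raises ValueError when the file is missing, unreadable, or holds no
    usable PEM certificate, so a bad bundle is caught before any request.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # FileNotFoundError and ssl.SSLError are both OSError
        raise ValueError(f"cannot load CA bundle {path!r}: {exc}") from exc
    count = ctx.cert_store_stats()["x509"]
    if count == 0:
        raise ValueError(f"{path!r} contains no certificate")
    return count


def pick_verify(explicit=None, env=None):
    """Choose the value for requests' `verify=` argument without disabling checks.

    Order: explicit path, then REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE (the
    two variables requests itself consults), else True (default trust store).
    """
    env = os.environ if env is None else env
    path = explicit or env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
    if not path:
        return True
    check_ca_bundle(path)
    return path


if __name__ == "__main__":
    # Path from the reply above; it must be the CA that issued the port 8089 certificate.
    try:
        print("verify =", pick_verify("/opt/splunk/etc/auth/cacert.pem"))
    except ValueError as err:
        print("bundle problem:", err)
```

The value returned by `pick_verify` can be passed as `verify=` in the `requests.post` call in place of `False`.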