
Http post request to Splunk REST API with certificate verification

Motivator

Hi All,

I want to secure the HTTP POST request made to the Splunk REST API over HTTPS with certificate verification. I am using the following code in Python:

r=requests.post(url="https://localhost:8089/services/auth/login",data={'username':'admin', 'password':'admin'},allow_redirects=True,stream=True,verify=True)

I always get the following error:

requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:595)

I have tried providing the certificate path in the verify field, but I still get the same error.

Any idea?

0 Karma
1 Solution

SplunkTrust

You'll never get "localhost" certs to verify.

Change verify=True to verify=False. The communication will still be encrypted.

Or access the server through an FQDN that is associated with a valid SSL certificate. Something like https://mywebserver.myvaliddomain.com.


Splunk Employee

Self-signed certs are not valid so you cannot use cert validation.

If you want to use a valid cert, you need to replace the self-signed cert on the Splunk side with one issued from a cert authority. You can get a free one for example at letsencrypt.org

0 Karma

Motivator

You can use a self-signed certificate as well; you just need to add it to the trust store.

0 Karma


Motivator

If I use verify=False, it will disable certificate verification. I want to enable certificate verification. Also note that I am using the default self-signed certificate.

0 Karma

SplunkTrust

You'll never get self-signed certificates to verify unless you place that self-signed certificate in your trusted root store or otherwise introduce it to your internal Public/Private Key Infrastructure. Don't get me wrong, some organizations have their own PKI and they can sign their own certs all day long, and their laptops trust their own PKI and those certs will verify just fine. This will never work with LOCALHOST as your common name, however. Not with your own PKI, and not with a "LOCALHOST" certificate in your trusted root store, and you'll never be able to get a "LOCALHOST" certificate from a public signing authority either.

The only way around your error for self signed "LOCALHOST" certificates will be to disable the verification.

Option B:
Put something in your hosts file like this:
127.0.0.1 mywebserver.mydomain.com

Then generate your own self-signed certificate with a CN of mywebserver.mydomain.com. Then add this certificate to your trusted root store. Now open mywebserver.mydomain.com in your web browser.

Assuming you do this right, the site should have a green padlock in your web browser, and will then work with verify=True in your request.

Again, the communication will still be encrypted even if you disable the verification.

0 Karma

Motivator

I tried generating a CA certificate for my URL, but I am getting the same error there as well.
I generated a self-signed certificate using openssl for 10.0.1.174, then signed it using SplunkCommonCA. Then I tried to make a POST to that server.

I had not added it to the trust store.
Can you let me know what the trust store is for Python on Linux/Mac?

0 Karma

SplunkTrust
0 Karma

Motivator

Thanks @jkat54.

I was able to resolve this problem. We need to install the certificate into the trusted store of the requests/httplib module, whichever we are using for making the request. I am listing all the steps that I performed, for reference:
I generated a new certificate and signed it with SplunkCommonCA.

Generate New certificate for Splunk Management Port

1) Generate new certificate
openssl genrsa -des3 -out mysplunk.key 2048

2) Generate Certificate Request
openssl req -new -key mysplunk.key -out mysplunk.csr

---> Please ensure you enter the hostname/IP Address, when asked for CN. 

3) Remove pass phrase from the key
openssl rsa -in mysplunk.key -out mysplunknop.key

4) Generate new certificate using SplunkCommonCA as signing authority
openssl x509 -req -days 365 -in mysplunk.csr -CA $SPLUNK_HOME/etc/auth/cacert.pem -CAkey $SPLUNK_HOME/etc/auth/ca.pem -CAcreateserial -out mysplunk.pem

5) Add SplunkCommonCA certificate to newly generated certificate

cat $SPLUNK_HOME/etc/auth/cacert.pem >> mysplunk.pem

6) Add private key to your newly generated certificate
 cat mysplunknop.key >> mysplunk.pem

7) Go to $SPLUNK_HOME/etc/system/local/web.conf and update certificate key and certificate as follows:

[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/mysplunknop.key
caCertPath = etc/auth/splunkweb/mysplunk.pem

8) To change the certificate for management port: Go to  $SPLUNK_HOME/etc/system/local/server.conf

Add the following:
[sslConfig]
sslKeysfile = splunkweb/mysplunk.pem
sslKeysfilePassword = 

9) For the requests module, copy the SplunkCommonCA certificate into cacerts.pem, available at
/Applications/Splunk/lib/python2.7/site-packages/requests/cacert.pem

For the HTTPLib module, copy the SplunkCommonCA certificate into cacerts.txt, available at /Applications/Splunk/lib/python2.7/site-packages/httplib2/cacerts.txt
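
Added example, not part of the original posts or of Splunk's code: a login call that keeps certificate verification on and trusts only the signing CA passed per call, so the library's bundled cacert.pem is left unmodified, and that reports whether a failure is a trust problem or a name problem. It assumes Python 3 and the standard library in place of requests; ca_file is assumed to be the SplunkCommonCA file from step 4, and the function and constant names are illustrative.

```python
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# OpenSSL verify codes for the two failure classes discussed in this thread.
UNTRUSTED_ISSUER = {18, 19, 20}  # self-signed leaf / self-signed in chain / unknown issuer
NAME_MISMATCH = {62, 64}         # hostname mismatch / IP address mismatch

def build_context(ca_file=None):
    """Verifying client context; with ca_file, trust only that CA bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx

def classify_verify_code(code):
    """Map an OpenSSL verify code to the fix it calls for."""
    if code in UNTRUSTED_ISSUER:
        return "untrusted-issuer: pass the signing CA as ca_file"
    if code in NAME_MISMATCH:
        return "name-mismatch: URL host is not a name in the certificate"
    return "other: verify code %d" % code

def parse_session_key(body):
    """Extract <sessionKey> from the XML body of /services/auth/login."""
    node = ET.fromstring(body).find("sessionKey")
    if node is None or not node.text:
        raise ValueError("no sessionKey in login response")
    return node.text.strip()

def splunk_login(base_url, username, password, ca_file):
    """POST credentials with verification on; returns the session key."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send credentials without TLS")
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/services/auth/login", data=data)
    try:
        with urllib.request.urlopen(req, context=build_context(ca_file), timeout=10) as resp:
            return parse_session_key(resp.read())
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(classify_verify_code(exc.reason.verify_code)) from exc
        raise
```

The host in base_url has to be the same hostname or IP address that was entered for the certificate in step 2, and ca_file would point at $SPLUNK_HOME/etc/auth/cacert.pem.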

SplunkTrust

Well then, I believe we've answered the question. Can you mark this as the answer?

0 Karma

SplunkTrust

Seeing as how I've created 3 SSL apps for Splunk, all of which use the requests lib and Python... I'm hoping you'll take my word for this.

0 Karma