
SSL error: How do I fix this Forescout Adaptive Response TA?

mattmans1
New Member

Hi.

I'm having a nightmare getting this adaptive response TA working. Has anybody got it working? I'm getting the following error.

ta_forescout_response_init.py:45 - CRITICAL - Unexpected error while getting alert actions from CounterACT: HTTPSConnectionPool(host='forescout.mattlab.local', port=443): Max retries exceeded with url: /splunk/actions_info?auth=CounterACT%20A6885132-A0EE-4AED-A2A3-8C01AF148957 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

The guide I've followed is here, specifically page 15:

https://www.forescout.com/resources/app-and-add-on-for-splunk-how-to-guide-2-9-1/

********************************************************************************************

To enable HTTPS communication using Forescout eyeExtend for Splunk:

1. Operators must not use the default self-signed web-portal certificate; instead,
they need to procure their own certificate. See Appendix D: System
Certificate for Web Portal.

2. Once the certificates are installed on the CounterACT Appliance, the Forescout
platform Public Key Certificate must be appended to the cacert.pem file at the
following location:

$SPLUNK_HOME/lib/python2.7/site-packages/requests/cacert.pem

****************************************************************************

I have created a server certificate for Forescout and copied the CA cert over to the requests directory below:

root@splunklinux:/opt/splunk/lib/python3.7/site-packages/requests# ls -al
total 228
drwxrwxrwx 3 10777 10777 4096 May 15 21:56 .
drwxrwxrwx 73 10777 10777 4096 May 2 12:56 ..
-rwxrwxrwx 1 10777 10777 21344 Feb 1 00:57 adapters.py
-rwxrwxrwx 1 10777 10777 6271 Feb 1 00:57 api.py
-rwxrwxrwx 1 10777 10777 10206 Feb 1 00:57 auth.py
-rw-r--r-- 1 root root 2110 May 15 19:26 cacert.pem
-rwxrwxrwx 1 10777 10777 453 Feb 1 00:57 certs.py
-rwxrwxrwx 1 10777 10777 1678 Feb 1 00:57 compat.py
-rwxrwxrwx 1 10777 10777 18430 Feb 1 00:57 cookies.py
-rwxrwxrwx 1 10777 10777 3185 Feb 1 00:57 exceptions.py
-rwxrwxrwx 1 10777 10777 3515 Feb 1 00:57 help.py
-rwxrwxrwx 1 10777 10777 757 Feb 1 00:57 hooks.py
-rwxrwxrwx 1 10777 10777 3921 Feb 1 00:57 __init__.py
-rwxrwxrwx 1 10777 10777 1096 Feb 1 00:57 _internal_utils.py
-rwxrwxrwx 1 10777 10777 34210 Feb 1 00:57 models.py
-rwxrwxrwx 1 10777 10777 542 Feb 1 00:57 packages.py
drwxrwxrwx 2 root root 4096 May 15 21:59 __pycache__
-rwxrwxrwx 1 10777 10777 29332 May 15 21:56 sessions.py
-rwxrwxrwx 1 10777 10777 4129 Feb 1 00:57 status_codes.py
-rwxrwxrwx 1 10777 10777 2981 Feb 1 00:57 structures.py
-rwxrwxrwx 1 10777 10777 30049 Feb 1 00:57 utils.py
-rwxrwxrwx 1 10777 10777 436 Feb 1 00:57 __version__.py

There was no cacert.pem file in this location. What does it mean to append the public key to the cacert.pem file? I just copied the CA cert from my Forescout signed CA over to this location and called it cacert.pem, as it didn't exist?

 


PickleRick
SplunkTrust

The general approach seems to be good, but:

Which version of Splunk are you using? This version of the app is meant for Splunk 7, which is EOL. Splunk 8 uses Python 3, not 2. (This should have no connection with the error itself; I'm just mentioning this as general advice.) There is a 3.0.3 version available on Splunkbase.

Try connecting to the web portal using openssl s_client and see the certificate chain.

Did you indeed apply a certificate from an external CA or did you simply copy out the default self-signed certificate from the server? (The docs say it won't work this way).


mattmans1
New Member

Hi PickleRick,

 

Thank you for the reply. I'm using the latest, which is 8.2.6, with the latest version of Forescout, 8.4. I did notice it used the Python 3 libraries rather than 2. I have a Windows CA, so I signed the CSR from Forescout with a CA I created using openssl, and copied the CA part to the Splunk directory afterwards.

I will try using the openssl client you specified to see the certificate chain. I'm suspecting it's not presenting the CACERT.PEM certificate, so I agree I need to figure out if that's actually what's not happening.

Thanks for the advice; I will update later when I try again.

 


alexstanley85
Observer

The permissions of cacert.pem look like root:root. Will that work?
Also, the path /app/analytics/splunk/lib/python3.7/site-packages/certifi/cacert.pem has a certificate which seems interesting to me. The Forescout document mentioned a different path.
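The step the whole thread turns on, appending the signing CA's public certificate to the bundle the client trusts, as an added example that is not from the thread, the TA, or the Forescout guide. It builds a throwaway lab CA and a portal certificate signed by it with the openssl CLI (every CA name and the hostname forescout.example.test are constructed), then shows the chain check failing against a bundle that lacks the CA and passing once the CA certificate is appended rather than used to replace the file.

```shell
#!/bin/sh
# Constructed demo: lab CA signs a server cert, then the CA's public certificate
# is appended to a cacert.pem bundle. All names are made up; needs only openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA. $1 = common name, $2 = file basename under $WORK.
gen_ca() {
  openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Web-portal certificate: a CSR signed by lab_ca (the CounterACT CSR step above).
gen_server() {
  openssl req -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/CN=forescout.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/lab_ca.pem" \
    -CAkey "$WORK/lab_ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# Chain check of server.pem against a bundle ($1): exit 0 when it verifies.
# This is the decision the Python client makes before raising CERTIFICATE_VERIFY_FAILED.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Append CA PEM $1 to bundle $2 unless it is already there. Appending keeps every
# root the bundle already trusts; overwriting the file would drop them all.
append_ca() {
  body_line=$(sed -n 2p "$1")   # first base64 line of the PEM body: cheap identity check
  if [ -f "$2" ] && grep -qxF "$body_line" "$2"; then
    echo "already present"
  else
    openssl x509 -in "$1" >> "$2"   # re-emit so only the certificate block is appended
    echo "appended"
  fi
}

demo() {
  gen_ca "Lab Root CA" lab_ca
  gen_ca "Unrelated Root CA" other_ca
  gen_server
  cp "$WORK/other_ca.pem" "$WORK/cacert.pem"   # bundle that does not yet know the lab CA
  verify_against "$WORK/cacert.pem" && echo "before: ok" || echo "before: verify failed"
  append_ca "$WORK/lab_ca.pem" "$WORK/cacert.pem"
  verify_against "$WORK/cacert.pem" && echo "after: ok" || echo "after: still failing"
}
demo
```

On a Python 3 Splunk install the requests library reads the certifi bundle by default (requests.certs.where()), which is the path alexstanley85 points at, so that file is where the append belongs unless the caller passes its own bundle via verify=.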
