All Apps and Add-ons

Splunk Addon SSL Certificate Checker / non-splunk certs

tke_lc_2
Engager

Dear Michael (@jkat54),

we successfully use your Splunk Addon SSL Certificate Checker Version 4.0.2 with the internal Splunk Certificates. Thank you for sharing.

Now we had the idea also to check some external Certificates, means certs on same server but not splunk certs.

Unfortunately I don’t get this up and runnig.

I tried to run the commands manually (see results below).

ssl_checker3 worked

ssl_checker2 failed

I configured the location manually and through the UI. It seems a python module is missing, but I cannot find it. I run a fresh install of Splunk 8.1 on a Test System.

splunk@ultra:~/etc/apps/ssl_checker/bin$ python3 ssl_checker3.py cert="/opt/splunk/etc/auth/cacert.pem" b'expires="Jan 28 20:26:54 2027 GMT\n'

cert="/opt/splunk/etc/auth/appsCA.pem" b'expires="Jan 28 12:00:00 2028 GMT\n'

cert="/opt/splunk/etc/auth/appsLicenseCA.pem" b'expires="Mar  8 12:00:00 2023 GMT\n'

cert="/opt/splunk/etc/auth/server.pem" b'expires="Nov  5 12:20:38 2023 GMT\n'

cert="/opt/splunk/etc/auth/splunkweb/cert.pem" b'expires="Nov  5 12:20:40 2023 GMT\n'

 

So if python is installed in the system, we can also use the app on UF. Thats fine! 😉

 

splunk@ultra:~/etc/apps/ssl_checker/bin$ python3 ssl_checker2.py Traceback (most recent call last):

  File "ssl_checker2.py", line 19, in <module>

    import splunk.mining.dcutils as dcu

ModuleNotFoundError: No module named 'splunk'

Okay, the splunk python modules are missing. When I run with the splunk internal python it shows me the following.

splunk@ultra:~/etc/apps/ssl_checker/bin$ /opt/splunk/bin/python3 ssl_checker2.py 'str' object has no attribute 'decode'

The config Files look like this:

splunk@ultra:~/etc/apps/ssl_checker/bin$ cat ../local/ssl.conf

[SSLConfiguration]

disabled = 0

certPaths = /cribl/local/cribl/auth/server.pem

 

splunk@ultra:~/etc/apps/ssl_checker/bin$ cat ../local/inputs.conf

[script://./bin/ssl_checker2.py]

disabled = 0

 

[script://./bin/ssl_checker3.py]

disabled = 0

splunk@ultra:~/etc/apps/ssl_checker/bin$

 

So the problem seems to be with script ”ssl_checker2.py” and the error: “'str' object has no attribute 'decode'”

Do you have an idea, what could go wrong and how we could track that down? Your help would be really appreciated.

Kind Regards

Thilo

Labels (1)
1 Solution

tke_lc_2
Engager

Since there was no reply, we simply added a scripted input to workaround this. It works as expected.

for cert in `grep certPaths /opt/splunkforwarder/etc/apps/ssl_checker/local/ssl.conf | cut -d "=" -f2 | cut -d "," -f 1-10`; do
expiry_date=`/usr/bin/openssl x509 -in $cert -noout -enddate | cut -d"=" -f2`
echo cert=\"$cert\" expires=\"$expiry_date\"
done

 

View solution in original post

Tags (1)
0 Karma

xraycgn
New Member

i changed

- from -

message = 'cert="' + sslPath + '" ' + dates.replace('=','="').replace('\n','"|').replace('|',' ')

- to -

message = 'cert="' + sslPath + '" ' + dates.replace('b\'','').replace('=','="').replace('\\n\'','"')

in ssl_checker3.py for version 4.0.2 to get rid of outputs like:

cert="/opt/splunk/etc/auth/appsCA.pem" b'expires="Jan 28 12:00:00 2028 GMT\n'

 

 

0 Karma

tke_lc_2
Engager

Since there was no reply, we simply added a scripted input to workaround this. It works as expected.

for cert in `grep certPaths /opt/splunkforwarder/etc/apps/ssl_checker/local/ssl.conf | cut -d "=" -f2 | cut -d "," -f 1-10`; do
expiry_date=`/usr/bin/openssl x509 -in $cert -noout -enddate | cut -d"=" -f2`
echo cert=\"$cert\" expires=\"$expiry_date\"
done

 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...