Splunk Addon SSL Certificate Checker / non-splunk certs

tke_lc_2
Engager

Dear Michael (@jkat54),

we successfully use your Splunk Addon SSL Certificate Checker Version 4.0.2 with the internal Splunk Certificates. Thank you for sharing.

Now we had the idea to also check some external certificates, meaning certs on the same server that are not Splunk certs.

Unfortunately I don’t get this up and running.

I tried to run the commands manually (see results below).

ssl_checker3 worked

ssl_checker2 failed

I configured the location manually and through the UI. It seems a python module is missing, but I cannot find it. I run a fresh install of Splunk 8.1 on a Test System.

splunk@ultra:~/etc/apps/ssl_checker/bin$ python3 ssl_checker3.py
cert="/opt/splunk/etc/auth/cacert.pem" b'expires="Jan 28 20:26:54 2027 GMT\n'
cert="/opt/splunk/etc/auth/appsCA.pem" b'expires="Jan 28 12:00:00 2028 GMT\n'
cert="/opt/splunk/etc/auth/appsLicenseCA.pem" b'expires="Mar  8 12:00:00 2023 GMT\n'
cert="/opt/splunk/etc/auth/server.pem" b'expires="Nov  5 12:20:38 2023 GMT\n'
cert="/opt/splunk/etc/auth/splunkweb/cert.pem" b'expires="Nov  5 12:20:40 2023 GMT\n'

 

So if python is installed on the system, we can also use the app on UF. That's fine! 😉

 

splunk@ultra:~/etc/apps/ssl_checker/bin$ python3 ssl_checker2.py
Traceback (most recent call last):
  File "ssl_checker2.py", line 19, in <module>
    import splunk.mining.dcutils as dcu
ModuleNotFoundError: No module named 'splunk'

Okay, the splunk python modules are missing. When I run with the splunk internal python it shows me the following.

splunk@ultra:~/etc/apps/ssl_checker/bin$ /opt/splunk/bin/python3 ssl_checker2.py
'str' object has no attribute 'decode'

The config files look like this:

splunk@ultra:~/etc/apps/ssl_checker/bin$ cat ../local/ssl.conf
[SSLConfiguration]
disabled = 0
certPaths = /cribl/local/cribl/auth/server.pem

splunk@ultra:~/etc/apps/ssl_checker/bin$ cat ../local/inputs.conf
[script://./bin/ssl_checker2.py]
disabled = 0

[script://./bin/ssl_checker3.py]
disabled = 0
splunk@ultra:~/etc/apps/ssl_checker/bin$

 

So the problem seems to be with the script "ssl_checker2.py" and the error: "'str' object has no attribute 'decode'"

Do you have an idea what could go wrong and how we could track that down? Your help would be really appreciated.

Kind Regards

Thilo


tke_lc_2
Engager

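Since there was no reply, we simply added a scripted input to work around this. It works as expected.

# Read up to 10 comma-separated paths from certPaths in ssl.conf; tr turns the commas into word separators
for cert in $(grep certPaths /opt/splunkforwarder/etc/apps/ssl_checker/local/ssl.conf | cut -d "=" -f2 | cut -d "," -f 1-10 | tr ',' ' '); do
    # -enddate prints notAfter=<date>; keep only the date part
    expiry_date=$(/usr/bin/openssl x509 -in "$cert" -noout -enddate | cut -d "=" -f2)
    echo "cert=\"$cert\" expires=\"$expiry_date\""
done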

 


xraycgn
New Member

I changed

- from -

message = 'cert="' + sslPath + '" ' + dates.replace('=','="').replace('\n','"|').replace('|',' ')

- to -

message = 'cert="' + sslPath + '" ' + dates.replace('b\'','').replace('=','="').replace('\\n\'','"')

in ssl_checker3.py for version 4.0.2 to get rid of outputs like:

cert="/opt/splunk/etc/auth/appsCA.pem" b'expires="Jan 28 12:00:00 2028 GMT\n'

 

 

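The `b'expires="...\n'` output and the `'str' object has no attribute 'decode'` error in this thread are both consistent with Python 2 era code meeting Python 3's split between bytes and str. The sketch below is an added example, not code from the add-on or from any poster: `to_text`, `format_event` and `days_left` are hypothetical names, the sample input is constructed, and it assumes the add-on passes `str()` of the bytes returned by its openssl call into the formatting line quoted above.

```python
from datetime import datetime, timezone

# Constructed sample: bytes as a Python 3 subprocess call would return them.
# Assumption: the add-on has already renamed openssl's "notAfter" to "expires".
SAMPLE = b"expires=Jan 28 12:00:00 2028 GMT\n"
PATH = "/opt/splunk/etc/auth/appsCA.pem"


def original_format(ssl_path, dates):
    """The formatting line quoted in the thread, unchanged apart from naming."""
    return ('cert="' + ssl_path + '" '
            + dates.replace('=', '="').replace('\n', '"|').replace('|', ' '))


def to_text(raw):
    """Accept bytes or str. On Python 3 a str has no .decode(), and
    str(bytes) yields the literal b'...' text, so branch on the type."""
    if isinstance(raw, (bytes, bytearray)):
        return bytes(raw).decode("utf-8", errors="replace")
    return raw


def format_event(ssl_path, raw, now=None):
    """Emit cert/expires plus days_left (days_left is an addition made here)."""
    text = to_text(raw).strip()
    key, sep, value = text.partition("=")
    if not sep or not value:
        raise ValueError("unexpected date line: %r" % text)
    # A space in the format matches one or more spaces, so "Mar  8" parses
    expires = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return 'cert="%s" expires="%s" days_left=%d' % (
        ssl_path, value, (expires - now).days)


if __name__ == "__main__":
    print(original_format(PATH, str(SAMPLE)))      # reproduces the b'...' output
    print(original_format(PATH, to_text(SAMPLE)))  # same line, decoded input
    print(format_event(PATH, SAMPLE))
```

Decoding once at the point where the subprocess output is read keeps the key="value" pairs clean for Splunk's field extraction without stripping `b'` after the fact.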
