All Apps and Add-ons

Why am I now getting "SSL configuration issue: invalid CA public key file" from Splunk Supporting Add-on for Active Directory after upgrading ?

scottrunyon
Contributor

After upgrading from Splunk Enterprise 6.4.3 to 6.5.0, the ldapsearch in Splunk Supporting Add-on for Active Directory (2.1.3) is now getting the error - "SSL configuration issue: invalid CA public key file". Searches worked before the upgrade.

1 Solution

jmaple
Communicator

This is likely due to the way that Splunk changed the SSL key-value pairs in version 6.5.0. Did you update your local server.conf and ssl.conf configurations with the new SSL stanzas?

sslRootCAPath = 
* Full path to the operating system's root CA (Certificate Authority)
  certificate store.
* The  must refer to a PEM format file containing one or more root CA
  certificates concatenated together.
* Required for Common Criteria.
* NOTE: Splunk plans to submit Splunk Enterprise for Common Criteria
  evaluation. Splunk does not support using the product in Common
  Criteria mode until it has been certified by NIAP. See the "Securing
  Splunk Enterprise" manual for information on the status of Common
  Criteria certification.
* This setting is not used on Windows.
* Default is unset.'

caCertFile = 
'* DEPRECATED; use 'sslRootCAPath' instead.
* Used only if 'sslRootCAPath' is unset.
* File name (relative to 'caPath') of the CA (Certificate Authority)
  certificate PEM format file containing one or more certificates concatenated
  together.
* Default is cacert.pem.'

View solution in original post

reswob4
Builder

I fixed this by turning off the SSL connection to the Domain Controller.

My next task is to figure out what changed with the DC certificate and get that updated.

I have Splunk Supporting Add-on for Active Directory 2.1.3, but I found the answer in the docs for version 1.2.2

From http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/ConfiguretheSA-ldapsearchsupport...

Whether or not SA-ldapsearch should attempt to connect to the GC server using Secure Sockets Layer (SSL). Set to true to connect with SSL and false to connect without SSL.

Important: If you specify true for this attribute, then the GC server you specify must have a valid SSL certificate installed. For additional information, review "How to enable LDAP over SSL with a third-party certification authority" (http://support.microsoft.com/kb/321051) and "How to troubleshoot LDAP over SSL connection problems" (http://support.microsoft.com/kb/938703) on Microsoft's support site. Defaults to false.
0 Karma

reswob4
Builder

I'm glad that solution worked for you. Unfortunately, it did not work for me.

The docs for the add-on (http://docs.splunk.com/Documentation/SA-LdapSearch/2.1.3/User/ConfiguretheSplunkSupportingAdd-onforA...) say ssl.conf should be in $SPLUNK_HOME/etc/apps/SA-ldapsearch/local.

So here is the ssl.conf file I created:

[sslconfig]
sslVersions = tls
caCertFile=/opt/splunk/etc/auth/cacert.pem

I then re-enabled SSL to the DC.

But after I restarted Splunk, with the ssl.conf in the $SPLUNK_HOME/etc/apps/SA-ldapsearch/local folder, I get the original error. If I put ssl.conf in the location suggested by tech support, I get the following errors on restart:

Invalid key in stanza [sslconfig] in /opt/splunk/etc/system/local/ssl.conf, line 2: sslVersions  (value:  tls).
Invalid key in stanza [sslconfig] in /opt/splunk/etc/system/local/ssl.conf, line 3: caCertFile (value: /opt/splunk/etc/auth/cacert.pem).

AND I still get the original error.

So I guess I'm going to have to open my own ticket.

0 Karma

aliakseidzianis
Path Finder

Don't put a full path on the CertFile. This worked for me:

[sslConfig]
sslVersions = tls
caCertFile = cacert.pem

FYI: support also said that it is there by default in v2.1.4 of the SA-ldapsearch app. So if it does not work for you, you may try upgrading.

0 Karma

jreuter_splunk
Splunk Employee
Splunk Employee

sslConfig is case sensitive.

0 Karma

memarshall63
Communicator

My situation with this error:

I had established my own certs (including a CACert.pem file) and placed them in a folder:

/opt/splunk/etc/auth/my_certs

... and everything worked fine, except for ldap-search it was complaining of an 'invalid CA public key file'

in the SA-ldapsearch/default folder is the file ssl.conf with an entry:

[sslConfig]

sslVersions = tls

caCertFile = cacert.pm

 

Well.. because my CA cert was named "CACert.pem" -- the add-on couldn't find it.

I copied my CACert.pem to 'cacert.pem' -- and everything worked well again.

 


@jreuter_splunk wrote:

sslConfig is case sensitive.


Indeed it is.   

 

Good luck.

 

 

0 Karma

jmaple
Communicator

This is likely due to the way that Splunk changed the SSL key-value pairs in version 6.5.0. Did you update your local server.conf and ssl.conf configurations with the new SSL stanzas?

sslRootCAPath = 
* Full path to the operating system's root CA (Certificate Authority)
  certificate store.
* The  must refer to a PEM format file containing one or more root CA
  certificates concatenated together.
* Required for Common Criteria.
* NOTE: Splunk plans to submit Splunk Enterprise for Common Criteria
  evaluation. Splunk does not support using the product in Common
  Criteria mode until it has been certified by NIAP. See the "Securing
  Splunk Enterprise" manual for information on the status of Common
  Criteria certification.
* This setting is not used on Windows.
* Default is unset.'

caCertFile = 
'* DEPRECATED; use 'sslRootCAPath' instead.
* Used only if 'sslRootCAPath' is unset.
* File name (relative to 'caPath') of the CA (Certificate Authority)
  certificate PEM format file containing one or more certificates concatenated
  together.
* Default is cacert.pem.'

scottrunyon
Contributor

I am running on Windows Server, is this still valid?

0 Karma

jmaple
Communicator

Because the documentation doesn't give a Windows alternative, I believe it's your best bet to give a try and see if it gets fixed. Otherwise I'd open a ticket with Splunk support.

0 Karma

scottrunyon
Contributor

I opened a ticket with with support. To resolve my issue i added a ssl.conf to \etc\system\local.

ssl.conf contained -

[sslConfig]

sslVersions = tls
caCertFile = E:\Splunk\etc\auth\cacert.pem

Note - entire path was needed to get it to see the cert.

dewald13
Path Finder

This also worked for me...just added the below in the local ssl.conf;

caCertFile = E:\Splunk\etc\auth\cacert.pem

0 Karma

ttchorz
Path Finder

This also helped me solving the issue.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...