After upgrading from Splunk Enterprise 6.4.3 to 6.5.0, the ldapsearch in Splunk Supporting Add-on for Active Directory (2.1.3) is now getting the error - "SSL configuration issue: invalid CA public key file". Searches worked before the upgrade.
This is likely due to the way that Splunk changed the SSL key-value pairs in version 6.5.0. Did you update your local server.conf and ssl.conf configurations with the new SSL stanzas?
sslRootCAPath = <path>
* Full path to the operating system's root CA (Certificate Authority)
  certificate store.
* The <path> must refer to a PEM format file containing one or more root CA
  certificates concatenated together.
* Required for Common Criteria.
* NOTE: Splunk plans to submit Splunk Enterprise for Common Criteria
  evaluation. Splunk does not support using the product in Common
  Criteria mode until it has been certified by NIAP. See the "Securing
  Splunk Enterprise" manual for information on the status of Common
  Criteria certification.
* This setting is not used on Windows.
* Default is unset.
caCertFile = <filename>
* DEPRECATED; use 'sslRootCAPath' instead.
* Used only if 'sslRootCAPath' is unset.
* File name (relative to 'caPath') of the CA (Certificate Authority)
  certificate PEM format file containing one or more certificates concatenated
  together.
* Default is cacert.pem.
I fixed this by turning off the SSL connection to the Domain Controller.
My next task is to figure out what changed with the DC certificate and get that updated.
I have Splunk Supporting Add-on for Active Directory 2.1.3, but I found the answer in the docs for version 1.2.2
Whether or not SA-ldapsearch should attempt to connect to the GC server using Secure Sockets Layer (SSL). Set to true to connect with SSL and false to connect without SSL.
Important: If you specify true for this attribute, then the GC server you specify must have a valid SSL certificate installed. For additional information, review "How to enable LDAP over SSL with a third-party certification authority" (http://support.microsoft.com/kb/321051) and "How to troubleshoot LDAP over SSL connection problems" (http://support.microsoft.com/kb/938703) on Microsoft's support site. Defaults to false.
I'm glad that solution worked for you. Unfortunately, it did not work for me.
The docs for the add-on (http://docs.splunk.com/Documentation/SA-LdapSearch/2.1.3/User/ConfiguretheSplunkSupportingAdd-onforA...) say ssl.conf should be in $SPLUNK_HOME/etc/apps/SA-ldapsearch/local.
So here is the ssl.conf file I created:
[sslconfig]
sslVersions = tls
caCertFile=/opt/splunk/etc/auth/cacert.pem
I then re-enabled SSL to the DC.
But after I restarted Splunk, with the ssl.conf in the $SPLUNK_HOME/etc/apps/SA-ldapsearch/local folder, I get the original error. If I put ssl.conf in the location suggested by tech support, I get the following errors on restart:
Invalid key in stanza [sslconfig] in /opt/splunk/etc/system/local/ssl.conf, line 2: sslVersions (value: tls).
Invalid key in stanza [sslconfig] in /opt/splunk/etc/system/local/ssl.conf, line 3: caCertFile (value: /opt/splunk/etc/auth/cacert.pem).
AND I still get the original error.
So I guess I'm going to have to open my own ticket.
Don't put a full path on the CertFile. This worked for me:
[sslConfig]
sslVersions = tls
caCertFile = cacert.pem
FYI: support also said that it is there by default in v2.1.4 of the SA-ldapsearch app. So if it does not work for you, you may try upgrading.
sslConfig is case sensitive.
My situation with this error:
I had established my own certs (including a CACert.pem file) and placed them in a folder:
/opt/splunk/etc/auth/my_certs
... and everything worked fine, except for ldap-search it was complaining of an 'invalid CA public key file'
In the SA-ldapsearch/default folder is the file ssl.conf with an entry:
[sslConfig]
sslVersions = tls
caCertFile = cacert.pem
Well.. because my CA cert was named "CACert.pem" -- the add-on couldn't find it.
I copied my CACert.pem to 'cacert.pem' -- and everything worked well again.
@jreuter_splunk wrote: sslConfig is case sensitive.
Indeed it is.
Good luck.
I am running on Windows Server, is this still valid?
Because the documentation doesn't give a Windows alternative, I believe it's your best bet to give it a try and see if it gets fixed. Otherwise I'd open a ticket with Splunk support.
I opened a ticket with support. To resolve my issue I added a ssl.conf to \etc\system\local.
ssl.conf contained -
[sslConfig]
sslVersions = tls
caCertFile = E:\Splunk\etc\auth\cacert.pem
Note - entire path was needed to get it to see the cert.
This also worked for me...just added the below in the local ssl.conf;
caCertFile = E:\Splunk\etc\auth\cacert.pem
This also helped me solve the issue.
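The three causes reported in this thread (stanza name case, CA file name case, and relative versus full path) can be checked before restarting Splunk. The following is an added example, not part of any post and not the add-on's own code; `check_ssl_conf` and `auth_dir` are hypothetical names, `auth_dir` stands in for 'caPath' when `caCertFile` is a relative name, and the check looks only for PEM armour, not certificate validity.

```python
import configparser
import os
import re
import tempfile

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def check_ssl_conf(conf_text, auth_dir):
    """Return findings for an ssl.conf; relative caCertFile names are looked up in auth_dir (assumed)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str                      # keep key case exactly as written
    cp.read_string(conf_text)
    findings = []
    section = "sslConfig"
    if not cp.has_section(section):           # stanza names are case sensitive
        near = [s for s in cp.sections() if s.lower() == "sslconfig"]
        if not near:
            return ["no [sslConfig] stanza"]
        section = near[0]
        findings.append(f"stanza [{section}] should be spelled [sslConfig]")
    value = cp.get(section, "caCertFile", fallback=None)
    if value is None:
        return findings + ["caCertFile is not set"]
    path = value if os.path.isabs(value) else os.path.join(auth_dir, value)
    folder, name = os.path.split(path)
    names = os.listdir(folder) if os.path.isdir(folder) else []
    if name not in names:                     # exact-case match, even on case-insensitive file systems
        alike = [n for n in names if n.lower() == name.lower()]
        hint = f" (found {alike[0]})" if alike else ""
        return findings + [f"{name} not found in {folder}{hint}"]
    with open(path, encoding="ascii", errors="replace") as fh:
        if not PEM_CERT.search(fh.read()):
            findings.append(f"{name} contains no PEM certificate block")
    return findings

def demo():
    """Run three configurations like those in the thread against a constructed auth directory."""
    auth = tempfile.mkdtemp()
    # Constructed placeholder: PEM armour only, not a real certificate.
    pem = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    with open(os.path.join(auth, "CACert.pem"), "w") as fh:
        fh.write(pem)
    lower = "[sslconfig]\nsslVersions = tls\ncaCertFile = CACert.pem\n"
    wrong_name = "[sslConfig]\nsslVersions = tls\ncaCertFile = cacert.pem\n"
    good = "[sslConfig]\nsslVersions = tls\ncaCertFile = " + os.path.join(auth, "CACert.pem") + "\n"
    return [check_ssl_conf(c, auth) for c in (lower, wrong_name, good)]

if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```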