Why am I now getting "SSL configuration issue: invalid CA public key file" from Splunk Supporting Add-on for Active Directory after upgrading?

Contributor

After upgrading from Splunk Enterprise 6.4.3 to 6.5.0, the ldapsearch in Splunk Supporting Add-on for Active Directory (2.1.3) is now getting the error - "SSL configuration issue: invalid CA public key file". Searches worked before the upgrade.

Builder

I fixed this by turning off the SSL connection to the Domain Controller.

My next task is to figure out what changed with the DC certificate and get that updated.

I have Splunk Supporting Add-on for Active Directory 2.1.3, but I found the answer in the docs for version 1.2.2.

From http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/ConfiguretheSA-ldapsearchsupport...

Whether or not SA-ldapsearch should attempt to connect to the GC server using Secure Sockets Layer (SSL). Set to true to connect with SSL and false to connect without SSL.

Important: If you specify true for this attribute, then the GC server you specify must have a valid SSL certificate installed. For additional information, review "How to enable LDAP over SSL with a third-party certification authority" (http://support.microsoft.com/kb/321051) and "How to troubleshoot LDAP over SSL connection problems" (http://support.microsoft.com/kb/938703) on Microsoft's support site. Defaults to false.

Builder

I'm glad that solution worked for you. Unfortunately, it did not work for me.

The docs for the add-on (http://docs.splunk.com/Documentation/SA-LdapSearch/2.1.3/User/ConfiguretheSplunkSupportingAdd-onforA...) say ssl.conf should be in $SPLUNK_HOME/etc/apps/SA-ldapsearch/local.

So here is the ssl.conf file I created:

[sslconfig]
sslVersions = tls
caCertFile=/opt/splunk/etc/auth/cacert.pem

I then re-enabled SSL to the DC.

But after I restarted Splunk, with the ssl.conf in the $SPLUNK_HOME/etc/apps/SA-ldapsearch/local folder, I get the original error. If I put ssl.conf in the location suggested by tech support, I get the following errors on restart:

Invalid key in stanza [sslconfig] in /opt/splunk/etc/system/local/ssl.conf, line 2: sslVersions  (value:  tls).
Invalid key in stanza [sslconfig] in /opt/splunk/etc/system/local/ssl.conf, line 3: caCertFile (value: /opt/splunk/etc/auth/cacert.pem).

AND I still get the original error.

So I guess I'm going to have to open my own ticket.

Path Finder

Don't put a full path on the CertFile. This worked for me:

[sslConfig]
sslVersions = tls
caCertFile = cacert.pem

FYI: support also said that it is there by default in v2.1.4 of the SA-ldapsearch app. So if it does not work for you, you may try upgrading.

Splunk Employee

sslConfig is case sensitive.

Communicator

This is likely due to the way that Splunk changed the SSL key-value pairs in version 6.5.0. Did you update your local server.conf and ssl.conf configurations with the new SSL stanzas?

sslRootCAPath = <path>
* Full path to the operating system's root CA (Certificate Authority)
  certificate store.
* The <path> must refer to a PEM format file containing one or more root CA
  certificates concatenated together.
* Required for Common Criteria.
* NOTE: Splunk plans to submit Splunk Enterprise for Common Criteria
  evaluation. Splunk does not support using the product in Common
  Criteria mode until it has been certified by NIAP. See the "Securing
  Splunk Enterprise" manual for information on the status of Common
  Criteria certification.
* This setting is not used on Windows.
* Default is unset.

caCertFile = <filename>
* DEPRECATED; use 'sslRootCAPath' instead.
* Used only if 'sslRootCAPath' is unset.
* File name (relative to 'caPath') of the CA (Certificate Authority)
  certificate PEM format file containing one or more certificates concatenated
  together.
* Default is cacert.pem.

Contributor

I am running on Windows Server, is this still valid?

Communicator

Because the documentation doesn't give a Windows alternative, I believe it's your best bet to give it a try and see if it gets fixed. Otherwise I'd open a ticket with Splunk support.

Contributor

I opened a ticket with support. To resolve my issue I added an ssl.conf to \etc\system\local.

ssl.conf contained -

[sslConfig]

sslVersions = tls
caCertFile = E:\Splunk\etc\auth\cacert.pem

Note - entire path was needed to get it to see the cert.

Path Finder

This also worked for me...just added the below in the local ssl.conf;

caCertFile = E:\Splunk\etc\auth\cacert.pem

Path Finder

This also helped me solve the issue.

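Added example, not part of any post in this thread and not Splunk's own code: a small Python check for the two failure points discussed above, the case-sensitive [sslConfig] stanza name and a CA setting that points at a missing or non-PEM file. The function names and the ca_path parameter (the directory a bare file name is resolved against) are assumptions, and the PEM check is structural only, not a certificate validation.

```python
import base64
import configparser
import re
from pathlib import Path

# Constructed sample: the lowercase stanza name posted earlier in the thread.
SAMPLE_CONF = "[sslconfig]\nsslVersions = tls\ncaCertFile = cacert.pem\n"
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def count_pem_certs(text):
    """Count CERTIFICATE blocks with a non-empty, valid base64 body."""
    count = 0
    for body in PEM_CERT.findall(text):
        try:
            if base64.b64decode("".join(body.split()), validate=True):
                count += 1
        except ValueError:
            pass  # not base64: a damaged or mis-encoded block
    return count


def lint_ssl_conf(conf_text, ca_path):
    """Return findings for ssl.conf text; ca_path resolves bare file names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(conf_text)
    findings = [f"stanza [{s}] should be [sslConfig]" for s in cp.sections()
                if s != "sslConfig" and s.lower() == "sslconfig"]
    if not cp.has_section("sslConfig"):
        return findings + ["no [sslConfig] stanza"]
    stanza = cp["sslConfig"]
    # Per the quoted spec, caCertFile is used only if sslRootCAPath is unset.
    key = "sslRootCAPath" if stanza.get("sslRootCAPath") else "caCertFile"
    value = stanza.get(key, "cacert.pem")  # spec default for caCertFile
    # Absolute-path detection follows the host OS this script runs on.
    ca_file = Path(value) if Path(value).is_absolute() else Path(ca_path) / value
    if not ca_file.is_file():
        findings.append(f"{key}: {ca_file} not found")
    elif count_pem_certs(ca_file.read_text(errors="replace")) == 0:
        findings.append(f"{key}: {ca_file} has no PEM certificate")
    return findings


if __name__ == "__main__":
    for finding in lint_ssl_conf(SAMPLE_CONF, "."):
        print(finding)
```

An empty list from lint_ssl_conf means the stanza name and CA file passed these structural checks; it does not prove the certificate chain matches the one the domain controller presents.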