Following the instructions to "Troubleshoot the Splunk Add-on for Tenable" at https://docs.splunk.com/Documentation/AddOns/released/Nessus/Troubleshoot I copied the PEM file from Firefox (with its default .crt extension) over to $SPLUNK_HOME/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/ and renamed it to cacerts.txt. I'm still getting the same error. One of the forums suggested exporting from Firefox 'with chain', so I tried that as well and it failed. Restarting Splunk each time still did not fix the problem. This is a single standalone Splunk installation. Any thoughts? Thanks.
If you have just upgraded from 5.1.1 to 5.1.2, the certificate behaviour has changed, and whilst you 'can' do this, this does not mean that it's a good idea.
In 5.1.1 you would get a warning message in tenable:sc:log advising you that the cert (chain) is not valid.
In 5.1.2 this is a hard stop, and collection will not occur.
To restore the 5.1.1 functionality, edit (create) $SPLUNK_HOME/Splunk_TA_nessus/local/nessus.conf and add:
[tenable_sc_settings]
disable_ssl_certificate_validation = 1
Restart your heavy forwarder.
It's worth checking what Firefox thinks of the cert state.
If the cert is self-signed, then exporting the cert and chain should do the job for you. However, if the certificate on SC has expired, then you will need a date-valid cert first, and then export the cert.
Hi, Nick*.
Thanks for responding. Firefox thinks it's ok. That's where I started: connecting to SC, then exporting the chain. The directions implied that I simply copy the file into the proper directory and rename it, but if they mean something other than that please let me know.
I'm having trouble with this on a fresh install of 5.1.2, too. We run our own RootCA, and I've tried adding the root and intermediate (and certificate) to no avail. Tried creating the nessus.conf file, but still get a cert warning and no data.
Anybody have other ideas?
Nevermind. Stupid hidden file extensions on Windows...
Hi all, I tried all the above steps but the same SSL certificate error is still present. My Security Center version is 5.6.1.
@nagendra0911,
Try adding the below to inputs.conf in the local folder.
disable_ssl_certificate_validation = true
Hello again Nick*.
I tried your second approach and it is working. Thanks so much!
BTW, on Windows, the path for nessus.conf is C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\local\nessus.conf.
I haven't sniffed the wire yet to see if traffic is NOT encrypted as a result of this tweak, but will check tomorrow. Thanks again.
It will still be SSL traffic, but Splunk will just ignore the certificate trust warning, and proceed as if the cert was verified as valid.