"Splunk Add-on for Tenable": How can I resolve basic SSL connection failure throwing error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed"?

MarkSplunker
Explorer

Following the instructions to "Troubleshoot the Splunk Add-on for Tenable" at https://docs.splunk.com/Documentation/AddOns/released/Nessus/Troubleshoot I copied the PEM file from Firefox (with its default .crt extension) over to $SPLUNK_HOME/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/ and renamed it to cacerts.txt. I'm still getting the same error. One of the forums suggested exporting from Firefox 'with chain', so I tried that as well and it failed. Restarting Splunk each time still did not fix the problem. This is a single standalone Splunk installation. Any thoughts? Thanks.

nickhills
Ultra Champion

It's worth checking what Firefox thinks of the cert state.

If the cert is self-signed, then exporting the cert and chain should do the job for you. However, if the certificate on SC has expired then you will need a date-valid cert first, and then export the cert.

If my comment helps, please give it a thumbs up!
0 Karma

MarkSplunker
Explorer

Hi, Nick*.

Thanks for responding. Firefox thinks it's ok. That's where I started: connecting to SC, then exporting the chain. The directions implied that I simply copy the file into the proper directory and rename it, but if they mean something other than that please let me know.

0 Karma

nickhills
Ultra Champion

If you have just upgraded from 5.1.1 to 5.1.2, the certificate behaviour has changed, and whilst you 'can' do this, this does not mean that it's a good idea.

In 5.1.1 you would get a warning message in tenable:sc:log advising you that the cert (chain) is not valid.
In 5.1.2 this is a hard stop, and collection will not occur.

To restore the 5.1.1 functionality

edit (create) $SPLUNK_HOME/Splunk_TA_nessus/local/nessus.conf and add:

[tenable_sc_settings]
disable_ssl_certificate_validation = 1

restart your heavy forwarder.

If my comment helps, please give it a thumbs up!

jim_mulder_CI
Explorer

I'm having trouble with this on a fresh install of 5.1.2, too. We run our own RootCA, and I've tried adding the root and intermediate (and certificate) to no avail. Tried creating the nessus.conf file, but still get a cert warning and no data.

Anybody have other ideas?

0 Karma

jim_mulder_CI
Explorer

Never mind. Stupid hidden file extensions on Windows...

0 Karma

nagendra0911
New Member

Hi all, I tried all the steps above but the same SSL certificate error is still present. My Security Center version is 5.6.1.

0 Karma

thambisetty
Super Champion

@nagendra0911,
Try adding the below to inputs.conf in the local folder:
disable_ssl_certificate_validation = true

————————————
If this helps, give a like below.
0 Karma

MarkSplunker
Explorer

Hello again Nick*.

I tried your second approach and it is working. Thanks so much!
BTW, on Windows, the path for nessus.conf is C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\local\nessus.conf.

I haven't sniffed the wire yet to see if traffic is NOT encrypted as a result of this tweak, but will check tomorrow. Thanks again.

0 Karma

nickhills
Ultra Champion

It will still be SSL traffic, but Splunk will just ignore the certificate trust warning, and proceed as if the cert was verified as valid.

If my comment helps, please give it a thumbs up!
0 Karma
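
An added example, not part of any post in this thread and not Splunk's or Tenable's code: a pre-flight check for the CA bundle approach from the original question, for use before falling back to disabling certificate validation. It checks that the file is PEM rather than binary DER, that every block is a CERTIFICATE with a decodable body, and that no look-alike name with an extra extension sits beside it, the kind of problem a later reply attributes to hidden file extensions on Windows. The function names and messages are hypothetical, the directory is whichever one the add-on reads its bundle from, and the check is structural only (it does not verify expiry dates or the chain).

```python
import base64
import re
from pathlib import Path

# One PEM block: BEGIN line, Base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def check_bundle_bytes(data):
    """Return a list of structural problems found in a CA bundle's bytes."""
    if data[:1] == b"\x30":  # raw DER starts with an ASN.1 SEQUENCE tag
        return ["file is binary DER, not PEM; re-export as PEM (Base64)"]
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM")
    blocks = PEM_BLOCK.findall(data)
    certs = [body for label, body in blocks if label == b"CERTIFICATE"]
    for label, _ in blocks:
        if label != b"CERTIFICATE":
            problems.append("unexpected PEM block type: " + label.decode())
    if not certs:
        problems.append("no CERTIFICATE blocks found")
    for i, body in enumerate(certs, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {i}: body is not valid Base64")
            continue
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
            problems.append(f"certificate {i}: decoded data is not DER")
    return problems


def check_bundle_dir(directory, expected="cacerts.txt"):
    """Check the bundle directory, including names with a trailing extension."""
    directory = Path(directory)
    problems = []
    for p in sorted(directory.glob(expected + ".*")):  # e.g. cacerts.txt.crt
        problems.append(f"{p.name}: extra extension, rename to {expected}")
    target = directory / expected
    if not target.is_file():
        problems.append(f"{expected} not found")
    else:
        problems += check_bundle_bytes(target.read_bytes())
    return problems
```

An empty list means the bundle is structurally sound; the same `check_bundle_dir` call with `expected="nessus.conf"` catches a `nessus.conf.txt` left in the add-on's local folder.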