
Changing default certificate

Explorer

I am trying to get my own CA cert for my instance of Splunk web.
I followed this:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Getthird-partycertificatesforSplunkWeb
This gives me 4 files in my home dir:
pk.pem : private key,
mycert.pem : My cert as given by CA
chain.pem : CA Root + intermediary
fullchain.pem: I made it as mycert.pem + chain.pem

I verified with openssl that chain.pem and mycert.pem return OK.

Then I went to
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SecureSplunkWebusingasignedcertificate
For "mySplunkWebCertificate.pem" it does not say if that's just mycert or the fullchain.
Which one should it be?
Why are we asked to copy these files into auth/splunkweb while web.conf does not use them?
My web.conf looks like this:
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = [/home/foo/certs/pk.pem]
serverCert = [/home/foo/certs/fullchain.pem]

(read [ ] as <> )
When I restart Splunk it stays stuck on
Waiting for web server at https://127.0.0.1:443 to be available.

0 Karma

Re: Changing default certificate

Path Finder

Are you configuring this on 6.5 or later? The attributes for earlier versions are slightly different, so if you are by any chance working in an earlier version, the attributes above will not work.

For serverCert, I would change the value to your mycert.pem file.

0 Karma

Re: Changing default certificate

Explorer

Yes, I am on 6.5, but if I use mycert, how does Splunk know where the chain certificates are?
Actually I tried all of them; none work.

0 Karma

Re: Changing default certificate

Path Finder

Doh, I'm sorry, you are right. For CA-signed certificates you do need the chain. They need to be in the following order:

[ server certificate]
[ intermediate certificate]
[ root certificate (if required) ]

So maybe the issue is the order in the chain?

I am thinking that if you have
"chain.pem : CA Root + intermediary
fullchain.pem: I made it as mycert.pem + chain.pem"

Then I think this should give you an end result of
[ server certificate]
[ root certificate (if required) ]
[ intermediate certificate]

So you might try troubleshooting by changing that order to the first example to see if it helps. It seems odd that your certs would check out okay but not work, but SplunkWeb cert configs can be surprisingly touchy. (Oh, and also make sure you are using the version of OpenSSL provided with Splunk!)

Hope this is a little more helpful.

Cheers,
jen
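
The ordering described in the reply above can be checked mechanically. This is an added example, not part of the thread or of Splunk's documentation: a POSIX shell function (the name `check_chain_order` is hypothetical) that splits a bundle such as fullchain.pem and confirms each certificate's issuer matches the subject of the certificate after it. The `OPENSSL` override variable is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check that a PEM bundle is ordered
# server cert -> intermediate(s) -> root, by matching each certificate's
# issuer against the subject of the certificate that follows it.
# Assumption: OPENSSL may be overridden to use Splunk's bundled build, e.g.
#   OPENSSL="$SPLUNK_HOME/bin/splunk cmd openssl"
# Usage: check_chain_order /home/foo/certs/fullchain.pem
OPENSSL="${OPENSSL:-openssl}"

check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle"
        rm -rf "$tmp"; return 2
    fi
    rc=0; i=1
    while [ "$i" -le "$count" ]; do
        cur="$tmp/cert$i.pem"
        echo "[$i] $($OPENSSL x509 -in "$cur" -noout -subject)"
        if [ "$i" -lt "$count" ]; then
            # Name hashes are identical when issuer and subject names match.
            issuer=$($OPENSSL x509 -in "$cur" -noout -issuer_hash)
            next=$($OPENSSL x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject_hash)
            if [ "$issuer" != "$next" ]; then
                echo "    out of order: cert $i was not issued by cert $((i + 1))"
                rc=1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"   # 0 = ordered, 1 = out of order, 2 = no certificates
}
```

The function compares names only; it does not verify signatures or validity dates, so it complements `openssl verify` and does not replace it.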


Re: Changing default certificate

Explorer

Could not get it working. However, replacing cert.pem and privkey.pem directly in /opt/splunk/etc/auth/splunkweb with my fullchain.pem and my private key, renamed as the originals, works OK.

0 Karma