SSL configuration causing Mongo issues

sparrowe
Explorer

Hello,

I was hoping for some additional thoughts. After I updated my Search Head to use custom certs, I started getting the following error:

ERROR IntrospectionGenerator:resource_usage -  MongoDriver - mongoc: Cannot find certificate in ''

Running Splunk 7.2.3 on Linux

/opt/splunk/bin/splunk btool server list sslConfig
[sslConfig]
allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/mycacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
requireClientCert = false
sendStrictTransportSecurityHeader = false
serverCert = /opt/splunk/etc/auth/mycerts/.pem
sslPassword = 
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myca.pem
sslVersions = tls1.2
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true

esalesapns2
Communicator

I was getting this error due to an omission in my certificate. The certificate's "Subject" has no "O=", "OU=", or "DC=" specified. The default certificate created by Splunk uses "O=SplunkUser". Since mine was created with HashiCorp Vault, I don't see a way to get it to add one of those in addition to the "CN=" in the Subject, so I guess I won't be able to use Vault-generated certificates for my kvstore.

0 Karma

Andrew_Callan
Explorer

Are you running this on a STIG-ed machine by any chance?

0 Karma

jsmithn
Path Finder

Having the same problem and yes, on a STIG-ed machine. The error started when enabling FIPS mode, including a new SSL certificate (generated w/FIPS enabled and using the "splunk cmd openssl" commands). Any recommendations?

0 Karma

jsmithn
Path Finder

For my issue I discovered I needed to create a [kvstore] stanza in server.conf for FIPS to work.

[kvstore]
caCertFile = path
serverCert = path
sslPassword = password

Andrew_Callan
Explorer

@jsmithn has it right; this is what I had to do to fix it also.

harsmarvania57
Ultra Champion

Hi,

While looking at your configuration, it looks like the .pem file name is incorrect for serverCert.

It should be like this:
serverCert = /opt/splunk/etc/auth/mycerts/yourcert.pem

Also sslPassword = is blank, you need to provide your cert key password.

0 Karma

sparrowe
Explorer

Thanks for your thoughts.

I apologize, I was unclear. I purposefully omitted my serverCert name when I pasted the configs. I also changed my real password to the word password surrounded by carets, but it seems the XML on this form removed that.

SSL is working properly for sending and receiving data properly using my custom cert. I'm just not sure what I did to kill mongo DB.

0 Karma

harsmarvania57
Ultra Champion

I did the below configuration in my lab environment and it is working fine (Splunk 7.2.6).

server.conf

[sslConfig]
sslPassword = $7$blablabla==
serverCert = /opt/splunk/etc/auth/mycert/server_combined.pem
sslRootCAPath = /opt/splunk/etc/auth/mycert/CAcert.pem

In server_combined.pem, the below key and certs are present in the given order:

1.) server cert pem
2.) server cert key
3.) CA cert pem

0 Karma
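
The file order described in the post above (server cert, key, CA cert) can be checked before restarting Splunk. This is an added example, not code from the thread or from Splunk: the function names and sample blocks are constructed for illustration, and accepting more than one CA certificate after the key is an assumption that generalizes the three-item list.

```python
import re

# PEM armor lines such as "-----BEGIN RSA PRIVATE KEY-----".
ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def pem_block_kinds(text):
    """Return 'cert', 'key' or 'other' for each PEM block, in file order."""
    kinds, open_label = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ARMOR.match(line.strip())
        if not m:
            continue  # base64 body or surrounding text
        marker, label = m.groups()
        if marker == "BEGIN":
            if open_label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside open {open_label} block")
            open_label = label
            continue
        if label != open_label:
            raise ValueError(f"line {lineno}: END {label} does not close {open_label}")
        is_key = label.endswith("PRIVATE KEY")
        kinds.append("cert" if label == "CERTIFICATE" else "key" if is_key else "other")
        open_label = None
    if open_label is not None:
        raise ValueError(f"unterminated {open_label} block")
    return kinds

def check_combined_order(text):
    """Return problems found; an empty list means cert, key, CA cert(s) in that order."""
    kinds = pem_block_kinds(text)
    problems = []
    if kinds.count("key") != 1:
        problems.append(f"expected exactly 1 private key, found {kinds.count('key')}")
    if kinds[:2] != ["cert", "key"]:
        problems.append(f"must start with server cert then its key, got {kinds[:2]}")
    if len(kinds) < 3 or any(k != "cert" for k in kinds[2:]):
        problems.append(f"expected only CA cert(s) after the key, got {kinds[2:]}")
    return problems

def sample_block(label):
    # Constructed placeholder body, not real certificate or key material.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

GOOD = sample_block("CERTIFICATE") + sample_block("RSA PRIVATE KEY") + sample_block("CERTIFICATE")
KEY_FIRST = sample_block("RSA PRIVATE KEY") + sample_block("CERTIFICATE") + sample_block("CERTIFICATE")

if __name__ == "__main__":
    for name, pem in (("GOOD", GOOD), ("KEY_FIRST", KEY_FIRST)):
        print(name, check_combined_order(pem) or "order OK")
```

The check looks only at block order and armor balance; it does not confirm that the key belongs to the first certificate or that the chain validates.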