Hello,
I was hoping for some additional thoughts. After I updated my Search Head to use custom certs, I started getting the following error:
ERROR IntrospectionGenerator:resource_usage - MongoDriver - mongoc: Cannot find certificate in ''
Running Splunk 7.2.3 on Linux
/opt/splunk/bin/splunk btool server list sslConfig
[sslConfig]
allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/mycacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
requireClientCert = false
sendStrictTransportSecurityHeader = false
serverCert = /opt/splunk/etc/auth/mycerts/.pem
sslPassword =
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myca.pem
sslVersions = tls1.2
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true
I was getting this error due to an omission in my certificate. The certificate's "Subject" has no "O=", "OU=", or "DC=" specified. The default certificate created by Splunk uses "O=SplunkUser". Since mine was created with HashiCorp Vault, I don't see a way to get it to add one of those in addition to the "CN=" in the Subject, so I guess I won't be able to use Vault-generated certificates for my kvstore.
Are you running this on a STIG-ed machine by any chance?
Having the same problem and yes, on a STIG-ed machine. The error started when enabling FIPS mode, including a new SSL certificate (generated w/FIPS enabled and using the "splunk cmd openssl" commands). Any recommendations?
For my issue I discovered I needed to create a [kvstore] stanza in server.conf for FIPS to work.
[kvstore]
caCertFile = path
serverCert = path
sslPassword = password
@jsmithn has it right, this is what I had to do to fix it also.
Hi,
While looking at your configuration, it looks like the .pem file name is incorrect for serverCert.
It should be like this:
serverCert = /opt/splunk/etc/auth/mycerts/yourcert.pem
Also, sslPassword = is blank; you need to provide your cert key password.
Thanks for your thoughts.
I apologize that I was unclear. I purposefully omitted my serverCert name when I pasted the configuration. I also changed my real password to the word password surrounded by carets, but it seems the XML on this form removed that.
SSL is working properly for sending and receiving data using my custom cert. I'm just not sure what I did to kill MongoDB.
I used the configuration below in my lab environment and it is working fine (Splunk 7.2.6).
server.conf
[sslConfig]
sslPassword = $7$blablabla==
serverCert = /opt/splunk/etc/auth/mycert/server_combined.pem
sslRootCAPath = /opt/splunk/etc/auth/mycert/CAcert.pem
In server_combined.pem, the key and certs below are present in the given order:
1.) server cert pem
2.) server cert key
3.) CA cert pem
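As an added example (not from any poster in this thread and not Splunk's own code), this Python script checks a combined PEM file against the order listed in the last post and flags an encrypted private key when sslPassword is empty. It inspects PEM labels only, so it cannot tell a server cert from a CA cert; the function names and the sample blocks are constructed for illustration.

```python
import base64
import re
# One PEM block: BEGIN label, optional legacy headers, base64 body, END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_bundle(text):
    """Return [(kind, encrypted)] for each PEM block, in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        # Legacy encrypted keys put "Proc-Type: 4,ENCRYPTED" before the base64.
        headers = [l for l in lines if ":" in l]
        b64 = "".join(l for l in lines if ":" not in l)
        base64.b64decode(b64, validate=True)  # raises on a garbled block
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or any("ENCRYPTED" in h for h in headers))
        kind = "key" if label in KEY_LABELS else (
            "cert" if label == "CERTIFICATE" else label)
        blocks.append((kind, encrypted))
    return blocks


def check_order(text, ssl_password_set):
    """List problems with a bundle laid out as cert, key, CA cert(s)."""
    blocks = parse_bundle(text)
    kinds = [k for k, _ in blocks]
    problems = []
    if (len(kinds) < 3 or kinds[:2] != ["cert", "key"]
            or any(k != "cert" for k in kinds[2:])):
        problems.append("expected cert, key, CA cert(s); found: "
                        + ", ".join(kinds or ["nothing"]))
    if any(enc for _, enc in blocks) and not ssl_password_set:
        problems.append("private key is encrypted but sslPassword is empty")
    return problems


def sample_block(label, headers=""):
    # Constructed placeholder body, not a real certificate or key.
    body = base64.b64encode(b"constructed " + label.encode()).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    swapped = sample_block("PRIVATE KEY") + sample_block("CERTIFICATE") * 2
    print(check_order(swapped, ssl_password_set=True))
```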