I was hoping for some additional thoughts. After I updated my Search Head to use custom certs, I started getting the following error:
ERROR IntrospectionGenerator:resource_usage - MongoDriver - mongoc: Cannot find certificate in ''
Running Splunk 7.2.3 on Linux
/opt/splunk/bin/splunk btool server list sslConfig
[sslConfig]
allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/mycacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
requireClientCert = false
sendStrictTransportSecurityHeader = false
serverCert = /opt/splunk/etc/auth/mycerts/.pem
sslPassword =
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myca.pem
sslVersions = tls1.2
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true
I was getting this error due to an omission in my certificate. The certificate's "Subject" has no "O=", "OU=", or "DC=" specified. The default certificate created by Splunk uses "O=SplunkUser". Since mine was created with HashiCorp Vault, I don't see a way to get it to add one of those in addition to the "CN=" in the Subject, so I guess I won't be able to use Vault-generated certificates for my kvstore.
Having the same problem and yes, on a STIG-ed machine. The error started when enabling FIPS mode, including a new SSL certificate (generated w/FIPS enabled and using the "splunk cmd openssl" commands). Any recommendations?
For my issue I discovered I needed to create a [kvstore] stanza in server.conf for FIPS to work.
caCertFile = path
serverCert = path
sslPassword = password
While looking at your configuration, it looks like .pem file name is incorrect for
It should be like this
serverCert = /opt/splunk/etc/auth/mycerts/yourcert.pem
sslPassword = is blank, you need to provide your cert key password.
Thanks for your thoughts.
I apologize, I was unclear. I purposefully omitted my serverCert name when I pasted the configs. I also changed my real password to the word password surrounded by carets, but it seems the XML on this form removed that.
SSL is working properly for sending and receiving data properly using my custom cert. I'm just not sure what I did to kill MongoDB.
I used the configuration below in my lab environment and it is working fine (Splunk 7.2.6):
[sslConfig]
sslPassword = $7$blablabla==
serverCert = /opt/splunk/etc/auth/mycert/server_combined.pem
sslRootCAPath = /opt/splunk/etc/auth/mycert/CAcert.pem
In server_combined.pem, the key and certs below are present in the given order:
1.) server cert pem
2.) server cert key
3.) CA cert pem
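
An added example, not part of any post in this thread: a small Python check that a combined PEM follows the order listed in the last post (server cert, key, CA cert) and reports whether the key is encrypted, in which case sslPassword has to carry the key password. The function names, result keys and sample blocks (placeholder bytes, not real certificates or keys) are constructed for illustration.

```python
import base64
import re

# Order given in the last post: server cert, its private key, CA cert.
EXPECTED = ["CERTIFICATE", "PRIVATE KEY", "CERTIFICATE"]
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, encrypted, der_ok) for each PEM block, in file order."""
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy encrypted keys carry headers such as "Proc-Type: 4,ENCRYPTED".
        headers = [ln for ln in lines if ":" in ln]
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers)
        try:
            der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
            # Certs and keys are DER SEQUENCEs; a legacy-encrypted body is ciphertext.
            der_ok = bool(der) and (bool(headers) or der[:1] == b"\x30")
        except ValueError:  # binascii.Error: bad base64 characters or padding
            der_ok = False
        yield label, encrypted, der_ok


def check_combined_pem(text):
    """Compare a combined PEM against EXPECTED and flag an encrypted key."""
    blocks = list(pem_blocks(text))
    kinds = ["PRIVATE KEY" if lbl.endswith("PRIVATE KEY") else lbl for lbl, _, _ in blocks]
    return {
        "order_ok": kinds == EXPECTED,
        "kinds": kinds,
        "needs_sslPassword": any(enc for _, enc, _ in blocks),
        "damaged": [lbl for lbl, _, ok in blocks if not ok],
    }


def _pem(label, der, header=""):
    """Build a constructed PEM block (placeholder bytes, not a real cert or key)."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, header, b64, label)


# Constructed samples: a minimal DER SEQUENCE stands in for real material.
STUB = b"\x30\x03\x02\x01\x01"
CERT = _pem("CERTIFICATE", STUB)
GOOD = CERT + _pem("RSA PRIVATE KEY", STUB, "Proc-Type: 4,ENCRYPTED\n\n") + CERT
BAD = _pem("RSA PRIVATE KEY", STUB) + CERT + CERT
for sample in (GOOD, BAD) if __name__ == "__main__" else ():
    print(check_combined_pem(sample))
```

To check a real file, pass its contents, for example check_combined_pem(open(path).read()) with the path from serverCert.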