Certificate

venkateshparank
Path Finder

When I try to access the server through 8089 where the Forwarder is installed, I am seeing an invalid certificate.

"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

How can I install a self-generated certificate for port 8089?

0 Karma

harsmarvania57
SplunkTrust

Is this a Universal Forwarder or a Heavy Forwarder? If it is a UF, do you really need to access management port 8089 via a browser? In most cases we disable the management port on the UF.

0 Karma

venkateshparank
Path Finder

This is for a UF. Usually we don't need to access management port 8089 via a browser. I have disabled the HTTP port as well.

But our management wants to have it open and install a self-generated certificate.

Please suggest.

0 Karma

harsmarvania57
SplunkTrust

You need to configure server.conf on the UF with your self-generated certificate. If you are using a Deployment Server for UF configuration, there is a possibility that once you implement the certificate on the UF, connectivity will break between the UF and the Deployment Server.

server.conf

[sslConfig]
enableSplunkdSSL = true
serverCert = The full path to the PEM format server certificate file. Default certificates ($SPLUNK_HOME/etc/auth/server.pem) are generated by Splunk at start. To secure Splunk, you should replace the default cert with your own PEM file.
sslPassword = your_password
sslRootCAPath = absolute path to the operating system's root CA (Certificate Authority) PEM format file containing one or more root CA. Do not configure this attribute on Windows.

0 Karma

venkateshparank
Path Finder

I placed the .pem file under C:\Program Files\SplunkUniversalForwarder\etc\auth\

and added the below in server.conf under C:\Program Files\SplunkUniversalForwarder\etc\system\local

[sslConfig]
enableSplunkdSSL = true
serverCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\ufcert.pem

 

When I try to restart the UF, the service is not starting. It starts and stops quickly.

0 Karma

harsmarvania57
SplunkTrust

Is your cert key encrypted? If yes, then you need to configure sslPassword in server.conf.

0 Karma

venkateshparank
Path Finder

When I manually try to decrypt, I get the error below:

No bootstrap configuration available for: \etc
Invalid setting for server.conf/[general]/legacyCiphers
Failed to write splunk.secret '\etc\auth\splunk.secret' file. errno=The handle is invalid.
File stat cannot be obtained on \etc\auth\splunk.secret.
Unable to get file status for mod-time on file \etc\auth\splunk.secret
error:00000000:lib(0):func(0):reason(0)
AES-GCM Decryption failed!

 

Splunkd.log:

08-21-2020 07:37:30.442 -0700 ERROR loader - win-service: Error running pre-flight-checks (_pclose returned 4).
08-21-2020 07:37:30.442 -0700 ERROR loader - win-service: Here is the output from running pre-flight-checks:
08-21-2020 07:37:30.442 -0700 ERROR loader - error:00000000:lib(0):func(0):reason(0)
08-21-2020 07:37:30.442 -0700 ERROR loader - AES-GCM Decryption failed!
08-21-2020 07:37:30.442 -0700 ERROR loader - Decryption operation failed: AES-GCM Decryption failed!
08-21-2020 07:37:30.442 -0700 ERROR loader - The certificate generation script did not generate the expected certificate file:C:\%ProgramFiles%\SplunkUniversalForwarder\etc\auth\ufcert.pem. Splunkd port communication will not work.
08-21-2020 07:37:30.442 -0700 ERROR loader - SSL certificate generation failed.
08-21-2020 07:37:30.442 -0700 ERROR loader - <<<<< EOF (pre-flight-checks)
Decryption operation failed: AES-GCM Decryption failed!
Decryption operation failed: AES-GCM Decryption failed!

0 Karma

venkateshparank
Path Finder

I reset the SSL password; now I see only the error below:

The certificate generation script did not generate the expected certificate file:C:\%ProgramFiles%\SplunkUniversalForwarder\etc\auth\ufcert.pem. Splunkd port communication will not work.
08-21-2020 08:13:53.406 -0700 ERROR loader - SSL certificate generation failed.

0 Karma

harsmarvania57
SplunkTrust

Looks like a ufcert.pem permission issue; Splunk should not generate that certificate.

0 Karma
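
An added example, not part of the thread and not Splunk's own tooling: a check to run before restarting the forwarder, covering the two conditions raised above (what the file named by serverCert contains, and whether sslPassword is set when the key is encrypted). It assumes the serverCert PEM must hold the private key alongside the certificate; the function names and sample inputs are constructed for illustration.

```python
import configparser
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample: the [sslConfig] stanza posted in the thread (no sslPassword).
SAMPLE_CONF = r"""[sslConfig]
enableSplunkdSSL = true
serverCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\ufcert.pem
"""
# Constructed sample PEM with placeholder bodies, not real key material.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

def inspect_pem(pem_text):
    """Count certificate and key blocks and note whether a key is encrypted."""
    info = {"certs": 0, "keys": 0, "encrypted_key": False}
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            info["certs"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["keys"] += 1
            # PKCS#8 has its own label; traditional OpenSSL keys carry a Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                info["encrypted_key"] = True
    return info

def check_ssl_config(conf_text, pem_text):
    """Return the problems found in an [sslConfig] stanza and the PEM it names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    ssl = cp["sslConfig"] if cp.has_section("sslConfig") else {}
    pem, problems = inspect_pem(pem_text), []
    if not ssl.get("serverCert"):
        problems.append("serverCert is not set")
    if pem["certs"] == 0:
        problems.append("PEM has no CERTIFICATE block")
    if pem["keys"] == 0:
        problems.append("PEM has no private key block")
    if pem["encrypted_key"] and not ssl.get("sslPassword"):
        problems.append("private key is encrypted but sslPassword is not set")
    return problems
```

To check a real forwarder, pass the text of etc\system\local\server.conf and of the PEM file it names to `check_ssl_config`; an empty list means none of these conditions was found.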