When I try to access the server through 8089 where the Forwarder is installed, I am seeing an invalid certificate.
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
How can I install self certification for port 8089?
Is this a Universal Forwarder or a Heavy Forwarder? If it is a UF, then do you really need to access management port 8089 via browser? In most cases we disable the management port on a UF.
This is for a UF. Usually we don't need to access management port 8089 via browser. I have disabled the HTTP port as well.
But our management wants to have it open and install self generated certificate.
Please suggest.
You need to configure server.conf on the UF with your self generated certificate. If you are using a Deployment Server for UF configuration, then there might be a possibility that once you implement the certificate on the UF, connectivity will break between the UF and the Deployment Server.
server.conf
[sslConfig]
enableSplunkdSSL = true
serverCert = The full path to the PEM format server certificate file. Default certificates
($SPLUNK_HOME/etc/auth/server.pem) are generated by Splunk at start. To secure Splunk,
you should replace the default cert with your own PEM file.
sslPassword = your_password
sslRootCAPath = absolute path to the operating system's root CA (Certificate Authority) PEM
format file containing one or more root CA. Do not configure this attribute on Windows.
I placed the .pem file under C:\Program Files\SplunkUniversalForwarder\etc\auth\
and added the below in server.conf under C:\Program Files\SplunkUniversalForwarder\etc\system\local
[sslConfig]
enableSplunkdSSL = true
serverCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\ufcert.pem
When I try to restart the UF, the service is not starting. It starts and stops quickly.
Is your cert key encrypted? If yes, then you need to configure sslPassword in server.conf.
When I manually try to decrypt, I get the below error:
No bootstrap configuration available for: \etc
Invalid setting for server.conf/[general]/legacyCiphers
Failed to write splunk.secret '\etc\auth\splunk.secret' file. errno=The handle is invalid.
File stat cannot be obtained on \etc\auth\splunk.secret.
Unable to get file status for mod-time on file \etc\auth\splunk.secret
error:00000000:lib(0):func(0):reason(0)
AES-GCM Decryption failed!
Splunkd.log:
08-21-2020 07:37:30.442 -0700 ERROR loader - win-service: Error running pre-flight-checks (_pclose returned 4).
08-21-2020 07:37:30.442 -0700 ERROR loader - win-service: Here is the output from running pre-flight-checks:
08-21-2020 07:37:30.442 -0700 ERROR loader - error:00000000:lib(0):func(0):reason(0)
08-21-2020 07:37:30.442 -0700 ERROR loader - AES-GCM Decryption failed!
08-21-2020 07:37:30.442 -0700 ERROR loader - Decryption operation failed: AES-GCM Decryption failed!
08-21-2020 07:37:30.442 -0700 ERROR loader - The certificate generation script did not generate the expected certificate file:C:\%ProgramFiles%\SplunkUniversalForwarder\etc\auth\ufcert.pem. Splunkd port communication will not work.
08-21-2020 07:37:30.442 -0700 ERROR loader - SSL certificate generation failed.
08-21-2020 07:37:30.442 -0700 ERROR loader - <<<<< EOF (pre-flight-checks)
Decryption operation failed: AES-GCM Decryption failed!
Decryption operation failed: AES-GCM Decryption failed!
I reset the SSL password; now I see only the below error:
The certificate generation script did not generate the expected certificate file:C:\%ProgramFiles%\SplunkUniversalForwarder\etc\auth\ufcert.pem. Splunkd port communication will not work.
08-21-2020 08:13:53.406 -0700 ERROR loader - SSL certificate generation failed.
Looks like a ufcert.pem permission issue; Splunk should not generate that certificate.
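An added example, not part of the thread and not Splunk tooling: a pre-restart check for the points the replies raise about ufcert.pem (does the file hold a certificate and a private key, and is that key encrypted without sslPassword being set). It assumes serverCert is meant to point at a combined PEM bundle containing the certificate and its private key; the function names and sample PEM strings are constructed for illustration, and the %VAR% check only flags the path pattern visible in the splunkd.log line above.

```python
import re

# One PEM block: -----BEGIN <LABEL>----- ... -----END <LABEL>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Count certificate and key blocks; never decodes key material."""
    info = {"certificates": 0, "private_keys": 0, "key_encrypted": False}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            info["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["private_keys"] += 1
            # PKCS#8 marks encryption in the label; traditional OpenSSL
            # keys carry a "Proc-Type: 4,ENCRYPTED" header inside the block.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                info["key_encrypted"] = True
    return info

def findings(server_cert_path, pem_text, ssl_password_set):
    """Problems for one [sslConfig] stanza (hypothetical helper)."""
    info = inspect_pem(pem_text)
    out = []
    if re.search(r"%[^%\\]+%", server_cert_path):
        out.append("serverCert path contains a literal %VAR% token")
    if info["certificates"] == 0:
        out.append("no CERTIFICATE block in serverCert file")
    if info["private_keys"] == 0:
        out.append("no private key block in serverCert file")
    if info["key_encrypted"] and not ssl_password_set:
        out.append("private key is encrypted but sslPassword is not set")
    return out

# Constructed sample bundles; the base64 bodies are placeholders, not real keys.
CERT = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    path = r"C:\Program Files\SplunkUniversalForwarder\etc\auth\ufcert.pem"
    for name, pem, pw in [("cert only", CERT, False),
                          ("encrypted key, no sslPassword", CERT + ENC_KEY, False),
                          ("encrypted key, sslPassword set", CERT + ENC_KEY, True)]:
        print(name, "->", findings(path, pem, pw) or "ok")
```

To check a real file, read it as text and pass the contents as `pem_text` together with the serverCert value from server.conf.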