Hello, after 2 days of trying hard on this problem, I finally give up and now I am posting it here.
Well, I need to set up my Splunk REST API with my own self-signed certificates. I've already configured the usage of my own self-signed certificates for SplunkWeb, but I'm stuck on the configuration for the REST API 8089 Port.
Here's the problem :
I've already generated my own server certificates thanks to the Splunk docs :
located in /Application/Splunk/etc/auth/myNewCerts
Here's my configuration file server.conf in /Applications/Splunk/etc/system/local
When I run commands to verify the matches between my certs and my keys, they match and when I start Splunk everything looks ok.
But when I check the log file at /Applications/Splunk/var/log/splunk/splunkd.log :
$ tail -f splunkd.log | grep ERR 04-25-2018 16:42:50.272 +0200 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py" ERROR:InstrumentationInit:[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676) 04-25-2018 16:42:52.779 +0200 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/splunk_monitoring_console/bin/dmc_config.py" Socket error communicating with splunkd (error=[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:2768)), path = /services/shcluster/config?output_mode=json openssl version : OpenSSL 1.0.2o 27 Mar 2018 OS version : macOS Sierra Version 10.12.6 (16G29) Python version : Python 2.7.14
Sorry for my bad English, waiting for help.
When i set the option "requireClientCert = false" instead of true, i can connect myself on the 8089 interface (https://localhost:8089) with my own certificate added on my computer. Then when i try to connect to "https://[myip]:8089" with another computer on the same local network, it request a valid certificate that the computer hasnt, so it cant connect
. But the splunkweb interface is still accesible via "https://[myi p]:8000" from any other computer.
I dont know how its works ??
Hi. Why would you try to add a self signed cert... when splunkd already has its own self signed cert....
What are you trying to acces in the splunkd?
If splunkweb is working, splunkd (RestApi) is already working.
I suggest you to see rest Api uri qick-reference.
If you want to acces from browser you need to acces a rest endpoint with rest method available, and tell to the browser to go ahead when promted the self signed cert warning
here an example:
NOTE the https part since there is not an automatic redirec
In order to avoid the request of a valid certificate... in every computer get rid of the self-signed cert and get a trusted SSL certificate, you can create your free trusted cert with Let's Encrypt
Link Above is How-to to secure splunkWeb.... I don´t now how to add it to splunkd... I would like to know ... that's why I got here...