Getting Data In

secure splunk web with signed certificate

MAShawky
Explorer

I generate Key & csr files from my splunk machine
then got the signed certificate from .pem & root , sub certificates , i put them in on single file in order

-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----

also configured web.conf to be like below

[settings]
enableSplunkWebSSL = true
privKeyPath = C:\Program Files\Splunk\etc\auth\mycerts\mySplunkWebPrivateKey.key
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\mySplunkWebCert.pem

but after trying to restart splunk service
am waiting much time in starting web server process more than 10 min and i have to revert back my configuration to can access splunk GUI again
anyone can help ?

Tags (1)
0 Karma

hardikJsheth
Motivator

Can you confirm that you have put all the certificates in your .pem file?

Also can you check what error are you getting in Splunkd.log when you start your Splunk with this configurations?

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Are you having the intermediate certificate?!?!

Troubleshoot your Splunk Web authentication
If you are unable to verify your certificate configuration, you can use the web_service.log in $SPLUNK_HOME/var/log/splunk to view and troubleshoot any errors that occur upon restart.

Look for SSL configuration warnings. For example, if you provide an incorrect path to the server certificate declared in serverCert, Splunk Web fails to start and the following error appears:

2010-12-21 16:25:02,804 ERROR [4d11455df3182e6710] root:442 - [Errno 2] No such file or directory: '/opt/splunk/share/splunk/mycerts/mySplunkWebCertificate.pem'
Note: If the private key is provided in privKeyPath is password protected, no error is provided but your browser won't load Splunk Web.

https://docs.splunk.com/Documentation/Splunk/7.0.0/Security/TroubleshootyourSplunkWebauthentication

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

MAShawky
Explorer

no warning in this file related to the certificate

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Are you having the intermediate certificate?!?!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

MAShawky
Explorer

yes I have ca-root & ca-subcertificate & webserver certificate

0 Karma

koshyk
Super Champion

when you start Splunk, did it show error or just showing Splunk web starting?

Ensure,

privKeyPath
caCertPath
serverCert

are all reflected in btool output of web.conf

0 Karma

MAShawky
Explorer

which path can i write in CAcert as i have only one .pem file ?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...