Changing default certificate

pdevosceazure
Path Finder

I am trying to get my own CA cert for my instance of Splunk Web.
I followed this:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Getthird-partycertificatesforSplunkWeb
This gives me 4 files in my home dir:
pk.pem: private key
mycert.pem: my cert as given by the CA
chain.pem: CA root + intermediary
fullchain.pem: I made it as mycert.pem + chain.pem

I verified with openssl that chain.pem and mycert.pem return OK.

Then I went to
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SecureSplunkWebusingasignedcertificate
"mySplunkWebCertificate.pem": it does not say if that's just mycert or the fullchain.
Which one should it be?
Why are we asked to copy these files in auth/splunkweb while web.conf does not use them?
My web.conf looks like this:
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = [/home/foo/certs/pk.pem]
serverCert = [/home/foo/certs/fullchain.pem]

(Read [ ] as <>.)
When I restart Splunk it stays stuck on
Waiting for web server at https://127.0.0.1:443 to be available.

0 Karma

jworthington_sp
Splunk Employee

Doh, I'm sorry, you are right. For CA-signed certificates you do need the chain. They need to be in the following order:

[ server certificate]
[ intermediate certificate]
[ root certificate (if required) ]

so maybe the issue is the order in the chain?

I am thinking that if you have
"chain.pem : CA Root + intermediary
fullchain.pem: I made it as mycert.pem + chain.pem"

Then I think this should give you an end result of
[ server certificate]
[ root certificate (if required) ]
[ intermediate certificate]

So you might try troubleshooting by changing that order to the first example to see if it helps. It seems odd that your certs would check out okay but not work, but SplunkWeb cert configs can be surprisingly touchy. (Oh, and also make sure you are using the version of OpenSSL provided with Splunk!)

Hope this is a little more helpful.

Cheers,
jen

pdevosceazure
Path Finder

Could not get it working. However, replacing cert.pem and privkey.pem directly in /opt/splunk/etc/auth/splunkweb with my fullchain.pem and my private key, renamed as the originals, works OK.

0 Karma

jworthington_sp
Splunk Employee

Are you configuring this on 6.5 or later? The attributes for earlier versions are slightly different, so if you are by any chance working in an earlier version, the attributes above will not work.

For serverCert, I would change the value to your mycert.pem file.

0 Karma

pdevosceazure
Path Finder

Yes, I am on 6.5, but if I use mycert, how does Splunk know where the chain certificates are?
Actually, I tried all of them; none work.

0 Karma