We needed to install a vendor-signed cert so that we could stream info to Splunk into an HTTP Event Collector.
So I made a CSR with openssl, got a vendor cert, copied the private key+public cert+intermediate+root into a server.pem file, and added that and the password into server.conf.
sslPassword = xxxxx
serverCert = /opt/splunk/etc/auth/server.pem
enableSplunkdSSL = true
-ca was already there, I just left it.
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
Restarted.
The Splunk HTTP Event Collector port was functional and had no errors starting up. We were able to verify that the cert appeared to be installed correctly. openssl s_client -connect localhost:8088 returned the cert no problem. Our streaming service was able to connect and get a 200 OK back from Splunk.
However, now the web GUI is broken. The user/pass prompt screen comes up, but after you log in, it gives you a 500 error. Even in --debug mode, none of the logs in var/log/splunk say anything about the 500 error.
What might be the issue here? Does web.conf need to use the same cert I put into server.conf? Does the server.conf cert need to be trusted in a keystore somewhere?
thanks.
I figured it out. Well, at least one way to make it work.
Instead of editing server.conf, I added an http section in inputs.conf. That worked to secure the HEC without breaking the web GUI.
inputs.conf
[http]
disabled = 0
index = main
enableSSL = 1
sslPassword = xxxxxx
serverCert = my-full-pem-chain.pem
Great, you can accept your own answer so that it will be helpful for other community members in the future.
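An added example, not part of the thread: a structural check for a combined PEM file such as the server.pem / my-full-pem-chain.pem described above. It lists the blocks in file order and flags a missing or encrypted key; the function names and sample bodies are constructed for illustration, and it does not verify signatures or chain trust.

```python
import re

# One PEM block: BEGIN label, body (optional headers + base64), matching END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_bundle(pem_text):
    """List the blocks of a PEM bundle in file order and note structural gaps."""
    order, findings = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            order.append("cert")
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 marks encryption in the label, legacy keys in a header.
            encrypted = (label == "ENCRYPTED PRIVATE KEY"
                         or "Proc-Type: 4,ENCRYPTED" in body)
            order.append("key(encrypted)" if encrypted else "key")
        else:
            order.append("other:" + label)
    keys = [k for k in order if k.startswith("key")]
    certs = order.count("cert")
    if not keys:
        findings.append("no private key in bundle")
    if len(keys) > 1:
        findings.append("more than one private key in bundle")
    if "key(encrypted)" in keys:
        findings.append("private key is encrypted: sslPassword must match it")
    if certs == 0:
        findings.append("no certificate in bundle")
    elif certs == 1:
        findings.append("single certificate: no intermediate or root included")
    return {"order": order, "findings": findings}

def make_block(label, headers=""):
    # Constructed placeholder body, not real key or certificate material.
    return f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed sample in the order the question describes: key, cert, intermediate, root.
SAMPLE = (make_block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
          + make_block("CERTIFICATE") * 3)

if __name__ == "__main__":
    print(inspect_bundle(SAMPLE))
```

To check a real file, pass its contents: `inspect_bundle(open(path).read())`.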
Hi,
You need to provide your vendor intermediate and root cert in a separate .pem file like externalCA.pem and point to that cert in the sslRootCAPath parameter in server.conf.
Hey @jwhitene,
You can refer to this answer:
https://answers.splunk.com/answers/170065/why-am-i-getting-the-following-error-logging-into.html
Let me know if this helps!!