Monitoring Splunk

Updated server.conf cert, fixed 8088 TLS, but broke web gui

New Member

We needed to install a vendor-signed cert so that we could stream info to Splunk into an HTTP Event Collector.

So I made a CSR with openssl, got a vendor cert, copied the private key+public cert+intermediate+root into a server.pem file, and added that and the password into server.conf.

sslPassword = xxxxx
serverCert = /opt/splunk/etc/auth/server.pem
enableSplunkdSSL = true
-ca was already there, I just left it.

sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

Restarted.

The Splunk HTTP Event Collector port was functional and had no errors starting up. We were able to verify that the cert appeared to be installed correctly. openssl s_client -connect localhost:8088 returned the cert no problem. Our streaming service was able to connect and got a 200 OK back from Splunk.

However, now the web gui is broken. The user/pass prompt screen comes up, but after you log in, it gives you a 500 error. Even in --debug mode, none of the logs in var/log/splunk say anything about the 500 error.

What might be the issue here? Does web.conf need to use the same cert I put into server.conf? Does the server.conf cert need to be trusted in a keystore somewhere?

thanks.

0 Karma

New Member

I figured it out. Well, at least one way to make it work.

Instead of editing server.conf, I added an http section in inputs.conf. That worked to secure the HEC without breaking the web gui.

inputs.conf
[http]
disabled = 0
index = main
enableSSL = 1
sslPassword = xxxxxx
serverCert = my-full-pem-chain.pem

0 Karma
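Added example, not part of the original posts: a structural check for a combined PEM file such as the server.pem or my-full-pem-chain.pem described above, listing the blocks in file order and flagging an encrypted key (which is what makes sslPassword necessary). The function names and the sample bundle are constructed for illustration, and the one-private-key rule is an assumption about a server bundle.

```python
import base64
import re

# One PEM block: BEGIN line, optional header lines, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_bundle(text):
    """Return (blocks, problems); blocks is [(label, encrypted)] in file order."""
    blocks, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Traditional OpenSSL keys mark encryption with "Proc-Type: 4,ENCRYPTED".
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or any("ENCRYPTED" in h for h in headers))
        blocks.append((label, encrypted))
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unterminated or mismatched BEGIN/END markers")
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:  # assumption: a server bundle carries exactly one key
        problems.append(f"expected 1 private key, found {len(keys)}")
    if not any(b[0] == "CERTIFICATE" for b in blocks):
        problems.append("no CERTIFICATE block found")
    return blocks, problems

def pem_block(label, headers=""):
    # Constructed placeholder payload, not real key or certificate material.
    b64 = base64.b64encode(b"placeholder").decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

# Constructed sample in the order the post describes: key, cert, intermediate, root.
SAMPLE = (pem_block("RSA PRIVATE KEY",
                    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
          + pem_block("CERTIFICATE") * 3)

if __name__ == "__main__":
    blocks, problems = inspect_bundle(SAMPLE)
    for i, (label, enc) in enumerate(blocks, 1):
        note = " (encrypted: sslPassword required)" if enc else ""
        print(f"{i}. {label}{note}")
    for p in problems:
        print("PROBLEM:", p)
```

This checks structure only; it does not confirm that the key matches the leaf certificate or that the chain validates.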

SplunkTrust

Great, you can accept your own answer so that it will be helpful for other community members in the future.

0 Karma

SplunkTrust

Hi,

You need to provide your vendor intermediate and root cert in a separate .pem file like externalCA.pem and point to that cert in the sslRootCAPath parameter in server.conf.

0 Karma

Motivator

Hey @jwhitene,

You can refer to this answer:
https://answers.splunk.com/answers/170065/why-am-i-getting-the-following-error-logging-into.html

Let me know if this helps!!

0 Karma