When configuring the Illumio TA it is failing to communicate to my Illumio server and errors about the certificate on the Illumio server. The Illumio product is installed with a valid Thwate certificate but Splunk is complaining about it when trying to configure the TA. Any thoughts as to why Splunk does not see the certificate as valid? I have tried loading the Thwate root cert and intermediate on the Splunk host OS, but it is still not working,
The Splunk setup is 6.6.4, running on Windows Server 2012.
2018-05-10 13:40:52,444 - Illumio_Get_Data - ERROR - Error Trace for failed workload request: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676) Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\TA-Illumio\bin\get_data.py", line 97, in get_workload r = requests.get(url +resource.get("orgs", "")+str(rest_help)+ resource.get("workload", ""), headers=headers, verify=cert_path) File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\api.py", line 55, in get return request('get', url, **kwargs) File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\api.py", line 44, in request return session.request(method=method, url=url, **kwargs) File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\sessions.py", line 456, in request resp = self.send(prep, **send_kwargs) File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\sessions.py", line 559, in send r = adapter.send(request, **kwargs) File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\adapters.py", line 382, in send raise SSLError(e, request=request) SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676) 2018-05-10 13:40:52,444 - Illumio_MODINPUT - INFO - Completed execution of threads.
We finally have this working in our environment on TA-Illumio 2.1.0. It was not working on 2.0.1, so I imagine it may not have earlier either.
We had to use the double backslash in the "Custom (self-signed) certificate path":
If you use Firefox to access your Illumio server, you should be able to download the root certificate chain directly
a. Click on the padlock in the url bar
b. Examine the "Secure Connection" and then click "More Information"
c. A dialog box pops open (at leat, on Mac OS-X) and there is a "View Certificate" button
d. Click on View Certificate, click on Details. You will see the certificate chain.
Now, highlight the root cert (at the very top), and then click the "Export" button. This will download the entire root certificate chain in PEM format.
Upload this certificate to your Splunk server in a location that is accessible. Provide the full path to this certificate in the Data Input and save the data input.
This should resolve the issue.
Did you try to upload the Root CA certificate somewhere where Splunk has read permissions and then set this parameter in the input config?
Certificate Path When a self-signed SSL certificate is used with the PCE, its SSL Certificate needs to be uploaded onto Splunk Server and the full path to directory containing the certificate should be provided here.
I uploaded the Root CA cert to the Splunk server and believe read permissions were set. On Windows server what permissions do I need to give the file so Splunk can have read access? The Splunk processes run as local System so I assumed local system was the rights the file needed or am I missing something.
Yeah, that is basically local admin, and should be fine, unless you did something really weird.
Did you set the path to those files in the input settings? Maybe on Windows you need to do something strange, like doubling the
\s, or replacing
/ - nothing I can actually point you to, but all of those have happened to me in the past, so it's worth to give them a try.