Security

Error installing self signed / ca signed certificates in splunk

zerocool443
Explorer

Following is the error after i update web.conf with certificate and keys i have from a CA authority.

Splunk> CSI: Logfiles.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _xxxxxx
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7. 2.3-06d57c595b80-linux-2.6-x86_64-manifest'
File '/opt/splunk/etc/system/default/web.conf' changed.
Problems were found, please review your files and move customizations to local
All preliminary checks passed.

+++ FIX +++

Issue was fixed by copying certificate files to mycert directory i.e default directory with splunk installation. for my case opt/splunk/etc/auth directory, and use the relative path in config file rather than absolute.

0 Karma
1 Solution

zerocool443
Explorer

Issue fixed by copying files to mycert directory in /splunk/etc/auth directory.

and use the relative path in config file rather than absolute.

For some reason config file parser isn't working as expected for absolute path.

View solution in original post

0 Karma

zerocool443
Explorer

Issue fixed by copying files to mycert directory in /splunk/etc/auth directory.

and use the relative path in config file rather than absolute.

For some reason config file parser isn't working as expected for absolute path.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@zerocool443 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zerocool443
Explorer

Ok i found the issue here :
09-17-2019 12:07:58.979 +0530 ERROR SSLCommon - Can't read certificate file /opt/splunk/ errno=33558530 error:02001002:system library:fopen:No such file or directory
09-17-2019 12:07:58.979 +0530 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

This point that splunk is not able to file the find in directory but the file exists there.

Now after i check splunk documentation, i have given an absolute path instead of relative to $SPLUNK_HOME$.

Any splunk devs for rescue ?

0 Karma

zerocool443
Explorer

Issue fixed by copying files to mycert directory in /splunk/etc/auth directory.

and use the relative path in config file rather than absolute.

0 Karma

zerocool443
Explorer

Checking weservice logs for splunk gives no error.

attaching info messages:

2019-09-17 11:30:53,577 INFO [5d807694a97f935f818050] root:657 - CONFIG: privKeyPath (str):
2019-09-17 11:30:53,579 INFO [5d807694a97f935f818050] root:657 - CONFIG: serverCert (str):
2019-09-17 11:39:46,885 INFO [5d8078a9f27fc6d8154090] root:657 - CONFIG: serverCert (str): $SPLUNK_HOME/etc/auth/splunkweb/mycer.pem
2019-09-17 11:42:24,773 INFO [5d807947cb7f7b3b943090] root:657 - CONFIG: serverCert (str): $SPLUNK_HOME/etc/auth/splunkweb/mycer.pem
2019-09-17 11:47:40,686 INFO [5d807a83be7f4170b84090] root:657 - CONFIG: privKeyPath (str):
2019-09-17 11:47:40,688 INFO [5d807a83be7f4170b84090] root:657 - CONFIG: serverCert (str):

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...