To start with, I am not good with SSL issues. Second, I inherited this instance of Splunk with no documentation of any kind so I'm reverse engineering everything.
That being said, another team in my company sent me the following notice from Hobbit:

SSL certificate for https://nn.nn.nn.nn:8000/ expires in 9 days
Server certificate:
  subject: /CN=<indexer name>/O=SplunkUser
  start date: 2011-08-09 20:55:35 GMT
  expire date: 2014-08-08 20:55:35 GMT
  key size: 1024
  issuer: /C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=firstname.lastname@example.org
I don't know how they set this up or where they are getting this information. So I get on the server and follow a procedure that I received from Splunk support a while ago to regenerate certs:

If you were using the stock certificates, you can regenerate them with this method:
- to recreate a new splunkweb certificate: delete (or move) the files $SPLUNK_HOME/etc/auth/splunkweb/cert.pem and privkey.pem and restart splunk
- to recreate a new splunkd certificate: delete (or move) the file $SPLUNK_HOME/etc/auth/server.pem and restart splunk
I did this but I'm still seeing the Hobbit message. So I run a grep for "[sslConfig]" to see if I can trace down the issue. What I find is this:

In "etc/system/local/server.conf":

[sslConfig]
sslKeysfilePassword = <secret code>

In "var/run/splunk/merged/server.conf":

[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
enableSplunkdSSL = true
sslKeysfile = server.pem
sslKeysfilePassword = <secret code>
supportSSLV3Only = false
useClientSSLCompression = true
useSplunkdClientSSLCompression = true
I then look at the "$SPLUNK_HOME/etc/auth/cacert.pem" file and see that it is just over 3 years old. But I don't know if this is where my problem is or not.
What I need to know is how I check in Splunk what the status of all my certs is (how old they are, etc.). Regenerating what I need will be another issue.
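One way to answer the "how old are my certs" question from the shell, as an added example that is not from the original post or from Splunk: it runs openssl over the three certificate files named above (cacert.pem, server.pem and splunkweb/cert.pem) and flags any that expire within a chosen number of days. It assumes the openssl CLI is on PATH and that SPLUNK_HOME defaults to /opt/splunk when unset.

```shell
#!/bin/sh
# Report expiry status for the stock Splunk certificates under etc/auth.
# Assumes the openssl CLI is available; SPLUNK_HOME defaults to /opt/splunk.

# check_cert FILE DAYS
# Prints "STATUS notAfter subject FILE". Returns 0 if the certificate is still
# valid for at least DAYS more days, 1 if it expires sooner, 2 if FILE holds no
# certificate (e.g. a bare private key such as splunkweb/privkey.pem).
check_cert() {
    file=$1
    days=$2
    # openssl x509 skips non-certificate PEM blocks, so server.pem (key+cert+CA)
    # yields its first certificate here.
    enddate=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null) || {
        printf 'SKIP     %s (no certificate found)\n' "$file"
        return 2
    }
    subject=$(openssl x509 -in "$file" -noout -subject)
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null; then
        status=OK
        rc=0
    else
        status=EXPIRING
        rc=1
    fi
    printf '%-8s %s %s %s\n' "$status" "${enddate#notAfter=}" "${subject#subject=}" "$file"
    return $rc
}

# scan_auth_dir DIR DAYS
# Checks the certificate files Splunk keeps under etc/auth. Returns the number
# of certificates that expire within DAYS days (0 means everything is fine).
scan_auth_dir() {
    dir=$1
    days=$2
    expiring=0
    for f in "$dir"/cacert.pem "$dir"/server.pem "$dir"/splunkweb/cert.pem; do
        [ -f "$f" ] || continue
        rc=0
        check_cert "$f" "$days" || rc=$?
        if [ "$rc" -eq 1 ]; then
            expiring=$((expiring + 1))
        fi
    done
    return $expiring
}

# Default run: warn on anything expiring within 30 days (override with $1).
scan_auth_dir "${SPLUNK_HOME:-/opt/splunk}/etc/auth" "${1:-30}"
```

The exit status is the count of expiring certificates, so the script can be dropped straight into cron or a Hobbit/Xymon client test.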
I ran the procedure suggested by Splunk support a second time, and it worked. I don't know why. I guess I can blame it on Solar Flares. The message now reads:

SSL certificate for https://nn.nn.nn.nn:8000/ expires in 1095 days
Server certificate:
  subject: /CN=<indexer name>/O=SplunkUser
  start date: 2014-07-31 14:23:43 GMT
  expire date: 2017-07-30 14:23:43 GMT
  key size: 1024
  issuer: /C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=email@example.com
That output is produced from Hobbit, not Splunk. Hobbit is a variant of BigBrother. I just realized the date on your question. Well I hope this helps anyway. 😄