Solved: How to make the https splunk web load with self-si...

LinghGroove · ‎02-09-2023

Hello everybody, can you please tell where i am making errors? I can't make the https splunk web load with my self signed certificate.

I have a test environment, one Splunk Server where i have executed the following steps:

mkdir $SPLUNK_HOME/etc/auth/mycerts
cd $SPLUNK_HOME/etc/auth/mycerts

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out CAPK.key 2048 # Root CA private key
$SPLUNK_HOME/bin/splunk cmd openssl req -new -key CAPK.key -out CACSR.csr # Root CA signing request
# a this point in the Common Name i have tried putting everything, hostname, private ip, localhost, ecc but i doesn't seem to make any difference
$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in CACSR.csr -sha512 -signkey CAPK.key -CAcreateserial -out CACE.pem -days 1095 # my CA certificate

$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out DEPPK.key 2048 # i have configured the same password for both keys but i doesn't seem to be the problem
$SPLUNK_HOME/bin/splunk cmd openssl req -new -key DEPPK.key -out DEPCSR.csr # for the Common Name value i have tried the same things for the CA
$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in DEPCSR.csr -SHA256 -CA CACE.pem -CAkey CAPK.key -CAcreateserial -out DEPCE.pem -days 1095

cat DEPCE.pem DEPPK.key CACE.pem > DEPCEchain.pem

# in the /opt/splunk/etc/system/local/web.conf i have written: 
[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/mycerts/DEPPK.key
serverCert = /opt/splunk/etc/auth/mycerts/DEPCEchain.pem
startwebserver = 1
httpport = 8000

# to see if the connection to the server is going well i use  
openssl s_client -connect 192.168.1.11:8000
# OR
 openssl s_client -connect 127.0.0.1:8000
# and it says CONNECTED(00000003) unfortunatly if i try to navigate splunk web on https it doesn't load
# i have tried putting the certificates inside /opt/splunk/etc/auth/splunkweb and then colling them in web.conf but nothing happens
# this is what is written inside server.conf:

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/CertificateAuthorityCertificate.pem
sslPassword = $7$7OQ1bcyW5b53gGJ/us2ExVKxerWlcolKjoS1j7pZ05QpmNmIUt7NQw==

I don't know what to try next, i can't find a solution, no matter what i try it won't load on splunk web.

Maybe it can help saying that i call https://192.168.1.11:8000/ on the browser. Even tried putting sslPassword inside web.conf with the key password but nothing changed.

LinghGroove · ‎02-13-2023

Pretty dumb mistake. I have removed my root CA in the server.conf and I edited the password back to the default value "password".

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/CertificateAuthorityCertificate.pem
sslPassword = $7$7OQ1bcyW5b53gGJ/us2ExVKxerWlcolKjoS1j7pZ05QpmNmIUt7NQw==

In the web.conf i was forgetting to put the certificate password so i just added:

sslPassword = myselfsignedpassword

It works.

View solution in original post

LinghGroove · ‎02-13-2023

Pretty dumb mistake. I have removed my root CA in the server.conf and I edited the password back to the default value "password".

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/CertificateAuthorityCertificate.pem
sslPassword = $7$7OQ1bcyW5b53gGJ/us2ExVKxerWlcolKjoS1j7pZ05QpmNmIUt7NQw==

In the web.conf i was forgetting to put the certificate password so i just added:

sslPassword = myselfsignedpassword

It works.

How to make the https splunk web load with self-signed certificate?

authentication

encryption

login

permissions

SSL

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?