I tried to include my own certificates to encrypt forwarder to indexer communications via an app. However, the forwarder was not able to read the cert from $SPLUNK_HOME/etc/apps/myapp/local. The forwarder would only use the certs if located under $SPLUNK_HOME/etc/certs.
Are SSL certificates one of those items that cannot be bundled in a Splunk app?
You are correct. Those items cannot be in Splunk apps, and must be distributed to $SPLUNK/etc/auth. If you are using deployment server to distribute apps, you must use some other way to distribute the certificates.
We have our certs deployed via an app. In our outputs, we just point to the app path as the cert path and it works fine. Alternatively, you can deploy a script with the cert and move the cert from the app into $SPLUNK_HOME/etc/auth using the script.
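The script approach mentioned in the reply above, as an added example that is not part of the original thread and is not Splunk's own tooling. It assumes a Unix forwarder, a hypothetical app `myapp` that ships its PEM files in a `certs` subdirectory, and a hypothetical destination `etc/auth/myapp`; the copy is private to the account running it and is only rewritten when the file changes.

```shell
#!/bin/sh
# Added example: copy PEM files shipped inside a deployed app into etc/auth.
# Assumed layout (hypothetical): <app>/certs/*.pem -> $SPLUNK_HOME/etc/auth/myapp/

# install_certs SRC_DIR DEST_DIR
# Returns 0 if at least one PEM file is in place, 1 if none was found or a copy failed.
install_certs() {
    src_dir=$1
    dest_dir=$2
    installed=0

    # Files and directories created below are readable only by the owner.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest_dir" || { umask "$old_umask"; return 1; }

    for src in "$src_dir"/*.pem; do
        [ -f "$src" ] || continue
        # Ignore files that carry no PEM header at all.
        grep -q -e '-----BEGIN ' "$src" || continue
        dest="$dest_dir/$(basename "$src")"
        # Already installed and identical: leave it untouched.
        if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
            installed=$((installed + 1))
            continue
        fi
        # Write to a temporary name, then rename, so a reader never sees a partial file.
        tmp="$dest.tmp.$$"
        if cp "$src" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
            installed=$((installed + 1))
        else
            rm -f "$tmp"
            umask "$old_umask"
            return 1
        fi
    done

    umask "$old_umask"
    [ "$installed" -gt 0 ]
}

# Runs only when SPLUNK_HOME is set in the environment.
if [ -n "${SPLUNK_HOME:-}" ]; then
    install_certs "$SPLUNK_HOME/etc/apps/myapp/certs" "$SPLUNK_HOME/etc/auth/myapp"
fi
```

The cert path in the app's outputs configuration then has to point at the destination directory rather than the app directory.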
I can verify I have seen other customers push certs via APPS and then just update the path in a .conf file in that app. You can even reference the certs with ./
I know a place that has been doing this since the 5.x days
I know this is an older post so I understand if my question gets batted to the side. But is there a technical reason as to why you can't have certificates located in an app directory? It just seems like a way more intuitive way to deploy SSL related configurations as opposed to using something like Ansible or GPOs.
Thanks!
Thanks for confirming my suspicion.