Security

Install SSL certificate on Splunk Index cluster master web

Nilesh3110
Explorer

I need to install SSL certificate on splunk Index cluster master web. I created the csr and key on the server and got the certificate from the CA. the certificate provided is in .CRT format. I then got the .PEM format using the below.

cat server_name.csr server_name.key ca_provided_certificate.com.crt > certificate.com.pem

Have updated the web.config file in the local with the below settings .

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.com.pem
    

After saving, when i try restarting the splunk . It stucks starting the web with the below error

Waiting for web server at https://10.0.1.1:8000 to be available...

can someone please help

0 Karma
1 Solution

nickhills
Ultra Champion

Is the provate key encrypted with a password?

Commonly you would set all three of these parameters:

privKeyPath = <path>
* The path to the file containing the web server SSL certificate private key.
* A relative path is interpreted relative to $SPLUNK_HOME and may not refer
  outside of $SPLUNK_HOME (e.g., no ../somewhere).
* You can also specify an absolute path to an external key.
* See also 'enableSplunkWebSSL' and 'serverCert'.
* No default.

serverCert = <path>
* Full path to the Privacy Enhanced Mail (PEM) format Splunk web server certificate file.
* The file may also contain root and intermediate certificates, if required.
  They should be listed sequentially in the order:
    [ Server SSL certificate ]
    [ One or more intermediate certificates, if required ]
    [ Root certificate, if required ]
* See also 'enableSplunkWebSSL' and 'privKeyPath'.
* Default: $SPLUNK_HOME/etc/auth/splunkweb/cert.pem

sslPassword = <password>
* Password that protects the private key specified by 'privKeyPath'.
* If encrypted private key is used, do not enable client-authentication
  on splunkd server. In [sslConfig] stanza of server.conf,
  'requireClientCert' must be 'false'.
* Optional.
* Default: The unencrypted private key.

servercert should contain the certificate issued for your server, followed by any intermediates. You should leave the private key in a seperate file. It should also NOT contain the csr.
You may need to convert the crt file to pem, in which case use this command:

openssl x509 -in ca_provided_certificate.com.cr -out certificate.pem

This means your config should look similar to the following

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem
    
privKeyPath =/application/splunk/etc/auth/splunkweb/server_name.key
sslPassword = your PrivateKey  password
If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

Is the provate key encrypted with a password?

Commonly you would set all three of these parameters:

privKeyPath = <path>
* The path to the file containing the web server SSL certificate private key.
* A relative path is interpreted relative to $SPLUNK_HOME and may not refer
  outside of $SPLUNK_HOME (e.g., no ../somewhere).
* You can also specify an absolute path to an external key.
* See also 'enableSplunkWebSSL' and 'serverCert'.
* No default.

serverCert = <path>
* Full path to the Privacy Enhanced Mail (PEM) format Splunk web server certificate file.
* The file may also contain root and intermediate certificates, if required.
  They should be listed sequentially in the order:
    [ Server SSL certificate ]
    [ One or more intermediate certificates, if required ]
    [ Root certificate, if required ]
* See also 'enableSplunkWebSSL' and 'privKeyPath'.
* Default: $SPLUNK_HOME/etc/auth/splunkweb/cert.pem

sslPassword = <password>
* Password that protects the private key specified by 'privKeyPath'.
* If encrypted private key is used, do not enable client-authentication
  on splunkd server. In [sslConfig] stanza of server.conf,
  'requireClientCert' must be 'false'.
* Optional.
* Default: The unencrypted private key.

servercert should contain the certificate issued for your server, followed by any intermediates. You should leave the private key in a seperate file. It should also NOT contain the csr.
You may need to convert the crt file to pem, in which case use this command:

openssl x509 -in ca_provided_certificate.com.cr -out certificate.pem

This means your config should look similar to the following

[settings]
enableSplunkWebSSL = true
serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem
    
privKeyPath =/application/splunk/etc/auth/splunkweb/server_name.key
sslPassword = your PrivateKey  password
If my comment helps, please give it a thumbs up!

swaroopbr
Engager

No Private key password was not provided.

  1. After using this command
    openssl x509 -in ca_provided_certificate.com.cr -out certificate.pem

  2. Mentioned the below setting in>>/application/splunk/etc/system/local/web.conf
    [settings]
    enableSplunkWebSSL = true
    serverCert = /application/splunk/etc/auth/splunkweb/certificate.pem


    privKeyPath =/application/splunk/etc/auth/splunkweb/server_name.key

  3. Then, I restarted the Splunk Service.

The issue was fixed.

Thank you for your help nickhillscpl

0 Karma

nickhills
Ultra Champion

Thats great news, I have converted my comment to an answer, Please accept it and ^ upvote it if you found it useful so that others in the community can see that it helepd.

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...