Hi Splunkers,
I have a clustered environment. The SSL certificate on one of the indexers expired. I have created a CSR and a PEM file. By submitting that CSR I got a new SSL certificate from my organization.
Now I logged in to that indexer and downloaded the new SSL certificate to the same folder where my PEM key is.
I went to etc/system/local and updated the web.conf file as below.
[settings]
startwebserver = 1
caCertPath = etc/auth/cert/sra-index-01-cert.pem
privKeyPath = etc/auth/cert/sra-index-01-PassKey.pem
sendStrictTransportSecurityHeader = true
enableSplunkWebSSL = true
allowSslRenegotiation = false
allowSslCompression = false
Now I need to verify whether SSL is properly applied to the Splunk server. When I log in to the web UI, I am not able to see a valid certificate date; it is still showing the previous expired certificate's date.
How do I verify it, or am I missing anything?

web.conf is for Splunk Web. In order to use this, your private key must be decrypted, which means you are able to verify the certificate using ssl and it doesn't prompt you for a password.
But I doubt you need to access your indexer in Splunk Web. When I changed our certificates system-wide, these were my notes for indexers:
---To prevent server from trying to reach Splunk Base for updates--
etc/system/local/server.conf
[applicationsManagement]
allowInternetAccess = false
---without this, mongod will fail to start.
[kvstore]
serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>.pem
sslPassword = <password_of_serverCert>
[sslConfig]
serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>_.pem
sslPassword = <password_of_serverCert>
sslRootCAPath = $SPLUNK_HOME/etc/auth/rootca/Root_CA.pem
etc/system/local/inputs.conf
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/receiver/receiver_cert.pem
sslPassword = <password>
sslVersions = -all, tls1.2
Now, if you must access Splunk Web into the indexer:
etc/system/local/web.conf
Note: Splunk Web will not work with an encrypted private key. Ensure you are using a decrypted private key and certificate for this configuration.
[settings]
privKeyPath = $SPLUNK_HOME/etc/auth/<servername>/<webServerCert>_webServerCert_priv.key
serverCert = $SPLUNK_HOME/etc/auth/<servername>/<webServerCert>_webServerCert_cert.pem
To export the private key decrypted for use in Splunk Web web.conf, you can use the following:

Silly question, but did you restart Splunk after making the changes?

Hi Jacob,
I am not expecting this stupid answer.
Cheers!
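
For the verification question raised in this thread, an added example (not from any poster here): it checks that the private key is unencrypted, that the certificate file has not expired, and that the certificate the listener presents is the same one as the file on disk. The function names are hypothetical, and the host, port (8000 is the Splunk Web default) and file paths passed in are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# host, port and paths passed to check_deployed are assumptions.

# True if the PEM key is passphrase-protected: PKCS#8 header, or the
# "Proc-Type: 4,ENCRYPTED" line of a traditional encrypted PEM key.
key_is_encrypted() {
    grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Read `openssl x509 -fingerprint` output on stdin, print only the hex value.
fp_value() {
    sed -n 's/^.*[Ff]ingerprint=//p'
}

# MATCH only when both fingerprints are non-empty and identical.
verdict() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then echo MATCH; else echo STALE; fi
}

# check_deployed CERT KEY HOST PORT
check_deployed() {
    if key_is_encrypted "$2"; then
        echo "key: encrypted (the thread notes Splunk Web needs it decrypted)"
    else
        echo "key: not encrypted"
    fi
    # Print the expiry date; -checkend 0 exits non-zero if already expired.
    openssl x509 -in "$1" -noout -enddate
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || echo "cert file: EXPIRED"
    disk=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | fp_value)
    # Fetch the leaf certificate the listener presents right now.
    live=$(openssl s_client -connect "$3:$4" -servername "$3" </dev/null 2>/dev/null |
           openssl x509 -noout -fingerprint -sha256 2>/dev/null | fp_value)
    echo "served vs. file: $(verdict "$disk" "$live")"
}

# Run only when all four arguments are supplied, e.g.
#   sh check.sh cert.pem key.pem splunk-host 8000
if [ "$#" -eq 4 ]; then
    check_deployed "$@"
fi
```

A STALE result with an unexpired file means the listener is presenting a different certificate than the file that was checked, which is the symptom described in the question.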