Security

SSL certificates on each search head in cluster

sathwikr076
Communicator

Hello,

The SSL certs for the search heads are expiring, but the cert is valid on our F5 load balancer for those search heads. We are using third-party certs, and we tried to add the new certs to web.conf and restart the search heads in a rolling-restart fashion. When the search heads were up, we could not access the web UI. So we put our old certs back into web.conf and restarted again, and it worked. We thought there was a problem with the new certs, but we could not verify what the exact problem is. Please let me know if anyone has any idea about this situation.

Thanks.

0 Karma
1 Solution

sathwikr076
Communicator

We actually got this resolved. Earlier the .key file was an encrypted key, so Splunk could not read that file when we updated web.conf. We ran this command, "openssl rsa -in splunk.pem -out splunk.key", and updated it in web.conf on all search heads, and it worked. Thanks for your response.


0 Karma
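
A pre-deployment check for the failure described in the solution above, as an added example that is not part of the original thread: it classifies a PEM private key as encrypted or plain from its header lines, writes the decrypted copy with owner-only permissions using the thread's `openssl rsa` command, and confirms that the key belongs to the certificate. The function names and sample file names are hypothetical, and the sample files are constructed headers with no real key material.

```shell
#!/bin/sh
# Added example: checks to run on a key/cert pair before pointing web.conf at it.

# Classify a PEM private key by its armor headers.
# Prints: encrypted-pkcs8 | encrypted-legacy | plain | no-key
key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8      # PKCS#8 container, passphrase protected
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-legacy     # traditional PEM with Proc-Type/DEK-Info headers
    elif grep -Eq -e '-----BEGIN ((RSA|EC) )?PRIVATE KEY-----' "$1"; then
        echo plain                # readable without a passphrase
    else
        echo no-key               # e.g. a certificate-only file
    fi
}

# Write an unencrypted copy with the thread's command (openssl prompts for the
# passphrase). umask 077 keeps the cleartext key readable by its owner only.
decrypt_key() (
    umask 077
    openssl rsa -in "$1" -out "$2"
)

# Succeed only if the certificate ($1) and the key ($2) carry the same public key.
pair_matches() (
    c=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    k=$(openssl pkey -in "$2" -pubout) || exit 1
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# Constructed sample files (headers only, no real key material) for key_state.
make_samples() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8_enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy_enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$1/cert_only.pem"
}

# Usage: sh check_key.sh path/to/key.pem   (script name is hypothetical)
[ $# -eq 0 ] || key_state "$1"
```

Because the decrypted key is no longer passphrase protected, file permissions on each search head are the only thing guarding it.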

harsmarvania57
SplunkTrust

How does your SSL termination work? Do you have a different certificate set up on the F5 VIP and a different certificate on the SHs in the SHC? Meaning that the F5 is terminating the SSL session and initiating another encrypted session to the upstream servers (in your case, the SHs)?

0 Karma

sathwikr076
Communicator

Thanks for the response. We have certs generated by the same third party on the F5 and the search heads, but they expire on different dates. Now we are good with our old certs on the SHs for a few more days, but we are trying to add the new certs generated by the same third party. We just found that the .pem and .key files we added to the search heads have different names than the original files in the original location: instead of "_" in the file name, it changed to ".". Do you have any idea if this could cause any problem?

0 Karma

harsmarvania57
SplunkTrust

Filenames generally do not create any issue. It is really hard to understand how you are using the F5 to do SSL offloading because you didn't answer my question.

0 Karma

sathwikr076
Communicator

Hello, I am sorry for the late reply. We actually got this resolved. Earlier the .key file was an encrypted key, so Splunk could not read that file when we updated web.conf. We ran this command, "openssl rsa -in splunk.pem -out splunk.key", and updated it in web.conf on all search heads, and it worked. Thanks for your response.

0 Karma

harsmarvania57
SplunkTrust

That's good. You can convert your comment into an answer and then accept your own answer so that it will be helpful for other members in the future.

0 Karma