Security

Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

scc00
Contributor

Running into the following errors when configuring and restarting splunk using third party certificates. All configurations follow Splunk's instructions found here. https://docs.splunk.com/Documentation/Splunk/7.0.3/Security/Howtogetthird-partycertificates#Request_...

Web.conf
[settings]
enableSplunkWebSSL = 1
serverCert = /opt/splunk/etc/etc/auth/certnew.cer
privKeyPath = /opt/splunk/etc/auth/privatekey.key
httpport = 8000

Server.conf

[sslConfig]
sslPassword = whateveriwant
sslRootCAPath = /opt/splunk/etc/auth/labca.pem
serverCert = /opt/splunk/etc/auth/server.pem
sslVersions = tls1.2

Errors within Splunkd.log:
03-18-2019 13:48:21.609 -0400 ERROR SSLCommon - Can't read certificate file /opt/splunk/etc/etc/auth/certnew.cer errno=33558530 error:02001002:system library:fopen:No such file or directory
03-18-2019 13:48:21.609 -0400 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

Any ideas why this is happening? Permissions are correct. The splunk user has access to read and write the necessary files.

0 Karma

nickhills
Ultra Champion

Oh wait - there is a typo in the filename.

/opt/splunk/etc/etc/auth/certnew.cer

should be

/opt/splunk/etc/auth/certnew.cer

If my comment helps, please give it a thumbs up!
0 Karma

scc00
Contributor

Good catch. Thanks for that. 🙂

But i'm getting this error now:

03-18-2019 14:53:29.048 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/certnew.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.074 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/certnew.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.668 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/defendsh.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.668 -0400 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

0 Karma

nickhills
Ultra Champion

I don't see an sslPassword = whatever you set it to in your web.conf in your initial post.
Is that an omission from the paste?

If my comment helps, please give it a thumbs up!
0 Karma

scc00
Contributor

So I haven't use it since it's optional and only required if the private key had a password, which mine does not. I removed immediately after creating it.

0 Karma

nickhills
Ultra Champion

Is the .cer file a PEM or DER encoded certificate?
It looks like Splunk is struggling to read it, so you might need to convert it to base64 PEM

If you open the .cer in a text editor, does it start with -----BEGIN CERTIFICATE-----
If not, you need to convert it.

If my comment helps, please give it a thumbs up!
0 Karma

scc00
Contributor

So it's a base 64 PEM file and starts like this:

-----BEGIN CERTIFICATE-----

0 Karma