Re: Splunk WEB: ERROR HTTPServer - SSL context co...

scc00 · ‎03-18-2019

Running into the following errors when configuring and restarting splunk using third party certificates. All configurations follow Splunk's instructions found here. https://docs.splunk.com/Documentation/Splunk/7.0.3/Security/Howtogetthird-partycertificates#Request_...

Web.conf
[settings]
enableSplunkWebSSL = 1
serverCert = /opt/splunk/etc/etc/auth/certnew.cer
privKeyPath = /opt/splunk/etc/auth/privatekey.key
httpport = 8000

Server.conf

[sslConfig]
sslPassword = whateveriwant
sslRootCAPath = /opt/splunk/etc/auth/labca.pem
serverCert = /opt/splunk/etc/auth/server.pem
sslVersions = tls1.2

Errors within Splunkd.log:
03-18-2019 13:48:21.609 -0400 ERROR SSLCommon - Can't read certificate file /opt/splunk/etc/etc/auth/certnew.cer errno=33558530 error:02001002:system library:fopen:No such file or directory
03-18-2019 13:48:21.609 -0400 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

Any ideas why this is happening? Permissions are correct. The splunk user has access to read and write the necessary files.

nickhills · ‎03-18-2019

Oh wait - there is a typo in the filename.

/opt/splunk/etc/etc/auth/certnew.cer

should be

/opt/splunk/etc/auth/certnew.cer

If my comment helps, please give it a thumbs up!

scc00 · ‎03-18-2019

Good catch. Thanks for that. 🙂

But i'm getting this error now:

03-18-2019 14:53:29.048 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/certnew.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.074 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/certnew.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.668 -0400 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/defendsh.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
03-18-2019 14:53:29.668 -0400 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong

nickhills · ‎03-18-2019

I don't see an sslPassword = whatever you set it to in your web.conf in your initial post.
Is that an omission from the paste?

If my comment helps, please give it a thumbs up!

scc00 · ‎03-18-2019

So I haven't use it since it's optional and only required if the private key had a password, which mine does not. I removed immediately after creating it.

nickhills · ‎03-18-2019

Is the .cer file a PEM or DER encoded certificate?
It looks like Splunk is struggling to read it, so you might need to convert it to base64 PEM

If you open the .cer in a text editor, does it start with -----BEGIN CERTIFICATE-----
If not, you need to convert it.

If my comment helps, please give it a thumbs up!

scc00 · ‎03-18-2019

So it's a base 64 PEM file and starts like this:

-----BEGIN CERTIFICATE-----

Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Splunk WEB: ERROR HTTPServer - SSL context could not be created and ERROR SSLCommon - Can't read certificate file

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions