Re: Splunk apps: How do you resolve certificate ve...

SplunkIT3337 · ‎01-03-2018

I've searched the similar questions and did not find a direct answer.
I have a Splunk APP (Code42) that fails because of SLL verification issues.

"file=RESTClient.py:error:319 message="message="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" exception_type="SSLError" exception_arguments="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" filename="code42_clients.py" line="180"""

The certificate on the server, where the app is pulling data from, is self-signed. We cannot change that unfortunately. Within the Splunk application where do add this certificate so Splunk and all associated apps will trust the cert?

I've checked and made changes to this file, Documentation/Splunk/latest/Admin/Serverconf, however they have not been successful. I want to verify the app's cert, and not ignore certificate failures.

georgen_splunk · ‎01-22-2019

version = 3.0.6
decided to disable certificate verification as a workaround:
edit $SPLUNK_HOME/etc/apps/Code42ForSplunk/bin/code42.py
navigate to line 125

"verify_certificate": True,

to

"verify_certificate": False,

SC says this is insecure, but an acceptable hack for now given our ultra-secure environment.

rrthokala · ‎11-08-2018

appended the cert information to cacert.pem in python lib to make it work.

makelovenotwar · ‎06-21-2023

@rrthokala wrote:
appended the cert information to cacert.pem in python lib to make it work.

where is this python lib located?

burakcinar · ‎01-03-2018

if you cant change self-signed ssl , you need to export your certificate (including the private key) and install it to splunk server.

i assume that code42 is related with crashplan and they have documentation for ssl implementation. ( check: https://support.code42.com/Administrator/6/Configuring/Install_your_own_SSL_certificate_with_OpenSSL )

SplunkIT3337 · ‎02-02-2018

We have changed the certificate to one issued by a trusted CA (Entrust). However Splunk OpenSSL does not seem to like Entrust and still gives the same errors: After running this command to find the cert store, I've hit a block, and still cannot find where I can install the certificate that would allow Splunk > Python > OpenSSL instance to trust the certificate. I would not like to go the route of telling Splunk to ignore all cert errors. The path /home/build, does not exist,

Here is the connection test command:

./splunk cmd openssl s_client -connect SITENAME:PORT | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G3
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
/opt/splunk/bin# ./splunk cmd python -c "import ssl;print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/home/build/build-home/splunk-home/openssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/home/build/build-home/splunk-home/openssl/certs')

spluzer · ‎10-26-2020

Any update to this?

rrthokala · ‎11-08-2018

whats the solution for this problem?

SplunkIT3337 · ‎01-04-2018

Ubuntu 14.04 LTS

SplunkIT3337 · ‎01-04-2018

Where would I install the key on the Splunk side? The article seems to mention setting up they cert on the CrashPlan server, which we already have. The Splunk app, will not validate the certificate though. On the Splunk server we have tried adding the certificate to the appsca.pem file, however that has not fixed the issue.

burakcinar · ‎01-04-2018

which OS are you using for splunk ?

Splunk apps: How do you resolve certificate verification errors?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?