Security

Splunk apps: How do you resolve certificate verification errors?

SplunkIT3337
Explorer

I've searched the similar questions and did not find a direct answer.
I have a Splunk APP (Code42) that fails because of SLL verification issues.

"file=RESTClient.py:error:319 message="message="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" exception_type="SSLError" exception_arguments="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" filename="code42_clients.py" line="180"""

The certificate on the server, where the app is pulling data from, is self-signed. We cannot change that unfortunately. Within the Splunk application where do add this certificate so Splunk and all associated apps will trust the cert?

I've checked and made changes to this file, Documentation/Splunk/latest/Admin/Serverconf, however they have not been successful. I want to verify the app's cert, and not ignore certificate failures.

georgen_splunk
Splunk Employee
Splunk Employee

version = 3.0.6
decided to disable certificate verification as a workaround:
edit $SPLUNK_HOME/etc/apps/Code42ForSplunk/bin/code42.py
navigate to line 125

"verify_certificate": True,

to

"verify_certificate": False,

SC says this is insecure, but an acceptable hack for now given our ultra-secure environment.

0 Karma

rrthokala
New Member

appended the cert information to cacert.pem in python lib to make it work.

0 Karma

burakcinar
Path Finder

if you cant change self-signed ssl , you need to export your certificate (including the private key) and install it to splunk server.

i assume that code42 is related with crashplan and they have documentation for ssl implementation. ( check: https://support.code42.com/Administrator/6/Configuring/Install_your_own_SSL_certificate_with_OpenSSL )

0 Karma

SplunkIT3337
Explorer

We have changed the certificate to one issued by a trusted CA (Entrust). However Splunk OpenSSL does not seem to like Entrust and still gives the same errors: After running this command to find the cert store, I've hit a block, and still cannot find where I can install the certificate that would allow Splunk > Python > OpenSSL instance to trust the certificate. I would not like to go the route of telling Splunk to ignore all cert errors. The path /home/build, does not exist,

Here is the connection test command:

./splunk cmd openssl s_client -connect SITENAME:PORT | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G3
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
/opt/splunk/bin# ./splunk cmd python -c "import ssl;print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/home/build/build-home/splunk-home/openssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/home/build/build-home/splunk-home/openssl/certs')

spluzer
Communicator

Any update to this?

0 Karma

rrthokala
New Member

whats the solution for this problem?

0 Karma

SplunkIT3337
Explorer

Ubuntu 14.04 LTS

0 Karma

SplunkIT3337
Explorer

Where would I install the key on the Splunk side? The article seems to mention setting up they cert on the CrashPlan server, which we already have. The Splunk app, will not validate the certificate though. On the Splunk server we have tried adding the certificate to the appsca.pem file, however that has not fixed the issue.

0 Karma

burakcinar
Path Finder

which OS are you using for splunk ?

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...