
Splunk apps: How do you resolve certificate verification errors?

Explorer

I've searched the similar questions and did not find a direct answer.
I have a Splunk app (Code42) that fails because of SSL verification issues.

"file=RESTClient.py:error:319 message="message="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" exception_type="SSLError" exception_arguments="[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)" filename="code42_clients.py" line="180"""

The certificate on the server the app is pulling data from is self-signed. Unfortunately, we cannot change that. Within the Splunk application, where do I add this certificate so Splunk and all associated apps will trust the cert?

I've checked and made changes to this file, Documentation/Splunk/latest/Admin/Serverconf; however, they have not been successful. I want to verify the app's cert, and not ignore certificate failures.

Splunk Employee

version = 3.0.6
decided to disable certificate verification as a workaround:
edit $SPLUNK_HOME/etc/apps/Code42ForSplunk/bin/code42.py
navigate to line 125

"verify_certificate": True,

to

"verify_certificate": False,

SC says this is insecure, but an acceptable hack for now given our ultra-secure environment.

0 Karma

New Member

Appended the cert information to cacert.pem in python lib to make it work.

0 Karma

Path Finder

If you can't change the self-signed SSL, you need to export your certificate (including the private key) and install it to the Splunk server.

I assume that Code42 is related to CrashPlan and they have documentation for SSL implementation (check: https://support.code42.com/Administrator/6/Configuring/Install_your_own_SSL_certificate_with_OpenSSL).

0 Karma

Explorer

We have changed the certificate to one issued by a trusted CA (Entrust). However, Splunk OpenSSL does not seem to like Entrust and still gives the same errors. After running this command to find the cert store, I've hit a block, and still cannot find where I can install the certificate that would allow the Splunk > Python > OpenSSL instance to trust the certificate. I would not like to go the route of telling Splunk to ignore all cert errors. The path /home/build does not exist.

Here is the connection test command:

./splunk cmd openssl s_client -connect SITENAME:PORT | awk '/Protocol/ || /Cipher/ || /Verify/'
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G3
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
/opt/splunk/bin# ./splunk cmd python -c "import ssl;print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/home/build/build-home/splunk-home/openssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/home/build/build-home/splunk-home/openssl/certs')
0 Karma
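
An added diagnostic, not part of any post in this thread and not Splunk or Code42 code: it resolves the `DefaultVerifyPaths` output shown above into the paths OpenSSL will actually consult (environment override first, then the compiled-in path) and reports whether each exists, then builds a client context that trusts one explicit CA bundle with verification left on. Python 3 standard library is assumed, the function names are hypothetical, and the thread does not establish whether the Code42 app consults these default paths.

```python
import os
import ssl

# Constructed from the get_default_verify_paths() output quoted in the post above.
PAGE_PATHS = ssl.DefaultVerifyPaths(
    cafile=None, capath=None,
    openssl_cafile_env="SSL_CERT_FILE",
    openssl_cafile="/home/build/build-home/splunk-home/openssl/cert.pem",
    openssl_capath_env="SSL_CERT_DIR",
    openssl_capath="/home/build/build-home/splunk-home/openssl/certs",
)

def audit_default_paths(paths=None, env=None):
    """Return (env_var, effective_path, exists) for the default CA file and CA directory."""
    paths = paths or ssl.get_default_verify_paths()
    env = os.environ if env is None else env
    rows = []
    for env_name, compiled, exists in (
        (paths.openssl_cafile_env, paths.openssl_cafile, os.path.isfile),
        (paths.openssl_capath_env, paths.openssl_capath, os.path.isdir),
    ):
        # The environment variable, when set, replaces the compiled-in path.
        effective = env.get(env_name, compiled)
        rows.append((env_name, effective, exists(effective)))
    return rows

def verifying_context(ca_bundle):
    """Client context that trusts only the CAs in ca_bundle (a PEM file)."""
    if not os.path.isfile(ca_bundle):
        raise FileNotFoundError(ca_bundle)
    # create_default_context() keeps verify_mode=CERT_REQUIRED and
    # check_hostname=True; passing cafile skips the default store.
    return ssl.create_default_context(cafile=ca_bundle)

if __name__ == "__main__":
    # Audit the interpreter running this script.
    for env_name, path, present in audit_default_paths():
        print(f"{env_name}: {path} -> {'present' if present else 'MISSING'}")
```

In the quoted output, `cafile=None` and `capath=None` mean that neither the compiled-in build path nor an environment override resolved to an existing file or directory, so the default store for that interpreter is empty.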

New Member

What's the solution for this problem?

0 Karma

Explorer

Ubuntu 14.04 LTS

0 Karma

Explorer

Where would I install the key on the Splunk side? The article seems to mention setting up the cert on the CrashPlan server, which we already have. The Splunk app will not validate the certificate, though. On the Splunk server we have tried adding the certificate to the appsca.pem file; however, that has not fixed the issue.

0 Karma

Path Finder

Which OS are you using for Splunk?

0 Karma