- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: Why is X509 certificate default using warning?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is X509 certificate default using warning?
Our Splunk rep walked us through setting up SSL for our Splunk server communication with each other and for our Universal Forwarders to connect to our Indexer. However, we still get the warning X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA)
In addition, Nessus scans find the default Splunk certificate on all of the systems with Universal Forwarders.
We have SSL certificates created by our government agency's CA.
I have verified that our indexer's server.conf is pointing sslRootCAPath to our CA's pem.
I have verified that our indexer's inputs.conf is pointing serverCert at our server's pem.
I have verified that our universal forwarders' outputs.conf have clientCert pointing at our server's pem, which is located on each system in C:\Program Files\SplunkUniversalForwarder\etc\auth.
I have verified that our universal forwarders' outputs.conf have sslRootCAPath pointing at our CA's pem, which is located on each system in C:\Program Files\SplunkUniversalForwarder\etc\auth.
Why do we still get this warning? Are we missing a setting somewhere?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mommyfixit By the way, are you getting the cert error on GUI or at the backend. Please ensure the settings mentioned in the below link is intact.
One point, ensure EnableSSL=true setting in web.conf if you're getting the error in GUI.
Just trying to help. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
where do you get this error ? indexers ? Universal forwarders ? What about other components like sh, cm,...?
On the uf, you should have done configuration in server.conf to change the trusted CA to your and usually provide a throwaway uf certificate
On the indexer, you dont say that you configured the server cert in server.conf. Is that done ? (server.conf -> [sslConfig] -> serverCert )
Obviously, you need to do the same on all other components (sh, ...) as that will change the certificate for splunk management communications on port 8089
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are getting this error on the Universal Forwards on Windows endpoints. Our rep didn't mention a server.conf on the endpoints...would that go in our forwarder outputs app? We configured the certs in outputs.conf, but there is no server.conf in that app.
Yes, on the Indexer, we have server.conf configured with:
enableSplunkdSSL = true
serverCert = (our indexer's cert)
sslRootCAPath = (our server chain)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it works as expected.
If you configure only outputs, you change what is used to send data but not the CA Splunk software trust internally.
For this you need to configure in server.conf
I would not put this in a output app but probably create a app for uf specific custom configuration
Once you have server.conf configured, you may simplified outputs configuration when the TLS configuration is the same (as it will use server.conf first)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went onto one of the Universal Forwarders and modified server.conf with the following:
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
sslVerifyServerCert = true
sslCommonNameToCheck = (indexer server name)
clientCert = (path to indexer certificate)
sslRootCAPath = (path to indexer chain cert)
This didn't make any difference. Same error message. The forwarder still works, but it is still giving me that message. Did I configure the right settings? Should the server.conf on the universal forwarders be a copy of the server.conf on the indexer, or is there something different between the two?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, although it is still sending events to the indexer, and the error is still there, it has quit communicating with the management server. So configuring server.conf the way I just did was definitely the wrong solution. I added the name of the management server to sslCommonNameToCheck and removed clientCert (since it had the indexer's cert path in there). This didn't help - I'm going to have to put server.conf back the way it was so it starts communicating with the management server again.
I'm going to need some very specific guidance to get this working. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
How you have checked those values, just looking from those files or using btool? If the 1st one then I propose you to use btool to ensure that those files&configs are those which splunk is using.
splunk btool server list --debug|egrep '(SSL|Cert|CA|ssl)'And same for other files like inputs, outputs (just replace server on above command).
That shows to you from which file splunk get those values and what those are.
r. Ismo
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
