Splunk Enterprise

SSL checker automatic mode not capturing all the pem files located in /opt/splunk/etc/auth directory

nveer1023
Observer

Issues with the SSL Checker app modes:

SSL checker auto mode:

SSL checker is not capturing all the pem files located in /opt/splunk/etc/auth directory

SSL checker manual mode:

SSL checker is working fine in the manual mode and getting the end date of certs when given the location of the cert paths with comma separated values but throwing the following error.

Error: Invalid key in stanza [SSLConfiguration] in /opt/splunk/etc/apps/ssl_checker/local/ssl.conf

@jkat54 can you please address the issue

We are using the ssl_checker app version 3.2 and we are on splunk enterprise 7.3.8

 

Thanks

Labels (2)
0 Karma

jkat54
SplunkTrust
SplunkTrust

Auto mode only scans for certs that are in use in your default and local conf files that possibly contain links to pem files.

that is to say, if you're using the cert in web, server, inputs, outputs,  Distsearch, conf files, the ssl checker app in auto mode, will discover you have specified a cert in one of those files and index its expiration date.

0 Karma

nveer1023
Observer

For example the directory /opt/splunk/etc/auth had server.pem file, I have added .pem file from other machine to this directory, is that supposed to get the expiration details of the newly added .pem file ??

0 Karma

jkat54
SplunkTrust
SplunkTrust

If you're using server.pem in any of those config files then yes.

0 Karma

nveer1023
Observer

Thanks for your immediate response.

We had few .pem files from other machines to be monitored in the manual mode.

So we did gave the path in the web ui with comma separated values and copied .pem files in a common location, I was able to see the expiration details but in the backend I was seeing the below error. Can you please let me know why the error is being created.

Invalid key in stanza [SSLConfiguration] in /opt/splunk/etc/apps/ssl_checker/local/ssl.conf

local ssl.conf configuration:

[SSLConfiguration]
disabled = 0
certPaths = /opt/splunk/etc/auth/sslchecker/<host1>.pem, /opt/splunk/etc/auth/sslchecker/<host2>.pem, /opt/splunk/etc/auth/sslchecker/<host3>.pem, /opt/splunk/etc/auth/sslchecker/<host4>.pem

 

0 Karma

jkat54
SplunkTrust
SplunkTrust

Where does this error appear? 

0 Karma

nveer1023
Observer

when I run the btool I see the error and i also see the error in internal logs

/opt/splunk/bin/splunk cmd btool check | grep SSL
Invalid key in stanza [SSLConfiguration]

0 Karma

jkat54
SplunkTrust
SplunkTrust

Does the error cause any other issues?  You have the data... sounds like the app works, it's just missing the conf.spec file or something.  I wouldn't worry too much about it if I were you, and I'm happy to add it to the bug list

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...