I'm trying to configure SSL encryption for my Splunk Light VM instance.
Here is my web.conf file:
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>
Both the .key and .pem files are owned by splunk:splunk and have read priv for all. I followed the instructions at (http://wiki.splunk.com/Community:SplunkWebSSLSelfSignedCert_NewRootCA), except for the actual generation and signing of the cert. I have my own internal CA that I issued the Splunk cert with. I created the .pem file by concatenating the splunk.lab.omni.crt file with my CA's .crt file (server first, then root CA).
I don't have enough karma to attach files, so if you want my web_services.log file, I'm not sure how to show it other than a big messy post. I don't see any errors. It acknowledges my .key files. When I restart Splunk, everything passes except at the end it hangs at "Waiting for web server at https://127.0.0.1:443 to be available.." Web access times out, and netstat shows a "CLOSE_WAIT" as the status of my attempted connection.
Any idea what is wrong??
Actually, it was the <> surrounding the file paths that is the culprit. Removing them fixed the issue.
I had referenced this page (https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate), which shows these brackets surrounding the file paths in the "Configure Splunk Web to use the key and certificate files" section. Perhaps this document should be amended?
Hey @Willman42, here's some further documentation. https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate I'm not an expert (just an Answers moderator), but I do see a discrepancy in your enableSplunkWebSSL = 1 line -- it says "true" in the documentation. Hope this helps! If you'd like to include the web_services.log file and can remove any materials that could be privacy sensitive I can attach that for you.
Also, I tested using a .crt file in the serverCert field of my web.conf file, and it works fine. So Splunk does NOT need a .pem file here, nor does it need the CA's certificate concatenated with it. Perhaps this should be reflected in Splunk documentation as well.
Oh I see. I'm not sure how it was set to 1 because I never edited that line. I see also in my $SPLUNK_HOME/etc/system/default/web.conf that it is set to boolean as well. Thanks for the pointer!
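
A pre-restart check for the mistake found in this thread, as an added example that is not part of the original posts or Splunk's own tooling: it parses the [settings] stanza of web.conf and flags privKeyPath/serverCert values still wrapped in <>, paths that are not files, and a world-readable private key. The function names and the optional splunk_home argument are assumptions of this sketch.

```python
import re
from pathlib import Path

PATH_KEYS = ("privKeyPath", "serverCert")

# Constructed sample: the [settings] stanza as posted, angle brackets included.
SAMPLE = """\
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>
"""

def parse_stanza(text, stanza="settings"):
    """Return the key/value pairs of one stanza from .conf-style text."""
    current, out = None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def check_tls_paths(text, splunk_home=None):
    """Return a list of problems with the key/certificate settings."""
    settings, problems = parse_stanza(text), []
    for key in PATH_KEYS:
        value = settings.get(key)
        if value is None:
            problems.append(f"{key}: not set")
        elif value.startswith("<") or value.endswith(">"):
            problems.append(f"{key}: angle brackets are part of the value; remove them")
        elif splunk_home is not None:
            # Assumption of this sketch: relative paths resolve against splunk_home.
            path = Path(splunk_home) / value.replace("$SPLUNK_HOME/", "")
            if not path.is_file():
                problems.append(f"{key}: {path} is not a file")
            elif key == "privKeyPath" and path.stat().st_mode & 0o004:
                problems.append(f"{key}: private key is world-readable")
    return problems

if __name__ == "__main__":
    for problem in check_tls_paths(SAMPLE):
        print(problem)
```

Without splunk_home only the syntax of the values is checked; pass the installation directory to also test the files on disk.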