I'm trying to configure SSL encryption for my Splunk Light VM instance.
Here is my web.conf file:
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>
Both .key and .pem files are owned by splunk:splunk and have read priv for all. I followed the instructions at (http://wiki.splunk.com/Community:SplunkWebSSLSelfSignedCert_NewRootCA), except for the actual generation and signing of the cert. I have my own Internal CA that I issued the splunk cert with. I created the .pem file by concatenating the splunk.lab.omni.crt file with my CA's .crt file (server first, then root CA).
I don't have enough karma to attach files, so if you want my web_services.log file, I'm not sure how to show it other than a big messy post. I don't see any errors. It acknowledges my .key files. When I restart Splunk, everything passes except at the end it hangs at "Waiting for web server at https://127.0.0.1:443 to be available.." Web access times out, and netstat shows a "CLOSE_WAIT" as the status of my attempted connection.
Any idea what is wrong??
Hey @Willman42, here's some further documentation. https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate I'm not an expert (just an Answers moderator), but I do see a discrepancy in your enableSplunkWebSSL = 1 line -- it says "true" in the documentation. Hope this helps! If you'd like to include the web_services.log file and can remove any materials that could be privacy sensitive I can attach that for you.
Oh I see. I'm not sure how it was set to 1 because I never edited that line. I see also in my $SPLUNK_HOME/etc/system/default/web.conf that it is set to boolean as well. Thanks for the pointer!
Also, I tested using a .crt file in the serverCert field of my web.conf file, and it works fine. So Splunk does NOT need a .pem file here, nor does it need the CA's certificate concatenated with it. Perhaps this should be reflected in Splunk documentation as well.
Actually, it was the <> surrounding the file paths that is the culprit. Removing them fixed the issue.
I had referenced this page (https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate), which shows these brackets surrounding the file paths in the "Configure Splunk Web to use the key and certificate files" section. Perhaps this document should be amended?
If you can send that pointer to the Docs team they will check it out! There's a box at the bottom of docs pages to submit comments or feedback.
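An added example (not from the thread or from Splunk): a small lint for the [settings] stanza of web.conf that flags the literal <> around privKeyPath and serverCert, the cause identified above, and optionally checks that the files are readable. The sample configs are constructed from the question; parse_stanza, lint_web_conf and the expansion of a literal $SPLUNK_HOME prefix are assumptions of this example.

```python
import os
import re

PATH_KEYS = ("privKeyPath", "serverCert")

# Constructed samples: the [settings] stanza from the question, before and after the fix.
BROKEN = """[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>
"""
FIXED = BROKEN.replace("<", "").replace(">", "")


def parse_stanza(text, stanza="settings"):
    """Collect key = value pairs that belong to one [stanza]."""
    current, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current == stanza and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def lint_web_conf(text, splunk_home=None):
    """Return (key, problem) tuples for the TLS path settings."""
    findings = []
    settings = parse_stanza(text)
    for key in PATH_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set"))
        elif value.startswith("<") or value.endswith(">"):
            findings.append((key, "angle brackets are part of the value"))
        elif splunk_home is not None:
            # Assumption: only a literal $SPLUNK_HOME prefix is expanded.
            path = value.replace("$SPLUNK_HOME", splunk_home, 1)
            if not os.access(path, os.R_OK):
                findings.append((key, "not readable: " + path))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_web_conf(conf))
```

Pass splunk_home to also run the readability check as the account Splunk Web runs under.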