Splunk Enterprise

Splunk web server fails to load when using Internal certificate

Explorer

I'm trying to configure SSL encryption for my Splunk Light VM instance.

Here is my web.conf file:

[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>

Both the .key and .pem files are owned by splunk:splunk and have read priv for all. I followed the instructions at (http://wiki.splunk.com/Community:SplunkWebSSLSelfSignedCert_NewRootCA), except for the actual generation and signing of the cert. I have my own Internal CA that I issued the splunk cert with. I created the .pem file by concatenating the splunk.lab.omni.crt file with my CA's .crt file (server first, then root CA).

I don't have enough karma to attach files, so if you want my web_services.log file, I'm not sure how to show it other than a big messy post. I don't see any errors. It acknowledges my .pem and .key files. When I restart Splunk, everything passes except at the end it hangs at "Waiting for web server at https://127.0.0.1:443 to be available.." Web access times out, and netstat shows a "CLOSE_WAIT" as the status of my attempted connection.

Any idea what is wrong??

0 Karma

Explorer

Actually, it was the <> surrounding the file paths that was the culprit. Removing them fixed the issue.

I had referenced this page (https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate), which shows these brackets surrounding the file paths in the "Configure Splunk Web to use the key and certificate files" section. Perhaps this document should be amended?

Splunk Employee

If you can send that pointer to the Docs team they will check it out! There's a box at the bottom of docs pages to submit comments or feedback.

0 Karma

Splunk Employee

PS you can accept your own solution for karma points 🙂

0 Karma

Splunk Employee

Hey @Willman42, here's some further documentation. https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate I'm not an expert (just an Answers moderator), but I do see a discrepancy in your enableSplunkWebSSL = 1 line -- it says "true" in the documentation. Hope this helps! If you'd like to include the web_services.log file and can remove any materials that could be privacy sensitive I can attach that for you.

Explorer

Also, I tested using a .crt file in the serverCert field of my web.conf file, and it works fine. So Splunk does NOT need a .pem file here, nor does it need the CA's certificate concatenated with it. Perhaps this should be reflected in Splunk documentation as well.

0 Karma

Explorer

Oh I see. I'm not sure how it was set to 1 because I never edited that line. I see also in my $SPLUNK_HOME/etc/system/default/web.conf that it is set to boolean as well. Thanks for the pointer!

0 Karma
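
A pre-restart check for the failure in this thread, as an added example (not part of any post and not Splunk's own tooling): it flags <> left around privKeyPath and serverCert, confirms the files exist, and also reports a private key that is accessible to group or other, which goes beyond the fix discussed above. The function name lint_web_conf, the /opt/splunk default and the handling of relative paths are assumptions.

```python
import configparser
import os
import stat

# web.conf settings from the thread that hold file paths
PATH_KEYS = ("privKeyPath", "serverCert")

# The [settings] stanza as posted in the question
POSTED_WEB_CONF = """\
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>
"""


def lint_web_conf(text, splunk_home):
    """Return (key, problem) findings for the path settings in [settings]."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key names case-sensitive
    parser.read_string(text)
    if not parser.has_section("settings"):
        return [("settings", "stanza missing")]
    findings = []
    for key in PATH_KEYS:
        if not parser.has_option("settings", key):
            continue
        raw = parser.get("settings", key).strip()
        if raw.startswith("<") or raw.endswith(">"):
            findings.append((key, "placeholder <> left around path"))
            raw = raw.strip("<>")
        # Assumption: relative paths resolve under SPLUNK_HOME
        path = os.path.join(splunk_home, raw.replace("$SPLUNK_HOME", splunk_home))
        if not os.path.isfile(path):
            findings.append((key, "file not found: " + path))
        elif key == "privKeyPath" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append((key, "private key accessible to group/other"))
    return findings


if __name__ == "__main__":
    # Assumption: /opt/splunk when SPLUNK_HOME is not set in the environment
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    for key, problem in lint_web_conf(POSTED_WEB_CONF, home):
        print(key + ": " + problem)
```
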