This is driving me nuts. I'm trying to set up Splunk Stream for NetFlow.
I've uploaded the app and at the end of the upload it gives me an error: Error connecting to /servicse/apps/local: timed out
Nonetheless, one of the messages prompts me to restart Splunk, so I do. I see the Splunk Stream app, but when I go to it, it comes up blank. The logs say:
2019-11-06 09:25:36 ERROR 140167464486656 stream.CaptureServer - Unable to ping server (9c5d65be-af86-4b47-b0e3-cb31198ab475): /en-us/custom/splunk_app_stream/ping/ status=404
Why would I be getting 404 errors on a default install?
The Splunk system local web.conf has the httpport set to 8000.
If I wget the URL on localhost:8000, I get:
Connecting to localhost (localhost)|127.0.0.1|:8000... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-11-06 09:31:39 ERROR 404: Not Found.
Running Splunk 6.5.2 & 6.5.3,
We just re-rolled our PKI using Microsoft's Certificate Services, with a RootCA, PolicyCA and Issuing CA.
I've been having a hard time getting our heavy forwarders to communicate to our indexer when "requireClientCert = true".
I've tried several things.
Sent off the OpenSSL CSRs to the Issuing CA to get signed; they came back .der formatted. Ran openssl -in cert.cer -inform der -out cert.pem
Converted to PEM format
Concatenated the private key to the server certs: cat privkey-server.pem >> server.pem
Now I've tried a couple of variations here,
I've tried chaining the rootCA together such as the following:
cat policyCA.pem >> issuingCA.pem
cat rootCA.pem >> issuingCA.pem
mv issuingCA.pem cacert.pem
with the config:
serverCert = /opt/splunk/etc/auth/testing/server.pem (the cert I mentioned above)
sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem
I've run /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem
verified the server cert is signed correctly
Did this on both the forwarder and indexer and it failed.
Next I came across some info that, as I understood it, suggested adding the issuing CA and policy CA into the server.pem file and keeping rootCA.pem alone as the specified sslRootCAPath.
That didn't work either. I get:
10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"
10-19-2017 10:38:15.494 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
The certs generated have the following:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
and further down..
X509v3 Extended Key Usage:
TLS Web Server Authentication
Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting...
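An added example (not part of the original post, and not Splunk or OpenSSL code): a simplified model of the certificate purpose check behind error=26, applied to the Key Usage and Extended Key Usage values quoted in the post. The function names and the sample text are constructed for illustration, and the model covers only these two extensions.

```python
import re

# Constructed sample: the extension section of `openssl x509 -text` output,
# with the Key Usage / Extended Key Usage values quoted in the post.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

CLIENT_EKU = "TLS Web Client Authentication"
SERVER_EKU = "TLS Web Server Authentication"
# role -> (EKU value required if EKU is present, KU values of which one is needed)
ROLES = {
    "sslclient": (CLIENT_EKU, {"Digital Signature", "Key Agreement"}),
    "sslserver": (SERVER_EKU, {"Digital Signature", "Key Encipherment", "Key Agreement"}),
}


def parse_extension(text, name):
    """Return the set of values listed under an X509v3 extension header
    in `openssl x509 -text` output, or None if the extension is absent."""
    m = re.search(r"X509v3 %s:[^\n]*\n\s*([^\n]+)" % re.escape(name), text)
    if m is None:
        return None
    return {v.strip() for v in m.group(1).split(",")}


def allowed_purposes(text):
    """Simplified purpose check: an absent extension places no restriction,
    a present one must permit the role the certificate is presented in."""
    ku = parse_extension(text, "Key Usage")
    eku = parse_extension(text, "Extended Key Usage")
    result = {}
    for role, (eku_name, ku_any) in ROLES.items():
        eku_ok = eku is None or eku_name in eku
        ku_ok = ku is None or bool(ku & ku_any)
        result[role] = eku_ok and ku_ok
    return result


if __name__ == "__main__":
    print(allowed_purposes(SAMPLE_TEXT))
    fixed = SAMPLE_TEXT.replace(SERVER_EKU, SERVER_EKU + ", " + CLIENT_EKU)
    print(allowed_purposes(fixed))
```

On a real certificate, `openssl verify -purpose sslclient -CAfile cacert.pem server.pem` runs OpenSSL's own version of this check.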