The files are available here: https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90
The FAQ sent by Splunk for expiry on July 21, 2016:
Dear Splunker,
Enclosed are remediation steps for the expiration of default certs shipped
with Splunk 6.2 and earlier.
Please let us know if these steps were helpful.
SUMMARY OF THE ISSUE
In a nutshell, default certificates shipped with 6.2 and earlier versions
of Splunk have expired and will affect communications between Splunk
components:
HTTPS - between browser and Splunk will fail if the following is set:
web.conf: EnableSplunkWebSSL, confirm default certs are targeted in
privKeyPath and caCertPath. See workflows provided. You will want to swap
out the default certs (download at link below) or run the s-renewalcerts scripts.
UF and IDX - This will fail IF SSL is set for the type of connection
between the forwarder and indexers. FYI, dire error messages will be
written to logs even if communications between fwd-idx are working just
fine. You will want to swap out the default certs (download at link below) or run the
s-renewalcerts scripts.
Most everything else (Deployment Server - Deployment Client, License
Master to License Slave, Distributed Search Server-Client, Search Head to
Search Peers) will be able to be turned off with the following flags:
Forwarder (client)
sslVerifyServerCert = false
Indexer (server)
requireClientCert = false
First Response FAQ
Q: Am I using SSL to encrypt between the forwarder and indexer?
A: Run this search on the indexer and a true result will confirm use of
SSL to encrypt communications between the forwarders and indexers indicated.
index=_internal source=metrics.log group=tcpin_connections | dedup
hostname | table hostname sourceIp fwdType version destPort ssl
If the results are false, forwarder - index traffic will not fail.
Q: How do I check the expiration for all certs on the customer's system?
A: A quick way to check all expiration dates for all certs under
$SPLUNK_HOME/etc:
$SPLUNK_HOME/etc/$ find ./ -name '*.pem' -exec openssl x509 -in '{}' -noout -enddate \;
Q: What are my options for immediate remediation?
A: Run the script provided in the advisory.
The advisory:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html
Or, manually swap out the expired default certs with default certs
provided here:
https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90
See steps below.
Q: What if I can't get the script to work? Do we have manual
steps?
A: Yes. Here they are:
1) Stop Splunk
2) Back up (note permissions/ownership, very important!!) and then remove:
· ./etc/auth/ca.pem
· ./etc/auth/cacert.pem
· ./etc/auth/server.pem
3) Copy over the new versions of the following from
https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90
· ./etc/auth/ca.pem
· ./etc/auth/cacert.pem
· Do not copy over server.pem
4) Confirm permissions and ownership of 3).
5) Restart Splunk.
A new server.pem is generated. You're done.
Q: How can I tell which SSL parameters have been set in my
configuration files?
A: We recommend using btool along with grep
splunk btool server list --debug | grep blargh
Check for:
[sslConfig]
enableSplunkdSSL = true
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
sslVerifyServerCert = true
splunk btool outputs list --debug
[tcpout:splunkssl]
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
RootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
splunk btool inputs list --debug
[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
[splunktcp-ssl:]
Additional Resources
The advisory:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html
Download the script:
http://download.splunk.com/products/certificates/renewcerts-2016-05-05.zip
Splunk Wikis:
http://wiki.splunk.com/Community:SplunkWeb_SSL_DefaultCerts
http://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts
Thank you,
The Global Customer Support Team
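The find/openssl one-liner in the FAQ only prints notAfter dates and errors out on key-only .pem files. The script below is an added example, not part of the Splunk FAQ or the renewcerts script: it walks a directory (defaulting to $SPLUNK_HOME/etc), classifies each .pem as OK, EXPIRING within a warning window, EXPIRED, or NOCERT, and returns non-zero if anything needs attention. The make_sample_dir helper builds a constructed sample directory so the script runs offline; the file names and the 30-day default are assumptions.

```shell
#!/bin/sh
# Audit every *.pem under a directory and report certificate expiry state.
# Usage: check_pem_expiry [dir] [warn_days]   (defaults: $SPLUNK_HOME/etc, 30)
# Output: one tab-separated line per file: path, state, notAfter.
# Exit status: 1 if any file is EXPIRED or EXPIRING, else 0.
check_pem_expiry() {
    dir=${1:-${SPLUNK_HOME:-/opt/splunk}/etc}
    warn_secs=$(( ${2:-30} * 86400 ))
    report=$(find "$dir" -name '*.pem' | while IFS= read -r f; do
        # Key-only .pem files (no certificate block) cannot be parsed by x509.
        if ! end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null); then
            printf '%s\tNOCERT\t-\n' "$f"
            continue
        fi
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            state=EXPIRED
        elif ! openssl x509 -in "$f" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
            state=EXPIRING
        else
            state=OK
        fi
        printf '%s\t%s\t%s\n' "$f" "$state" "${end#notAfter=}"
    done)
    printf '%s\n' "$report"
    # Non-zero exit when anything is expired or inside the warning window.
    ! printf '%s\n' "$report" | grep -qE 'EXPIRED|EXPIRING'
}

# Constructed sample input (assumption, not Splunk's real auth directory):
# one self-signed cert valid for a single day and one key-only .pem.
make_sample_dir() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/cert.pem" -days 1 -subj '/CN=sample' >/dev/null 2>&1
    printf '%s\n' "$d"
}

# Run directly: check_pem_expiry "$SPLUNK_HOME/etc" 30
if [ -n "${1:-}" ]; then
    check_pem_expiry "$1" "${2:-30}"
fi
```

With the 30-day default the one-day sample cert is reported as EXPIRING and the script exits 1; with a warning window of 0 days it is OK and the script exits 0.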